Valid from 01.04.2019


GENERAL DATA PRIVACY STATEMENT

Protecting your personal data is a particular concern of ours. We therefore exclusively process your data on the basis of statutory regulations (in particular based on the provisions of the General Data Protection Regulation, the national Data Protection Act and the Telecommunications Act). We wish to inform you of the most important aspects of data processing on our website in this Data Privacy Statement.

When does this Data Privacy Statement apply?

Our Data Privacy Statement applies to anyone who makes use of one of our products or services, visits our websites or makes contact with us. We have drafted separate data privacy statements for special services, which specifically govern data processing and the associated data protection issues. This Data Privacy Statement is therefore only applicable where specific data privacy statements do not contain more specific provisions in the individual case. There are special data protection statements for the online distribution of tickets or for the Postbus shuttle.

We are also continually developing our performance, provision and services. As a result we also continuously adapt the data privacy statement. However, we shall ensure that the latest effective version is always available to you.

Who is responsible for data processing?

ÖBB-Postbus GmbH, FN 248742 y, Am Hauptbahnhof 2, 1100 Vienna, tel.: +43 1 93000 0 is the controller under data protection law, as defined in Article 4(7) GDPR.

What happens if contact is made with ÖBB-Postbus GmbH?

We provide online forms in various sections on www.postbus.at if you wish to contact us via our website or by email. Contact shall be made:

  • in the event of lost objects (lost and found)
  • in case of customer queries (customer feedback) or
  • in the event of renting or selling buses


Online sale of tickets for Vienna Airport Lines (VAL)

ÖBB-Postbus GmbH operates a web shop at https://www.viennaairportlines.at/de/, providing you with the opportunity to purchase tickets for Vienna Airport Lines online. A special data privacy statement has been drafted for data processing based on ticket purchase, which is available for inspection at https://www.viennaairportlines.at/de/info/375.

Postbus shuttle

We began a pilot operation for micromobility in the municipality of Lustenau in November 2018. This pilot operation, for which a data privacy statement has also been executed, is subject to internal conditions of participation. The conditions of participation and the special data privacy statement are available under the following link: https://www.postbus.at/unsere-leistungen/postbus-shuttle.html

Market and opinion research / customer surveys

In order to improve our products and services and adapt them to customer requirements, we conduct surveys with different target groups: on the one hand with people who do not use the bus and on the other hand with people who use a bus (irrespective of which one) or people who use the ÖBB-Postbus. We thereby commission market research companies or conduct the surveys ourselves. Persons to be surveyed can be selected either completely randomly or based on social statistics or usage-specific factors. Contact with participants can be implemented via the pools of respondents for market research companies ‒ carried out without our input at the sole responsibility of partner operators. Or we invite people with a general interest, without addressing individual participation in the survey. In case of specific survey topics we also address customers.

Establishing personal reference is not intended for any surveys. All surveys are conducted completely anonymously. This is true even if we write to you directly as customer or you have declared your consent in advance to participate in a survey.

We only receive or compile an overall evaluation of data, which do not show individual interviews or persons.

If we address our customers directly, we will then exclusively contact people who have given consent thereto.

Should we conduct the survey in cooperation with a market research company in specific cases, we shall conclude a separate confidentiality agreement with said company in advance of a customer survey, laying down the secure handling of your data specifically for the individual case. In particular, this Agreement shall ensure that the company will not transfer your data to other market research institutions and other third parties for surveys for their own purposes.

In any case you are not obliged to take part in any of our customer surveys.


Quality measures

If you contact us by email with requests, suggestions or criticism, we would like to ensure that we have performed our service to your satisfaction. After replying to your concerns, we will therefore ask how satisfied you were with our service.

This constitutes an internal quality assurance measure. For reasons of objectivity and automated processing, we employ a processor for this purpose, to draft and send the reply and automated request on our behalf. In the event of a request, we will solely hand over your email address and customer number to the processor. We shall not provide this processor with the opportunity to inspect your data, to use your data for other purposes or transfer them to third parties.

Before employing a processor, we have assured ourselves that it will provide a sufficient guarantee for lawful and secure use of data.


Information according to Article 13 et seq. GDPR

Data are generally collected and processed for the purpose of contract implementation (e.g. in the event of concluding a transport arrangement, when renting or selling a bus), handling and responding to your queries, checking any applications for reimbursement and compensation, your voluntary participation in a customer survey, sending a newsletter, sending queries within the scope of quality measurement.

Data processed for these purposes shall be disclosed as required and according to the intended use to the following categories of recipients:

To:

  • the responsible banking institution / payment service provider for the purpose of handling payments (for the purposes of executing the contract, Article 6(1) b) GDPR).
  • the regulatory authorities in the event of arbitration proceedings (for the purposes of compliance with railway legislation and rights, Article 6(1) c) GDPR).
  • the assigned legal representative in the event of disputes under civil law (based on our legitimate interests in defending legal claims, Article 6(1) f) GDPR).
  • the locally competent administrative authority in the individual case (in particular tax authorities, driving licence authorities, Rundfunk und Telekom Regulierungs-GmbH or trade authorities) for the purposes of observing statutory regulations and rights, Article 6(1) c) GDPR.
  • the locally competent courts in the individual case or other competent authority in the individual case (based on our legitimate interests in the defence of legal claims, Article 6(1) f) GDPR).
  • the debt collection agency assigned by the controller for the recovery of outstanding debts (based on our legitimate interests in the defence of legal claims, Article 6(1) f) GDPR).
  • the chartered accountant for the purpose of auditing (in order to observe statutory regulations, in particular applicable provisions of stock corporation law, Article 6(1) c) GDPR).
  • to our commissioned processors, if they process personal data on our behalf. (Based on our legitimate interests, in particular in improving, simplifying and maintaining our database systems, Article 6(1) f) GDPR).

We therefore carry out data processing in particular based on the legal framework conditions summarized again below (as amended):

  • Regulation (EU) No 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, GDPR), in particular Article 6(1) a) (consent), b) (execution of contract), c) (statutory right or obligation), f) (legitimate interests) and (4) (processing for other purposes).
  • Code of Criminal Procedure 1975,
  • Introductory Act to the Administrative Procedures Act 2008
  • Administrative Penalties Act 1991
  • General Administrative Procedure Act 1991
  • General Civil Code for all German hereditary lands of the Austrian Monarchy
  • Telecommunications Act 2003
  • Federal Act on General Regulations and Procedures for Fees Administered by the Tax Authorities of the Federal Government, Regional States and Municipalities (Federal Fiscal Code, BAO)
  • Federal Act on Special Regulations of Civil Law for Companies (Austrian Commercial Code, UGB)
  • General Terms and Conditions and other conditions of participation of ÖBB-Postbus GmbH.
  • Federal Act of 21 January 1959 on Liability for the Compensation of Damages from Accidents in the Operation of Railways and the Operation of Motor Vehicles (Railways and Motor Vehicles Liability Act – EKHG) BGBl. [Federal Law Gazette] No. 48/1959, as amended.
  • Federal Act on distance sales and contracts concluded outside business premises (FAGG) BGBl. I No. 33/2014, as amended by BGBl. I No. 83/2015, as amended.
  • Federal Act of 8 March 1979, by means of which provisions are adopted on the protection of consumers (Consumer Protection Act – KSchG), BGBl. No. 140/1979 as amended.

We shall not transmit personal data to a third country or an international organization.

In the event of any questions on data protection or the use of your personal data, feel free to contact our data protection officers.

Contact data for data protection officers:

ÖBB-Postbus GmbH
Am Hauptbahnhof 2
1100 Vienna

Email: datenschutz.postbus@pv.oebb.at


Storage period

In general personal data are only stored by us to the extent that is absolutely necessary and are essentially deleted following expiry of the statutory period of limitations under civil law of three years (e.g. customer correspondence) or in the event of invoice-relevant data after seven years (e.g. booked tickets, customer cards), according to § 212 UGB or §§ 132 et seq. BAO. A longer storage period is only implemented in justified individual cases, for example as a result of an ongoing civil law or regulatory dispute.

Your rights

(1) Rights of data subjects

As the data subject in the individual case, you are entitled to assert the following rights of data subjects against us, if we are the controller for data processing:

  • Right of access (Article 15 GDPR): You have the right to demand information on which personal data are collected about you and held by us.
  • Right to rectification and erasure (Article 16 GDPR): You have the right to rectify any incorrect data concerning your person (e.g. spelling mistakes).
  • Right to erasure (Article 17 GDPR): You have the right for personal data to be deleted, provided such deletion is covered by the cases set out in Article 17 GDPR, for example if we were to wrongfully process data.
  • Right to restriction (Article 18 GDPR): You have the right of a data subject to demand that the controller restrict the processing of personal data about you if the requirements under Article 18 GDPR are in place.
  • Right to data portability (Article 20 GDPR): You have the right of a data subject to receive the data provided by you in an interoperable format.
  • Right to object (Article 21 GDPR): You have the right of a data subject to raise an objection to data processing, provided the requirements of Article 21 GDPR are in place.

 

If you wish to assert a right of a data subject, please contact us. The following contact options are available:

Contact data:

ÖBB-Postbus GmbH
(Subject: assertion of rights of data subjects)
Am Hauptbahnhof 2
1100 Vienna
Email: datenschutz.postbus@pv.oebb.at

Please attach a copy/scan of an official photo ID to your application, indicating your date of birth (e.g. identity card, driving licence or passport). This is because we have to check your identity before we can reply to your request or make the necessary arrangements. The purpose of this identity check is to enable us to establish your actual capacity as a data subject, in order to ensure that personal data are not disclosed to unauthorized third parties (risk of misuse).

Once we have received your request and you have proven your identity, we will respond to your request within four weeks. In the event that we have specific questions as part of the reply, we will contact you and ask you to cooperate and assist.

 

(2) Complaints

Furthermore, you have the right to submit a complaint to the data protection authority, according to §§ 24 et seq. DSG [Data Protection Act] and Article 77 et seq. GDPR if you believe that we have breached obligations under the General Data Protection Regulation.

Contact data:

Austrian Data Protection Authority,
1030 Vienna, Barichgasse 40-42,
Tel.: +43 1 52 152-0
Email: dsb@dsb.gv.at
www.dsb.gv.at

(3) Withdrawal of consent

If you have consented to your data being processed for a specific purpose, you have the right to withdraw your consent at any time, without indicating reasons.


Use of cookies

Cookies are small text files or codes, which contain information units. These text files are stored on your hard drive or in the main memory of your browser if you visit one of our websites. Thanks to cookies, the contents of our websites can be structured more easily and devices on which you have previously visited our websites can be identified. We use cookies to gain a better understanding of the functioning of applications and websites and to analyse and optimize the user experience when using our websites online and on mobile devices.

Cookie categories

We primarily use cookies from the following categories on our websites:

Operationally necessary cookies

These cookies are necessary to allow you to use our websites as intended and make all functions available to you. Without such cookies the requested services cannot be provided. These cookies do not record information about you and do not store Internet locations. Absolutely necessary cookies cannot be deactivated on our site. However, they can be deactivated at any time on the browser that you use.

Functional cookies

These cookies are necessary for certain applications or functions of the website, allowing them to be duly executed. This may for example include cookies, which store implemented settings such as a visitor’s language setting or even – assuming your prior consent – pre-completed forms.

Storage period: in the event of a session cookie for the period of the session, or in the event of your prior consent for the period of your consent.

Analytical cookies

These cookies collect information on user behaviour for visitors to our websites. For example, a record is kept of which websites are most frequently visited and which links are clicked on. All recorded data are stored anonymously with information for other visitors. Using data obtained by these cookies, we can compile analytical evaluations on our website using Piwik and thereby continually improve the user experience.

Storage period: in the event of a session cookie for the period of the session, in all other cases (for example for our web analysis service PIWIK) for a maximum of three years.

How long are cookies stored on my device?

The time that a cookie stays on your device depends on whether it is a persistent cookie or a session cookie. Session cookies only remain on your device until your browser session is finished. Persistent cookies remain stored on your device, even after you have completed a browser session, until such time as the preset time for the cookie has expired or it has been deleted.

PIWIK (Matomo) web analysis

Our websites and digital dialogue with our customers use Piwik, a web analysis service. Piwik uses cookies, which allow us to conduct an analysis of the use of our websites.

For this purpose, usage information generated by the cookie (including your abbreviated IP address) will be transferred to our server and stored for usage analysis purposes, which on our part serves for website optimization. Your IP address is immediately anonymized in this operation, meaning that you remain anonymous to us.

Information generated by cookies on the use of our websites shall not be transferred to third parties.

You can prevent the use of cookies through an appropriate setting in your browser software. However, in this case it may happen that not all functions of our websites can be used in full.

If you do not agree to the storage and evaluation of data in relation to your visit and the use of our websites, storage and usage may be objected to at any time (see terms of use for the website www.postbus.at/). In this case a so-called opt-out cookie is stored in your browser, resulting in Piwik not collecting session data.

For technical reasons, specific data and information must be collected and stored for visits to our websites, e.g. websites used, time and duration of visit and data made available by the used browser (e.g. on the operating system and used system settings). We use such data and information anonymously in order to design our offer in a user-friendly way and technically optimize our offer.

Should you provide personal data or information on our websites, we can continue to use them within the framework of the legal requirements of TKG [Telecommunications Act] without your further consent. Use for advertising or marketing purposes, or transfer to third parties, which requires your separate prior consent, shall be exempt from this. We will separately inform you about any communications to other ÖBB affiliated companies (e.g. in the event of a concern, complaint, etc.).

Should you access the abovementioned offers on our websites or switch to these websites, we will share data provided by the browser with such operators. We are generally not responsible for contents offered on these external sites, both with regard to data protection and to the technical security of the data and information provided. Please note in this context that external providers use technologies for personalization of advertising.

If we provide a contact option through an input screen on our website, this communication shall be encrypted on the https protocol. Please note that the confidentiality of other communications on the Internet, in particular via email, is not guaranteed, and we therefore recommend not transmitting confidential data and information by email.


How we protect your data

By information security we mean: confidentiality of data, data integrity and data availability.

In order to guarantee information security, we have established organizational framework conditions and protective measures, which conform to the latest technology. This includes:

  • load distribution;
  • firewalls;
  • encryption;
  • security tests;
  • system reviews; and
  • ongoing monitoring.

Access rights are only granted to our employees to the absolutely necessary extent, specifically for the role. The use of such access rights is recorded in writing.

Your data shall be protected by a secure online connection (TLS) between your PC and our servers, depending on the browser configuration, with at least 128 bits.

By processors we mean our contractual partners, who process personal data on our behalf (example: maintenance of our databases).

Use of processors

We only employ processors for our lawfully conducted data processing. We always assure ourselves in advance that the individual processor is suited to service performance, in particular that the processor provides a sufficient guarantee of secure and lawful use of data.

Processors that we have selected only receive personal data from us to the extent that is absolutely necessary.

Our processors have contractually undertaken:

  • to solely use personal data for the purpose of the contract;
  • to delete personal data once the purpose of the contract is complete;
  • not to share personal data with third parties;
  • not to use personal data for their own purposes; and
  • to comply with new obligations under the General Data Protection Regulation (e.g. keeping a register of processing activities, conducting a data protection follow-up assessment as required, etc.).

Before employing a processor, we conclude a written agreement with it, in which special obligations are imposed on the processor and its employees, and they again are subject to a separate confidentiality obligation. We impose certain data security measures on the processor to ensure that customer data and data processing are sufficiently protected.