Privacy policy Postbus Shuttle

"Postbus Shuttle", is a business unit of Österreichische Postbus Aktiengesellschaft. "Postbus Shuttle" offers you a flexible mobility service that will take you to your destination comfortably and easily - and at a reasonable price. Österreichische Postbus Aktiengesellschaft is a company of ÖBB.

Customer satisfaction is our top priority. This means that protecting your data is particularly important. We would like to thank you for the trust you place in us by submitting your data to us for processing. As a sign that we respect your rights as well as your privacy, we have formulated our policy, which applies when processing your data:

• We attach great importance to transparency when processing your data. Therefore we have paid special attention to our privacy policy in order to provide you with the necessary information on how we handle your data.

• It is important to us that you know for what purposes we use your data and when we store it. We inform you in our privacy policy how and to what extent we process your data.

• We process your data only to the extent necessary and use them exclusively for lawful and justified purposes.

• In certain cases we will ask you whether you consent to the use of your data. In these cases, you yourself decide how and when we use your data. For example, we will never send you unsolicited electronic advertising.

• It is our aim to continuously improve. Contact us if you have any concerns.

• We live our principles, especially in the area of data protection. Please read the next sections of this privacy policy to find out how we process your data as part of our various data applications.

The privacy statement applies to all those who book and / or use a “Postbus Shuttle” service, make a journey request or contact us. A journey can be booked electronically via the app or, depending on the region, by telephone.

We are constantly developing our performance, services and support. For this reason, we will also continually adapt the data protection declaration. However, we will ensure that the latest version is always available for you.

Österreichische Postbus Aktiengesellschaft, FN 250198p, Am Hauptbahnhof 2, 1100 Vienna, Telephone +43 5 1717 is the data protection officer in the sense of Article 4 paragraph 7 DSGVO. The DSGVO defines a data controller as a natural or legal person, authority, institution or other body which alone or jointly with others decides on the purposes and means of processing personal data.

By personal data we mean all information relating to an identified or identifiable natural person (hereinafter “data subjects”). A natural person is regarded as identifiable if said person can be identified as precisely this natural person, in particular through allocation of an identifier such as a name, identification number, location data, online identification data or one or more other special features in the particular individual case (e.g. voice). Thus this includes, at the least, the data that can be associated with you as a customer. For example, your name, email address, telephone number, booking code, ticket code or your customer number are personal data.

The legal basis for data processing in accordance with Article 6 DSGVO is either the fulfilment of a contract, the fulfilment of a legal obligation, your prior consent or our overriding legitimate interests, which may also include processing for a further purpose.

Data that can be assigned to your person can be derived from the following occasions, purposes and sources:

• If you book and / or use a trip of Österreichische Postbus Aktiengesellschaft for the "Postbus Shuttle", make a travel request and give us feedback.

• When you create a Postbus Shuttle account in our app (this is mandatory for our service).

• If you use the shuttle interface.

• In the event that we have to contact you (e.g. cancellation of vehicles).

• If you contact the Postbus Shuttle customer service with questions, requests, suggestions, complaints, criticism or other comments (e.g. disruptions).

• If you are asserting your rights as a passenger, if you are claiming a fare supplement or if you have submitted an application for reimbursement / compensation.

• For statistical research to improve our services or systems, but the results of this research will not in any way identify you personally

• In the course of the company's internal risk analysis.

In accordance with the provisions of articles 12ff DSGVO, we would like to inform you about the following topics: Österreichische Postbus Aktiengesellschaft FN 250198p, Am Hauptbahnhof 2, 1100 Vienna, Telephone +43 5 1717 is the data protection officer in the sense of Article 4 clause 7 DSGVO. If you have any questions regarding data protection or the use of your personal data, please contact our data protection officer.

Contact details of the data protection officer:
Am Hautbahnhof 2, 1100 Vienna
E-mail: postbus.datenschutz@postbus.at

In the following cases and for the following purposes, personal data will be collected by ourselves in accordance with Article 13 DSGVO:

If you

• book a journey online using the app or Shuttle Interface

• create a Postbus Shuttle account online using the app

• make a journey request online via the app or by phone or Shuttle Interface

• submit an application for reimbursement and compensation;

• contact the ÖBB customer service or customer office for other services or enquiries;

• be contacted by us (e.g. change of the driving conditions)

• give us a feedback after the ride

• participate in sweepstakes , other promotions, direct marketing or customer surveys, provided you have given your prior consent

Our service is also offered through selected cooperation partners. In this case, data collection is carried out by the cooperation partner pursuant to Article 14 GDPR. We currently use ÖBB-Personenverkehr AG as a cooperation partner. When booking a ticket for a specific train journey (i.e. booking a ticket to your destination and back), you will automatically be offered the ÖBB Transfer Service if this service is available at your destination. The transfer service is provided by Österreichische Postbus Aktiengesellschaft or by third parties commissioned by us. Another cooperation partner is iMobility GmbH, which facilitates the booking of Postbus Shuttle trips via wegfinder. In the context of these cooperations, ÖBB-Personenverkehr AG (PV AG) and iMobility (iMob) provide the following data:

• Name of the person making the booking (PV AG, iMob)

• Booking number of the order (PV AG, iMob)

• Pick-up location and pick-up time, arrival location and arrival time (coordinates and desired time of the trip) (PV AG, iMob)

• Train number for the train on which the passengers are arriving/to which the passengers are to be taken

• Number of passengers (PV AG, iMob)
  • incl. date of birth for registered customers (PV AG)
  • incl. notional date of birth for seniors and children (PV AG)
  • incl. discount card (for price calculation) (PV AG)
• Wheelchair (to determine if the transfer service allows for the transport of a wheelchair) (PV AG)
• Dog (to determine if the transfer service allows for the transport of a dog) (PV AG)
• Bicycle (to determine if the transfer service allows for the transport of a bicycle) (PV AG)

If we do not provide the service ourselves, we use third parties (for example local taxi companies at the destination) to provide the service, to whom the following data may be disclosed where necessary.

• Name of the person making the booking
• Train number for the train on which the passengers are arriving/to which the passengers are to be taken
• Number of persons
• Fare incl. information “Paid”, as it was booked via the ticket shop
• Booking reference
• Pick-up location (name of the station or hotel, address and position on map)
• Pick-up time
• Arrival point (name of the station or hotel, address and position on map)
• Arrival time

ÖBB-Personenverkehr AG (as far as the train service is concerned) as well as Österreichischen Postbus Aktiengesellschaft and any third party commissioned by us (as far as the transfer service is concerned) shall carry out this service under their own responsibility under data protection law. As a consequence, you must in particular exercise your claims/rights under data protection law (e.g. a request for information under data protection law) against Österreichischen Postbus Aktiengesellschaft, ÖBB-Personenverkehr AG and the commissioned third parties.

In case of complaints and other inquiries, we will, if you wish, also forward them to ÖBBPersonenverkehr AG or to the commissioned third party.

When required, and depending on the intended use, the data processed for these purposes are disclosed to the following categories of recipients:

To

• the regulatory authorities in the event of a conciliation procedure (for the purposes of compliance with railway law provisions and authorisations, Article 6(1)(c) DSGVO).

• the assigned legal representative in the event of disputes under civil law (based on our legitimate interests in defending legal claims, Article 6(1) f) GDPR).

• the administrative authority responsible in the individual case in terms of subject matter and location (in particular also tax authorities, driving licence authorities, Rundfunk und Telekom Regulierungs-GmbH or trade licensing authorities) for the purposes of compliance with statutory provisions and authorisations, Article 6 (1) c DSGVO.

• the court or other authority with jurisdiction in the individual case (on the basis of our legitimate interests in defending legal claims, Article 6 para. 1 lit. f DSGVO).

• the debt collection company commissioned by the responsible party to collect outstanding debts on the basis of our legitimate interests, which consist in the defence of legal claims (Article 6 Paragraph 1 letter f DSGVO).

• the chartered accountant for the purpose of auditing (for the purposes of compliance with statutory provisions, in particular the applicable provisions of stock corporation law, Article 6 (1) (c) DSGVO).

• our commissioned data processors, if these process personal data on our behalf. (Based on our legitimate interests, in particular for the improvement, simplification and maintenance of our database systems, Article 6 Para. 1 lit. f GDPR).

Our data processing therefore takes place in particular on the basis of the following summarised legal framework (as amended):

• Regulation EU 2016/679 on the protection of individuals with regard to the processing of personal data, on the free movement of such data (Basic Data Protection Regulation (DSGVO), in particular Article 6 para. 1 lit. a (consent), lit. b. (execution of contract), lit. c DSGVO (legal entitlement or obligation), lit. f (legitimate interests) as well as para. 4 (processing for further purposes);

• Order of the Federal Minister of Public Economy and Transport on the access to the trade of transporting persons by motor vehicle (job access ordinance on scheduled and non-scheduled motor vehicle services – BZP-VO), Federal Law Gazette No. 889/1994 as amended;

• Ordinance on the General Terms and Conditions of Carriage for Regular Motor Service (BGBl. II No. 47/2001) as amended;

• Regulation No 181/2011 of the European Parliament and of the Council of 16 February 2011 concerning the rights of passengers in bus and coach transport and amending Regulation (EC) No 2006/2004

• Industrial Code 1994;

• In the case of a criminal proceeding 1975;

• Introductory Act to the Administrative Procedure Acts 2008;

• Administrative penal code 1991;

• General Administrative Procedure Act 1991;

• General Civil Code for the entire German hereditary lands of the Austrian Monarchy;

• Telecommunications Act 2003;

• EU Directive on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010 and repealing Directive 2007/64/EC (PSD2);

• Federal law on general provisions and the procedure for the levies administered by the tax authorities of the Federation, the Länder and the municipalities (Bundesabgabenordnung, BAO)

• Federal law on special civil law provisions for companies (Corporate Code, UGB);

• Federal Act on Distance Selling and Contracts concluded away from business premises (FAGG) BGBl. I No. 33/2014 as amended by BGBl. I No. 83/2015 as amended;

• Federal Act of 8 March 1979 laying down provisions for the protection of consumers (Consumer Protection Act - KSchG), BGBl. No 140/1979 as amended;

• General Terms and Conditions and special conditions of carriage of the controller and of his cooperation partners.

We do not intend to transfer personal data to a third country or to an international organization.

Storage period: In general, personal data are only stored by us to the extent that is absolutely necessary, and in principle, they are deleted after expiry of the legal civil limitation period of three years (e.g. customer correspondence) or in the case of invoice-relevant data, after seven, maximum ten years (e.g. booked tickets, yearly tickets) in accordance with § 212 UGB or §§ 132f in conjunction with 207ff BAO. A longer storage period is only implemented in justified individual cases, for example as a result of an ongoing civil law or regulatory dispute.

In detail we would like to highlight the following different topics:

• If the data is billing-relevant data due to other ticket purchases, applications for reimbursement, additional fare claims, this data is stored for ten years.

• Otherwise, we record the data assignable to you for a period of three years, such as, for example, customer correspondence, the use of other services, mere participation in sweepstakes, campaigns or customer surveys.

• Revocation of a declaration of consent or assertion of an objection to direct marketing in accordance with Article 21f DSGVO (black list): This information cannot be deleted, particularly as we keep it as a negative list and thus ensure that you do not receive any promotional offers from us at the moment.

• In case of cancellation of your registration, your access data, password, e-mail address and telephone number will be deactivated. Your message will be deleted at the latest 3 years after deactivation.

Your rights

1. You, as the person concerned in the individual case, are entitled to assert the following rights of data subjects against us if we are the data controller

• Right to information (Article 15 DSGVO): You have the right to request information about what personal data about you is collected and held by us.

• Right of rectification and deletion (Article 16 DSGVO): You have the right to rectify any incorrect data concerning your person (e.g. typing errors).

• Right of deletion (Article 17 DSGVO): You have the right to have personal data deleted if such deletion is covered by the cases of application provided for in Article 17 DSGVO, for example if we would process data unlawfully.

• Right to limitation (Article 18 DPA): The data subject has the right to request the controller to limit the processing of personal data relating to him/her, provided that the conditions laid down in Article 18 DPA are met.

• Right to data portability (Article 20 DPA): You have the right of the data subject to receive the data he or she has provided in an interoperable format.

• Right of objection (Article 21 DPA): You have the right of the data subject to object to data processing, provided that the conditions of Article 21 DPA are met.

If you wish to assert a data subject right, please contact us. To do so, the following contact options are available to you:

Österreichische Postbus Aktiengesellschaft
Am Hauptbahnhof 2
1100 Vienna
E-mail: postbus.datenschutz@postbus.at

Please include the following information in your request:

• A copy / scan of your official photo identification stating your date of birth (e.g. identity card, driver’s licence or passport) and
• the e-mail address registered for the Postbus Shuttle account.

This is because we have to verify your identity before we can respond to your request or take the necessary steps. The purpose of this identity check is to enable us to establish your actual status as a data subject, in order to ensure that personal data is not disclosed to unauthorised third parties (risk of misuse). As soon as we receive your request and you have proven your identity to us, we will respond to your request within four weeks. In the event that we have specific questions in the course of answering, we will contact you and ask for your cooperation and assistance.

2. In addition, you have the right to lodge a complaint with the data protection authority in accordance with §§ 24ff DSG and Articles 77ff DSGVO if you believe that we are in breach of our obligations under the Basic Data Protection Regulation.

contact details:

Austrian data protection authority,
1030 Vienna, Barichgasse 40-422
Phone +43 1 521 52-25 69
e-mail: dsb@dsb.gv.at
www.dsb.gv.at

3. revocation of a granted consent

If you have given us your consent to process your data for a specific purpose, you have the right to revoke your consent at any time without giving reasons.

You can also view the privacy statement in the app itself during the registration process, at any time after registration in the app menu under “Legal information” and before completing any booking.

• We save the itinerary of your ticket purchase or booking so that you can always know and follow the exact course of your journey. This information also serves as booking confirmation.

• Mere travel requests that did not result in a ticket purchase are stored to improve our services.

• You will always find the offer with the best price as the first offer.

When designing our service, we have taken care to ensure that data is only collected and processed to the extent absolutely necessary.

Essential in this context are the following when using our app

• First and user name, as well as optionally the last name

• Customer and user ID

• Contact information (e-mail address, phone number),

• a password,

• Issued approvals of the general terms and conditions,

• Ticket information, information about the booked trip including information about the travellers,

• Device information and IP address (when logging in and out and changing the data provided),

• Favorites,

• Type of payment,

• Real-time information before, during and after the journey (in particular, changes in departure and arrival times, total cancellation, boarding and disembarkation information),

• Location information for the purpose of booking a ticket or requesting a connection, if you have consented to this functionality,

• Start address, destination address, entry stop, exit stop,

• Logging data.

The use of our app requires that you create a Postbus Shuttle account. It is therefore not possible to make bookings or travel enquiries without first creating a Postbus Shuttle account. To create a Postbus Shuttle account, we need at least the following information about you:

• First and user name, as well as optionally the last name

• Your e-mail address,

• Agreement with our general terms and conditions incl. time stamp

• Mobile number to receive an activation code and other notifications (e.g. cancellation of a journey),

• password of your choice

During the registration process, you will receive an activation code by text message to the mobile number you have provided. After entering and confirming the activation code, your account will be activated. Once you have successfully registered, Postbus Shuttle will send you confirmation and contact details to the e-mail address you have provided. When you open the app in the future, you will automatically be logged in with your account.

You can log out of your account from within the app. To do this, select the “Log out” option in the app menu.

If you wish to deactivate your account/registration, please write to postbus.shuttle@postbus.at. Your registration will be cancelled and your access data, password, e-mail address, and mobile number will be deactivated.

In order to book a trip with the Postbus Shuttle by telephone (where available), please use the telephone number(s) provided on our website (https://www.postbusshuttle.at/) to be connected to the relevant customer centre. If you are not yet a Postbus Shuttle customer, you will need to provide your name and, if you wish, your telephone number and e-mail address.

To make a booking, you need to tell the Customer Centre your departure and arrival addresses (or departure and arrival stops) and the time and date of your journey. The Customer Centre will use this information to check for availability and book the trip for you if required.

To cancel a trip that has already been booked, you must contact the Customer Centre and inform them of the cancellation. The trip will then be cancelled.

If there are any changes to your journey, such as delays, you will be notified automatically in the app or, if you do not have an app account, by e-mail to the e-mail address you have provided or by text message to your mobile phone number.

We are planning the possibility that you can voluntarily rate the ride in the app. This feedback will be saved without personal reference. If you would like to give us detailed feedback, you are welcome to send us an e-mail to postbus.shuttle@postbus.at.

You have the option of booking the trip through one of our partners. Partners include doctors, hotels, local authorities and others. Booking through our partners can be done by visiting or calling the partner.

In this context, we or our partners will collect the following information:

• First and last name or name of the partner;

• Information on data subjects using the Shuttle Interface;

• Contact details (address, e-mail address, telephone number of the partner);

• Traveller details (name, number of travellers, price, payment method, optionally telephone number, optionally e-mail address);

• Information about the trip (start address, destination address, entry stop, exit stop, date and time of the trip, booking date).

The partner is not authorised to use the data entered for the customer as part of the booking for any other purpose.

By payment information we mean information that we require for processing the payment. As a matter of principle, we will never store any payment information, such as credit or debit card numbers, expiry date, the card validation code (CVC) or user account and password data.

In all other cases, payment information (e.g. expiry date or the card validation code (CVC)) will be processed and used by a tested and certified payment service provider (Terminal Service Provider and Payment Service Provider).

In order to handle the payment process, we employ tested and PCI-certified payment service providers who process and use the payment information (e.g. CVC code or expiry date) to complete the booking. The data will only be processed for the purpose of payment processing in connection with the ticket booking. These payment service providers generally operate independently and therefore process your data under their own responsibility under data protection law.

In order to clearly authorise a payment, the payment service provider will require various pieces of information from us, such as e.g. identification data for browser and operating system type, which are saved by us and forwarded to the payment service provider for processing the payment.

Further information related to this is also provided to you by the payment service provider itself.

For the purposes of payment risk management, as required in the specific case and as part of the purchase transaction, personal data may be transmitted in the absolutely necessary extent to the payment service provider, which then uses this data to conduct a risk assessment. Payment-related data will also be consulted for anonymised analyses.

By information security we understand:

• onfidentiality of data,
• Data integrity and
• Data availability

In order to guarantee information security, we have established organisational framework conditions and protective measures that correspond to the state of the art.

These include:

• Load distribution,
• Firewalls,
• Encryption,
• Security checks,
• System checks and
• continuous monitoring.

Our employees are only granted access rights in accordance with their roles and to an extent that is absolutely necessary. The use of these access rights is recorded.

The app is distributed via the Apple App Store and the Google Play Store (hereinafter referred to as “Store”). Inclusion, distribution and use of the app is therefore additionally subject to the separate conditions of these two stores, over which we have no influence, and which are compiled and asserted at the sole responsibility of the stores.

Cookies are small text files or codes that contain information units. These text files are stored on your hard disk or in the memory of your browser when you visit one of our websites. Thanks to cookies, the content of our web pages can be structured more easily and those devices can be recognised via which our web pages were previously visited. We use cookies to gain a better understanding of how applications and websites work and to analyse and optimise the user experience when using our websites online and on the move.

We do not use cookies for our app, for our shuttle interface a cookie necessary for operation is used. This is necessary to ensure that the Shuttle Interface can be used as intended and all functions are available. Without this cookie the requested services cannot be provided. This cookie does not collect any information about you and does not store any Internet locations. Unconditionally required cookies cannot be deactivated via our site. However, they can be deactivated at any time via the browser you are using. Beyond this operationally necessary cookie, no further cookies are used.

Data processors pursuant to the GDPR are natural and legal entities that are commissioned by us to provide a specific service.

For example, we currently use service providers for the following tasks:

• for the maintenance of our databases and our applications,

• To conduct on-line surveys, and

• To assess the quality of our services, and

• To provide services to our customers

We only use processors for data processing that is lawfully carried out by us. We always satisfy ourselves in advance that the individual processor is suitable for the provision of services, in particular that it offers sufficient guarantees for the lawful and secure use of data.

Processors only receive personal data from us to the extent absolutely necessary. Our processors have contractually committed themselves to only use personal data

• to be used exclusively for the purpose of the order,

• after the respective purpose of the order has ceased to apply,

• not to pass on to third parties, and

• not to be used for own purposes.

Before employing a processor, we conclude a written agreement with the processor, in which special obligations are imposed on the processor and employees in particular and they are again separately obliged to maintain confidentiality. We impose certain data security measures on the processor to ensure that customer data and data processing are adequately protected.

We have provided you with comprehensive information on the purposes of our data processing, categories of data recipients, the legal basis and legal framework, the storage period as well as the rights you are entitled to and the scope of data processing. In all data processing, we have taken care to ensure that data collection and data scope are limited to the extent that is absolutely necessary. Therefore, if we ask you to provide data, this is necessary so that:

• You can book and carry out your journey with the Postbus Shuttle online (via the app), by phone or via the Shuttle Interface,

• you can give us feedback after the ride (planned feature),

• we can contact you in the event of a default or any outstanding debt,

• we can answer your complaint / inquiry or

• you can assert your rights as a passenger or under the DSGVO

If you do not or not fully comply with our request for data disclosure, it cannot be guaranteed that we will be able to comply with or process your aforementioned purchase or other request(s).