Privacy Notice (bahn.de/bahn.com)

When you use bahn.de/bahn.com, the DB companies (DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG) process your data as joint controllers. These companies have stipulated in an agreement which of them fulfils which obligations under data protection law. You can find the essence of this agreement in the section "What data do we collect and how and why do we process your data?".

If you have any questions or suggestions regarding data protection, please contact one of the listed data controllers:

DB Vertrieb GmbH
Europa-Allee 78- 84
60486 Frankfurt
E-mail: p.d-datenschutz@deutschebahn.com

DB Fernverkehr AG
Europa-Allee 78- 84
60486 Frankfurt
E-mail: fv-datenschutz@deutschebahn.com

DB Regio AG
Europa-Allee 70-76
60486 Frankfurt
E-mail: datenschutz.regio@deutschebahn.com

The appointed data protection officer for all three of the aforementioned responsible parties is Ms Dr. Marein Müller.

The group of above-named companies is responsible for processing bahn.de/bahn.com-related data. They have formally agreed which of them performs a given task as part of this joint processing, what the purpose of this processing is, how it is organised and who complies with the obligations arising from GDPR, in particular with information-related obligations. The key features of this agreement are described below.

DB Vertrieb GmbH and DB Fernverkehr AG are responsible for the following:

• Selling BahnCards and extending BahnCards as part of a subscription
• Undertaking marketing communication and customer information activities as part of DB Vertrieb GmbH's campaign management processes (with the participation of DB Fernverkehr AG).

DB Vertrieb GmbH and DB Regio AG are responsible for the following:

• Communicating with customers (e.g. those with subscriptions) and advertising.
• Regional offers

DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG are responsible for the following:

• Using websites for marketing products and services, providing information and handling marketing communication.
• Issuing vouchers and registering their redemption, providing information necessary for campaigns
• Using customer database(s) for the holistic processing of customer transactions and exchanging customer data to prevent fraud, etc.
• Processing and paying goodwill gestures and compensation (e.g. due to disruptions and unforeseen events)
• Handling complaints management, service-related issues and customer dialogue, incl. providing contact forms

We process your data exclusively for specific purposes. These may arise due to technical necessity, contractual obligations or express requests on the part of users.

For technical reasons, certain data must be collected and saved when you visit bahn.de/bahn.com. This includes, for example, the date and duration of your visit, the web pages used, the identification data of your browser and type of operating system used as well as information on the website via which you were routed to our site.

In order to comply with a contract, we require certain personal data from you. This data is required for ticket bookings, processing payments, checking credit ratings, for delivery by post to the specified address, where applicable, and for dealing with any cancellations and refunds.

In this case, the contract pursuant to Article 6(1)(b) GDPR is the legal basis for the processing of your personal data. Article 6(1)(b) GDPR shall also apply to processing that is required in order to take steps prior to entering in to the contract , e.g. in cases of inquiries regarding our products and services.

Insofar that we obtain your consent for the processing of personal data (e.g. if you subscribe to our newsletter or use the Remain-logged-in option), this consent shall serve as the legal basis according to Article 6(1)(a) GDPR.

If our company is subject to a legal obligation that requires us to process personal data, for example to fulfil tax obligations, this processing shall be based on Article 6(1)(c) GDPR.

We would like to use your previous and current usage patterns of bahn.de to provide you with customised contents that will make our range of products more interesting to you as a user. For this we store and analyse pseudonymised usage data from online activities. We can then offer you special advantages such as ticket price reductions and free seat reservations the next time you book a ticket. The legal basis for this is Art. 6 (1) (f) GDPR.

We also do this in order to maintain customer relations with you and to provide you with information and offers which we think will correspond to your travel preferences and interests. We therefore process your data on the basis of Article 6(1)(f) GDPR (including with the help of service providers) in order to send you information and offers. We use your contact data (name, address and e-mail address which we have received from our business relationship with you) for advertising by post and for similar goods or services by e-mail, and in particular for market research, unless you object to such use.

You can object at any time to the future use of your data for such advertising purposes. Send your objection by e-mail to p.d-datenschutz@deutschebahn.com (Advertising Objection).

In the following you will find a more detailed description of the data processing that can take place when booking a ticket on bahn.de. Further information, for example on data processing at ticket machines or if you visit our pages on social networks, can be found at: www.db-vertrieb.com/datenschutz

Specific examples are as follows:

• Creating a customer account
  Anyone who wants to create a customer account on bahn.de must register first. Click the following link to read the privacy policy regarding the customer account: bahn.com/privacy-customer

• Booking a digital ticket
  When booking a digital ticket, address details as well as surname and first name are saved. During ticket inspections on trains, the information on the ticket (first name and surname) is displayed on the scanner (mobile terminal).

• Payment data on bahn.de/bahn.com
  To ensure that your payments are processed securely, payment-related data (amount, booking reference, booking description, payer) is forwarded to payment service providers.
  
  Payment by credit card
  Our payment service provider for processing credit card payments is PAYONE GmbH, Lyoner Strasse 9, 60528 Frankfurt am Main, Germany. To learn how Payone processes your data, please read its privacy policy at https://www.payone.com/dsgvo/. The payment service provider performs the following: processing of credit card data in order to perform payments; application of security measures used by your card's issuer (such as 3D Secure and strong customer authentication). No other institution handles your data. We do not receive access to your full credit card data. Instead, we merely save a reference in the form of an abbreviated credit card number so that you can identify it. To prevent cases of fraud, a processor is used to process your device or browser fingerprint along with your payment-related data. This serves to protect you and us by preventing the misuse of your financial details when making payments via bahn.de/bahn.com. The legal basis for this is Art. 6 (1) (f) GDPR.
  
  Payment via PayPal
  If you pay via PayPal, your payment data will be forwarded to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg, Luxembourg (hereinafter called "PayPal"), as part of the payment process. Further information is available in the company's privacy policy (https://www.paypal.com/de/webapps/mpp/ua/privacy-full).
  
  Payment via giropay
  If you pay via giropay, your payment data will be forwarded to paydirekt GmbH, Hamburger Allee 26-28, 60486 Frankfurt am Main, Germany, as part of the payment process. Further information is available in the company's privacy policy (https://www.paydirekt.de/agb/index.html).

• Purchasing a BahnCard
  When you buy a BahnCard, our system records your contact and identification data (e.g. date of birth). Further information on data processing in connection with the BahnCard can be found at: www.db-vertrieb.com/datenschutz

• Enquiry regarding your booking on bahn.de/bahn.com
  When you send us an enquiry regarding your booking using the contact form on our website, your details from the enquiry form, including the contact details you provide there, will be processed by us for the purpose of handling the enquiry and any follow-up queries that may arise. The legal basis for this is Art. 6(1)(b) GDPR.

• Ordering subscriptions online
  Contact and payment details are collected when ordering a season ticket as a subscription. Depending on the offer, identification data such as date of birth or a photograph may also be required.

• Newsletter registration
  If you sign up for one of our newsletters, the e-mail address will be collected as mandatory information.
  
  When you register for a newsletter, we store the IP address assigned by the Internet Service Provider (ISP) to your end-user device used at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to trace (possible) subsequent misuse of the e-mail address of the person concerned and it therefore serves our legal protection. We want to be able to provide you with information that is relevant to you, so we analyse your interest in the contents of the bahn.de/bahn.com newsletter based on clicks and the display of content via customised links.
  
  You may unsubscribe from the newsletter at any time at p.d-datenschutz@deutschebahn.com or by clicking the relevant link at the bottom of the newsletter.
  
  If you object to your data being used for promotional purposes, your data will only be used anonymously for statistical purposes.

• Participating in competitions
  When we run competitions, we collect data for managing the process. The precise details, i.e. what data is collected and for what purpose, are available on the web page of the relevant competition.

• Virtual chat assistants

  On bahn.de/bahn.com the virtual assistant (also called chatbot) DB Smile is used. The chatbot serves as an information and customer contact channel for questions relating to DB passenger transport. Communication with the chatbox is easy, and customers can obtain information and receive answers to their questions quickly. DB Smile responds to a large number of requests automatically with the help of artificial intelligence and keyword recognition, offers suggestions and assistance for communication with the chatbot or refers users to other customer service channels (hotline or contact form). At this stage, the chatbox is unable to answer complex or individual customer inquiries. If a request cannot be answered automatically by our bot, you have the option of chatting in real time with a staff member.

  At present no contract-related customer inquiries are processed or resolved automatically or via live chat. Anyone who has questions of this type can continue to contact us via phone or e-mail. Users should therefore not provide any personal information when interacting with the chatbot.

  Your inquiries are stored in the chatbot for a maximum of 30 days in order to train the chatbot and optimise response recognition and accuracy. The chatbot can thus be continuously developed in terms of content and functionality. No personal data is analysed. Usage data such as chat duration, timestamp of messages, number of messages or operating system used are only stored for statistical purposes. We process user information only in order to handle their queries and for internal purposes, e.g. managing and improving processes related to our business and services (Art. 6(1)(b) GDPR). 

• Booking a digital ticket after visiting a partner website (as part of affiliate marketing activities)
  If you make a booking on an external partner website after clicking a DB affiliate advertisement, the business partner's cookies on that website are read. The relevant cookies have a lifetime of 30 days. This step is necessary to pay the business partner for the booking you make. We work with the Awin network for the purposes of affiliate marketing. 

Contract processing generally requires the involvement of order processors who are subject to our instructions, such as e.g. computer centre operators, printing or mail-order service providers or other agents involved in contractual performance.

External service providers who process data on our behalf are carefully selected and placed under strict contractual obligations. Service providers follow our instructions and this is guaranteed by technical and organisational measures, as well as by means of supplementary checks and controls.
In addition, we only disclose your data when you have given us your express consent or where we are under a statutory obligation.

Transmission to third countries outside the EU/EEA or to an international organisation, will not take place unless we have been given reasonable guarantees. These include the EU standard contractual clauses and an adequacy decision from the EU Commission. For example, we may be required to forward data in the following circumstances for the purpose of contract processing when users book services on bahn.de/bahn.com:

• Travel insurance from our partner Europäische Reiseversicherung AG
• Hotel services from our hotel reservations partner HRS
• Use of DB's car hire offers from the leasing firms DB Rent, Europcar and Sixt
• Credit rating checks by Infoscore Consumer Data GmbH when registering for direct debit services
• When making use of services for travellers with reduced mobility, your data is sent to the appropriate offices of the DB Group departments involved.
• When you purchase a BahnCard on bahn.de/bahn.com, you enter into a contract with DB Fernverkehr AG. To complete this process, we forward the data, which you provide, to DB Fernverkehr AG. Further information is available in the relevant General Terms and Conditions. We merely handle the payment process and store the data provided for this purpose.
• In the case of payment irregularities / payment default, details of the account receivable may be sent to a debt collection agency.
• When you use the contact form on bahn.de/bahn.com for communicating with DB Fernverkehr or DB Regio, the details you supply are forwarded to the customer dialogue units of the relevant transport companies. bahn.de/bahn.com merely serves as the platform hosting these forms.

You purchase our partners' services on bahn.de/bahn.com directly from these partner companies. Further information on this is available under "Do you incorporate data from third parties?"

We only store your data for as long as necessary to achieve the purpose for which it was collected (e.g. in the context of a contractual relationship) or insofar as permitted by law. Thus, in the context of a contractual relationship, we store your data until final completion of the contract. Thereafter, the data will be stored for the statutory storage period.

We use cookies on our website for purposes relating to functions, measurement and analysis. Cookies are small text files which can be used to store data on your end-user device. We distinguish between cookies that are necessary for the technical functioning of the website and cookies that are not essential for the technical functioning of the website, e.g. for range measurement activities.

Generally speaking, it is possible to use bahn.de/bahn.com without the cookies that serve non-technical purposes. This means that you can prevent tracking via cookies in your browser (do not track, tracking protection list, etc.) or block the storage of third-party cookies. We also recommend regular checks of stored cookies that have not been expressly requested.

You can click the "Cookie settings" button to access your cookie settings and make any changes you want.

Note: Please note that these settings also apply for all subdomains of bahn.de/bahn.com. Subdomain cookie settings that differ from those of the main domain cannot be selected.

The following tracking measures that we use are carried out on the basis of Art. 6(1)(b) GDPR. They enable us to design our website in line with requirements and to optimise it continuously.
In order to be able to assess the effectiveness of our measures to improve the functionalities and your user experience, we continuously collect necessary statistics on the usage of bahn.de/bahn.com. For this, we use the analysis tools Tealium, Adobe Analytics, Optimizely, Qualtrics and m-pathy. If your IP address needs to be processed, it will be made anonymous. All service providers are contractually obliged to handle your data in accordance with privacy requirements.

Use of Tealium
In order to facilitate the dynamic modification of this website and the management of dynamic content, we use the tag management service Tealium iQ (Tealium Inc., 11095 Torreyana Road, San Diego, CA 92121, USA). This also includes processing your selected cookie settings. The cookies used for this purpose are stored on your end device for 12 months.

Use of Adobe Analytics
In order to manage our website and optimise its performance, we use the web analysis service of Adobe Systems Software Ireland Limited (Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland). The relevant cookies have a lifetime of 24 months. The information processed via cookies are not personal in nature and cannot be linked to a specific individual. We use this information to measure and evaluate the use of the website and to create statistics. This enables us to assess how often different sections and texts on our website's pages are read, and whether or not our website design influences the extent of website usage. The statistics obtained enable us to improve our content and make it more interesting for you as a user.

Use of Optimizely
In order to be able to show you our website with slightly different content, we carry out so-called A/B testing using the web analysis service Optimizely.For this purpose, cookies are stored on your end device with a lifetime of 24 months. The analysis service provider is Optimizely (631 Howard Street, Suite 100, San Francisco, CA 94105, United States). The anonymised data is usually processed on an Optimizely server in the USA.

Use of Qualtrics
In order to ensure continual improvement of our content and services, we invite users of our website to take part in surveys. For these, we use technology from Qualtrics LLC (333 W. River Park Drive, Provo UT 84604, USA). Data is collected anonymously.The purpose of the cookies used by Qualtrics is to prevent users from participating multiple times within a certain period of time. The relevant cookies have a lifetime of 12 months. Participation in the surveys is voluntary.

Use of m-pathy
This website uses m-pathy, a technology from Verint Systems GmbH (Ziegelteich 29, 24103 Kiel, Germany), to collect and store session and interaction data of website visitors. This information is used for improving the content and usability of the website's pages. Cookies are stored for this purpose and have a lifetime of 24 months.

The following cookies are not essential for using the website and will be processed only if you give your consent beforehand.

Use of Exactag
This website uses the analysis service from Exactag GmbH (Philosophenweg 17, 47051 Duisburg, Germany). Cookies are used to store data on how you use bahn.de/bahn.com. The cookie set by Exactag has a lifetime of 12 months. The legal basis for this is Article 6(1)(a) GDPR.

Use of AdForm
Cookies from AdForm A/S(Wildersgade 10B, 1, 1408 Copenhagen K, Denmark) are used for placing interest-based advertising. These cookies create pseudonymised usage profiles containing information about different features, such as users' operating systems, browser versions, anonymised IP addresses, geographic location, number of clicks and number of views. The cookie set by AdForm has a lifetime of 12 months. The data is used for the following purposes:

• Identifying the number of visitors to bahn.de/bahn.com
• Identifying the sequence in which different website pages are accessed by visitors to bahn.de/bahn.com
• Optimising the website

Adform uses this information to deliver more targeted, usage-based online advertisements. In order to be able to use the advertising space from other websites, the cookies are synchronised with the following platforms: Google, Doubleclick, Appnexus, DataXu, Mediamath, TURN, TheTradeDesk, Active Agent, TheAdex. The legal basis for this is Article 6(1)(a) GDPR. 

• You can request information to find out what information is stored about you.
• You may request the correction, deletion and restriction of the processing (blocking) of your personal data as long as this is legally permissible and possible within the framework of an existing contractual relationship.
• You have the right to file complaints with the supervisory authority. The supervisory authority responsible for DB Vertrieb GmbH is: Der Hessische Datenschutzbeauftragte, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, e-mail: poststelle@datenschutz.hessen.de
• You have the right to transferability of the data that you have submitted to us based on consent or under a contract (data transferability).
• If you have given us your consent to data processing, you can withdraw it at any time by the same means by which it was given. Withdrawal of consent does not affect the legitimacy of processing carried out on the basis of consent prior to its withdrawal.
• You can object to the data processing for reasons arising from your particular situation, if the data processing is based on our legitimate interests.
• You can opt out of advertising messages at any time with future effect (advertising opt-out).

Joint responsibility exists between DB Vertrieb, DB Fernverkehr and DB Regio as per Art. 26 GDPR. The parties have formally agreed which of them complies with the obligations arising from GDPR. Independently of this, you can make a claim based on your rights vis-a-vis the above-named contracting parties at any time. If you contact us in writing but your issue relates to the area of responsibility of the service you used, we will forward your matter accordingly. As a result, you may receive an answer from the relevant DB service unit instead of us.

To exercise your rights, simply write to us at the following address:

DB Vertrieb GmbH
Europa-Allee 78 – 84
60486 Frankfurt am Main
Germany

or send an e-mail to p.d-datenschutz@deutschebahn.com

We incorporate data from third parties in order to provide you with offers along the entire length of the mobility chain (partner offers). This requires you to submit your information directly on the relevant third parties' websites. These websites/webpages are integrated with bahn.de/bahn.com and have been modified to ensure that they suit our website's visuals. Third party content always features its own site notice and data privacy information.

We incorporate content from the following partners:

• AMEROPA - rail holidays and city breaks
• FlyLoco - city breaks via air travel
• Weg.de - all-inclusive flights and last-minute journeys
• HRS - hotel provider
• Eventim - tickets for musicals and other events
• ERGO - travel insurance
• DB Regio Bus Ost GmbH - long-distance coach travel
• Avis - car hire • Europcar - car hire
• Sixt - car hire
• Ypsilon.net - car hire price comparison
• Auto Europe - car hire broker within Ypsilon.net comparison service

When you click on a link to an external website, you leave the bahn.de/bahn.com website. As a result, DB Vertrieb GmbH is not responsible for the content, services or products available on this linked website. Similarly, DB Vertrieb GmbH is not responsible for data privacy or technical safety on the linked website.

We update our Privacy Notice to bring it into line with new functionalities or legal requirements. We therefore recommend that you regularly check the Privacy Notice. Where your consent is required, or components of the Privacy Notice involve provisions contained in our contract with you, changes shall only take place with your consent.

Last updated: November 2022