Privacy policy for customer accounts (as of 1 October 2021)

The privacy policy for customer accounts supplements the general bahn.de/bahn.com privacy policy

This notice describes what personal data we process in connection with customer accounts and how you can opt out of this data processing.

When you use your customer account, the DB companies DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG process your data and are jointly responsible for doing so. The companies have agreed which of them is responsible for privacy-related obligations. The essential details of this agreement are described in the section "What data do we collect and how and why do we process your data?"

If you have any questions or suggestions regarding this privacy policy, simply contact one of the DB companies.

DB Vertrieb GmbH
Europa-Allee 78-84
60486 Frankfurt
Germany
ecommerce-datenschutz@bahn.de

DB Fernverkehr AG
Europa-Allee 78-84
60486 Frankfurt
Germany
fv-datenschutz@deutschebahn.com

DB Regio AG
Europa-Allee 70-76
60486 Frankfurt
Germany
datenschutz.regio@deutschebahn.com

Ms Chris Newiger is the designated privacy officer for all three companies.

Further information about the customer account is available in the terms and conditions of use for customer accounts.

The above-named companies share joint responsibility for processing your data in connection with the customer account. They have concluded an agreement which details the following: which of them is responsible for which tasks within the scope of joint processing, what objectives this meets, who organises it, and who is responsible for obligations arising from GDPR, in particular for information-related obligations. The essential details of this agreement are described below.

DB Vertrieb GmbH and DB Fernverkehr AG are responsible for the following. 

  • Sale of BahnCards and their extension as subscriptions, plus the processes by which registered customers can join or leave the BahnBonus programme.
  • Operational customer management for registered customers and in connection with BahnCard and BahnBonus (e.g. enabling the collection of BahnBonus loyalty points).
  • Handling marketing communication and providing customer information for registered customers, BahnCard holders and BahnBonus participants within the framework of campaign management activities at DB Fernverkehr AG (with the involvement of DB Vertrieb GmbH).
  • Handling marketing communication and providing customer information for registered customers within the framework of campaign management activities at DB Vertrieb GmbH (with the involvement of DB Fernverkehr AG).
  • Performing statistical analyses on the basis of pseudonymised or anonymised data such as the details of registered customers, from the BahnBonus loyalty points programme, the BahnCard programme and campaign management activities.

DB Vertrieb GmbH and DB Regio AG are responsible for the following.

  • Customer communication activities (e.g. for subscription customers) and advertising activities (e.g. regional offerings) for registered customers.

DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG are responsible for the following.

  • Marketing products and services via websites and apps, providing information and handling marketing communication for registered customers.
  • Issuing vouchers and tracking their redemption, providing the information necessary for campaigns for registered customers. 
  • Sharing registered customers' data to facilitate the holistic processing of activities, e.g. booking tickets, buying a BahnCard or preventing fraud.
  • Sharing registered customers' data in connection with complaints management, service-related issues and customer dialogue. 

We collect and process your customer account data exclusively for specific purposes. These purposes may be due to technical necessity, contractual obligations or express requests on the part of users.

Processing personal data in connection with your customer account is based on Article 6(1)(b) GDPR. This also applies to processing that is required in order to take steps prior to entering into the contract, e.g. in cases of inquiries regarding our products or services.

Insofar as we obtain your consent for the processing of personal data (i.e. if you subscribe to our newsletter or use the remain-logged-in option), this consent shall serve as the legal basis according to Article 6(1)(a) GDPR.

If we are subject to a legal obligation that requires us to process personal data, for example to fulfil tax obligations, this processing shall be based on Article 6(1)(c) GDPR.

We would like to use your previous and current usage patterns regarding your customer account to provide you with customised contents that will make our range of products more interesting to you as a user. For this we store and analyse pseudonymised usage data from online activities. We can then offer you special advantages such as ticket price reductions and free seat reservations the next time you book a ticket. The legal basis for this is Article 6 (1) (f) GDPR.
The following contains a more detailed description of the data processing activities that take place when you register for and use a customer account.

List of specific examples:

Creating a customer account
The following mandatory information is required when users create a customer account:

  • User name (e-mail address) and password
  • First name and surname
  • E-mail address
  • Security question for forgotten passwords and answer to your security question

It is not possible to create a personal account without supplying this information. All other personal information and details pertaining to the user's travel profile are optional. We save your booking and login data in your customer account and use it for performing internal analyses and marketing research. 

Booking a digital ticket    
When you book a digital ticket, our system uses the address details as well as surname and first name in your customer account. In addition, when you book an international ticket via international-bahn.de/bahn.com or certain regional offerings, our system uses the date of birth in your customer account, if you have included it. When the tickets are inspected on board the train, the train attendant's mobile terminal will display the information contained in the ticket.

Purchasing a BahnCard
When you purchase a BahnCard, our system uses the contact and identification data in your customer account. Further information on data processing in connection with the BahnCard can be found at db-vertrieb.com/datenschutz (German only).

Payment details in customer accounts
We process your payment details when handling transactions, such as when you buy a product via bahn.de/bahn.com. Depending on the payment method chosen, we may forward your payment details to a third party, as we work with partner companies in order to process certain payment options. You can use the payment services of PayPal, paydirekt and Klarna without payment details being stored in your customer account. 

  • Registration for payment by SEPA direct debit
    When you register to use the SEPA direct debit process, you provide us with a SEPA mandate that we can use to deduct payments from your bank account by means of a SEPA direct debit if you have selected this payment option. The legal basis for this is Article 6(1)(b) GDPR.
  • Payment by credit card
    To ensure that your payments are processed securely, payment-related data (amount, booking reference, booking description, payer) in your customer account is forwarded to a payment service provider. The legal basis for this is Article 6(1)(b) GDPR. Our payment service provider for processing credit card payments is PAYONE GmbH, Lyoner Strasse 9, 60528 Frankfurt am Main, Germany. To learn how Payone processes your data, please read its privacy policy at https://www.payone.com/dsgvo/.  
    The payment service provider performs the following: processing of credit card data in order to perform payments and store details in your customer account; application of security measures used by your card's issuer (such as 3D Secure and strong customer authentication). No other institution handles your data. We do not receive access to your full credit card data. Instead, we merely save a reference in the form of an abbreviated credit card number so that you can identify it. To prevent cases of fraud, a processor is used to process your device or browser fingerprint along with your payment-related data. This serves to protect you and us by preventing the misuse of your financial details when making payments via bahn.de/bahn.com. The legal basis for this is Article 6 (1) (f) GDPR.

Enquiry regarding bookings
If you use the contact form / chatbot to ask questions regarding a booking, our system uses the details in your customer account, including the contact details it contains, to process your enquiry and in the event of follow-up questions. 

Offers relating to similar products or services
We take steps in order to maintain customer relations with you and to provide you with information and offers which we think will correspond to your travel preferences and interests. We therefore process your data on the basis of Article 6(1)(f) GDPR (plus with the help of service providers) in order to send you information and offers. We use your contact data (name, address and e-mail address which we have received as a result of our business relationship with you) for advertising by post and for similar goods or services by e-mail, in particular for market research, unless you object to such use.

You can object at any time to the future use of your data for such advertising purposes. Simply send your objection by e-mail to ecommerce-datenschutz@bahn.de or by post to one of the above-named DB companies (advertising opt-out).

Ordering subscriptions online
When you purchase a season ticket as a subscription, our system uses the contact and payment data in your customer account. Depending on the offer, identification data such as date of birth or a photograph may also be required. Your customer account displays your current subscription.

Newsletter registration
If you use your customer account to register for a newsletter, our system uses the relevant data in your account.
When you register for a newsletter, we also store the IP address assigned by the Internet Service Provider (ISP) to your end-user device used at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to trace (possible) subsequent misuse of the e-mail address of the person concerned and it therefore serves our legal protection. We want to be able to provide you with information that is relevant to you, so we analyse your interest in the contents of the newsletter based on clicks and the display of content via customised links. You can unsubscribe from the newsletter at any time at ecommerce-datenschutz@bahn.de or by clicking the relevant link at the bottom of the newsletter. 

Participating in competitions
When we run competitions, we collect data for managing the process. The precise details, i.e. what data is collected and for what purpose, are available on the web page of the relevant competition.

Virtual chat assistants
On bahn.de/bahn.com the virtual assistant (also called chatbot) DB Smile is used. The chatbot serves as an information and customer contact channel for questions relating to DB passenger transport. Communication with the chatbot is easy, and customers can obtain information and receive answers to their questions quickly. DB Smile responds to a large number of requests automatically with the help of artificial intelligence and keyword recognition, offers suggestions and assistance for communication with the chatbot or refers users to other customer service channels (hotline or contact form). At this stage, the chatbot is unable to answer complex or individual customer inquiries. If a request cannot be answered automatically by our bot, you have the option of chatting in real time with a staff member.

At present no contract-related customer inquiries are processed or resolved automatically or via live chat. Anyone who has questions of this type can continue to contact us via phone or e-mail. Users should therefore not provide any personal information when interacting with the chatbot.

Your inquiries are stored in the chatbot for a maximum of 30 days in order to train the chatbot and optimise response recognition and accuracy. The chatbot can thus be continuously developed in terms of content and functionality. No personal data is analysed. Usage data such as chat duration, timestamp of messages, number of messages or operating system used are only stored for statistical purposes. We process user information only in order to handle their queries and for internal purposes, e.g. managing and improving processes related to our business and services (Art. 6(1)(b) GDPR). 

Booking a digital ticket after visiting a partner website (as part of affiliate marketing activities)
If you make a booking on an external partner website after clicking a DB affiliate advertisement, the business partner's cookies on that website are read. The relevant cookies have a lifetime of 30 days. This step is necessary for paying the business partner for the booking you make. We work with the Awin network for the purposes of affiliate marketing. 

We only store your data for as long as necessary so we can achieve the purpose for which it was collected (e.g. in the context of a contractual relationship) or insofar as permitted by law. Thus, in the context of a contractual relationship, we store your data until final completion of the contract. Thereafter, the data will be stored for the statutory storage period.

Your access to your customer account will be automatically suspended following 24 months of inactivity.

Cookies are set when you visit your account. The following cookies are also set when you use your account.

Use of CrossEngage
If you have a bahn.de/bahn.com customer account, personal offers and promotions can be displayed when you are logged in. In order to be able to design and display this content, we have to place a cookie on your browser when you use bahn.de/bahn.com. It has a lifetime of 12 months. The data collected via the cookie is pseudonymised and processed on the servers of our service provider CrossEngage GmbH (Gontardstr. 11, 10178 Berlin, Germany). The legal basis for this is Article 6(1)(b) GDPR.

Cookies that are not essential for using the website:

The following cookies are not essential for using the website and will be processed only if you give your consent beforehand. 

Remain-logged-in option 
If you use the remain-logged-in option, you will be recognised and addressed by your name the next time you visit. You can use the contents of your customer account faster and receive customised offerings. Use of the remain-logged-in option does not enable direct access to your personal customer account. In order to access your data such as address, account or booking information, personal offers, etc., you must always log in to your customer account with your user name and password. bahn.de/bahn.com will be pre-set with your user name every time you log in. Our aim is to provide a faster and more convenient login. We will never pre-set your password. If your end-user device is used by several people, please make sure that the auto-fill-in option in your browser is switched off in order to avoid misuse.

Registration 
If you wish to use the remain-logged-in option, we need your consent in accordance with Article 6(1)(a) GDPR. You can give your consent to the remain-logged-in option on registration and when logging in to your customer account. By entering your user name and password, ticking the remain-logged-in box and clicking the login button, you consent to the option. You have to give your consent for every end-user device and every browser used. Following your consent, we place two cookies on your browser. These are first-party cookies that can only be read by us. One cookie allows us to give your browser a randomly generated ID and thereby enables us to clearly recognise it and/or you as user of the browser. The other cookie indicates whether the remain-logged-in option has been set in your browser. If this is the case, the randomly generated cookie ID from your browser is decoded in our systems and allocated to your customer account. This only takes place by way of encrypted connections.
Both cookies thereby enable us to recognise you on subsequent visits to bahn.de/bahn.com and to address you by your name. These cookies are not used to collect usage data from your browser or to link this usage data with data from other browser sessions.
The cookies for the remain-logged-in option have a lifetime of 24 months. After every login to your user account with your customer name and password, the lifetime of the cookies will be extended by a further 24 months as from this login. 

Opt out
You can opt out of the remain-logged-in option via the link "You are not [first name] [surname]? Opt out". You will find the link by clicking on your name, which is displayed on the website. In addition, in your customer account on the "Change login data" page, you can opt out, in a single step, of the remain-logged-in option on all browsers or end-user devices on which you gave consent. This opt-out option is only displayed in the customer account, however, if consent to the remain-logged-in option was given on at least one end-user device.
If you delete the cookies on your browser, you will also opt out of the option. If a third party uses your end-user device (browser) and logs in to his/her customer account, the remain-logged-in option will also be deleted. 

  • You can request information to find out if and what information is stored about you.
  • You can request the correction, deletion and restriction of the processing (blocking) of your personal data as long as this is legally permissible and possible within the framework of an existing contractual relationship.
  • You have the right to file complaints with the supervisory authority. The supervisory authority responsible for DB Vertrieb GmbH is Der Hessische Datenschutzbeauftragte, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany; e-mail: poststelle@datenschutz.hessen.de
  • You have the right to the transferability of the data that you have submitted to us based on consent or under a contract (data transferability).
  • If you have given us your consent to data processing, you can withdraw it at any time by the same means by which it was given. Withdrawal of consent does not affect the legitimacy of processing carried out on the basis of consent prior to its withdrawal.
  • You can object to data processing for reasons arising from your particular circumstances if the data processing is based on our legitimate interests.
  • You can opt out of advertising messages at any time with future effect (advertising opt-out).

DB Vertrieb, DB Fernverkehr and DB Regio share joint responsibility as per Article 26 GDPR. As part of this agreement, the companies have identified which GDPR-related obligations each of them must meet. Independently of this, you can assert your rights vis-a-vis the above-named companies whenever necessary.
To exercise your rights relating to your customer account, simply contact us at the following address:

DB Vertrieb GmbH
Europa-Allee 78-84
60486 Frankfurt
Germany
or send an e-mail to ecommerce-datenschutz@bahn.de.

If you contact one company but another company is responsible for your particular issue, we will forward your communication to the relevant party. As a result, it may be the case that you will not hear from us but from the relevant DB unit that provides that service.

 

We update our privacy notice to bring it into line with new functionalities or legal requirements. We therefore recommend that you check the notice at regular intervals. Where your consent is required or if elements of the privacy notice contain provisions from the contract with you, any changes will be made only with your consent.

Last updated: October 2021