Privacy statement for customer accounts

 

The privacy statement for customer accounts supplements the general bahn.de/int.bahn.de privacy statement.

This statement describes what personal data we process in connection with customer accounts and how you can opt out of this data processing.

When you use your customer account, the DB companies DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG process your data as joint controllers. The companies have agreed which of them is responsible for privacy-related obligations. The essence of this agreement can be found in this privacy statement.

If you have any questions or suggestions regarding this privacy statement, simply contact one of the DB companies.

DB Vertrieb GmbH
Europa-Allee 78-84
60486 Frankfurt
Germany

p.d-datenschutz@deutschebahn.com

DB Fernverkehr AG
Europa-Allee 78-84
60486 Frankfurt
Germany

fv-datenschutz@deutschebahn.com

DB Regio AG
Europa-Allee 70-76
60486 Frankfurt
Germany

datenschutz.regio@deutschebahn.com

Dr Marein Müller is the designated privacy officer for all three companies.

Further information about the customer account is available in the terms of use for customer accounts.

The aforementioned companies have formally agreed which of them performs a given task as part of this joint processing. The key features of this agreement are described below.

DB Vertrieb GmbH is responsible for the following

  • Payment processing in connection with sales services and objections handling 
  • Credit assessment and fraud prevention measures 

DB Fernverkehr AG is responsible for the following

  • Provision, operation and fault management of the sales infrastructure
  • Loyalty programme (BahnBonus)
  • Sale of long-distance tickets, including digital provision, as well as ordering and sale of BahnCard and BahnBonus 
  • Marketing, communication and customer support 
  • Carrying out statistical analyses 

DB Vertrieb GmbH and DB Regio AG are responsible for the following

  • Writing to customers (e.g. subscription customers) and advertising measures
  • Regional offers

DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG are responsible for the following

  • Use of websites and apps for the sale of products and services, and the provision of information for marketing communications
  • Processes on the train (e.g. ticket sales and inspection, penalty fares)
  • Processing and paying goodwill gestures and compensation (e.g. due to disruptions and unforeseen events)
  • Implementation of data subject rights, complaint management, service concerns and customer dialogue

We collect and process your customer account data exclusively for specific purposes. These may arise due to technical necessity, contractual obligations or express requests on the part of users.

Processing personal data in connection with your customer account is based on Article 6 (1) (b) GDPR. This also applies to processing that is required in order to take steps prior to entering into the contract, e.g. in cases of inquiries regarding our products or services.

Insofar as we obtain your consent for the processing of personal data (i.e. if you subscribe to our newsletter or use the remember me option), this consent shall serve as the legal basis according to Article 6 (1) (a) GDPR.

If we are subject to a legal obligation that requires us to process personal data, for example to fulfil tax obligations, this processing shall be based on Article 6 (1) (c) GDPR.

We would like to use your previous and current usage patterns regarding your customer account to provide you with customised contents that will make our range of products more interesting to you. To do so, we store and analyse pseudonymised usage data from online activities. We can then offer you special advantages such as ticket price reductions and free seat reservations the next time you book a ticket. The legal basis for this is Article 6 (1) (f) GDPR.

The following contains a more detailed description of the data processing activities that take place when you register for and use a customer account.

List of specific examples:

Creating a customer account
The following mandatory information is required when users create a customer account:

  • User name (e-mail address) and password
  • First name and surname

It is not possible to create a personal account without supplying this information. All other personal information and details pertaining to the user's travel profile are optional. We save your booking and login data in your customer account and use it for performing internal analyses and marketing research.

Booking a digital ticket
When you book a digital ticket, our system uses the address details as well as surname and first name in your customer account. In addition, when you book an international ticket via international-bahn.de/bahn.com or certain regional offerings, our system uses the date of birth in your customer account, if you have included it. When the tickets are inspected on board the train, the train attendant's mobile terminal will display the information contained in the ticket.

Buying BahnCards
When you purchase a BahnCard, our system uses the contact and identification data in your customer account. Further information on data processing in connection with the BahnCard can be found at: www.db-vertrieb.com/datenschutz/datenschutz-bahncard.

Payment details in customer accounts
We process your payment details when handling transactions, such as when you buy a product via bahn.de/bahn.com. Depending on the payment method chosen, we may forward your payment details to a third party, as we work with partner companies in order to process certain payment options. You can use the payment services of PayPal, paydirekt and Klarna without payment details being stored in your customer account.

  • Registration for payment by SEPA direct debit
    When you register to use the SEPA direct debit process, you provide us with a SEPA mandate that we can use to deduct payments from your bank account by means of a SEPA direct debit if you have selected this payment option. The legal basis for this is Article 6 (1) (b) GDPR.
     
  • Online activation of the SEPA direct debit scheme 
    To ensure secure payment with the SEPA direct debit scheme, we provide methods for online verification of account access via OpenBanking through Tink Germany GmbH (Gottfried-Keller-Strasse 33, 81245 Munich) or Verimi GmbH (Oranienstrasse 91, 10969 Berlin), or for online identity verification through Verimi GmbH. Depending on which verification method you choose, your personal data (the bank details, name and e-mail address provided) will be transmitted to the service provider under your direction. You will be guided through the selected function and informed about each individual step of the data processing in the automatically opening dialogue of the service provider. Once you have successfully completed the check, you can pay by direct debit. Both service providers are independently active as controllers. Verimi GmbH will offer you the use of your Verimi customer account, if you have one, or let you create a new customer account that will later also assist you with other identity verification procedures. Tink Germany GmbH and Verimi GmbH are authorised account information services that also work for banks and only process your data for the few minutes it takes to perform the account access check. 
    Further information is also available in the privacy statement in the dialogue window of the respective provider.
     
  • Payment by credit card
    To ensure that your payments are processed securely, payment-related data (amount, booking reference, booking description, payer) in your customer account is forwarded to a payment service provider. The legal basis for this is Article 6 (1) (b) GDPR. Our payment service provider for processing credit card payments is PAYONE GmbH, Lyoner Strasse 9, 60528 Frankfurt am Main, Germany. To learn how Payone processes your data, please read its privacy statement at https://www.payone.com/dsgvo/. The payment service provider performs the following: processing of credit card data in order to perform payments and store details in your customer account; application of security measures used by your card’s issuer (such as 3D Secure and strong authentication). No other institution handles your data. We do not receive access to your full credit card data. Instead, we merely save a reference in the form of an abbreviated credit card number so that you can identify it. To prevent cases of fraud, a data processor is used to process your device or browser fingerprint along with your payment-related data. This serves to protect you and us by preventing the misuse of your payment method when making payments via bahn.de/bahn.com. The legal basis for this is Article 6 (1) (f) GDPR.

Enquiry regarding bookings
If you use the contact form / chatbot to ask questions regarding a booking, our system uses the details in your customer account, including the contact details it contains, to process your enquiry and in the event of follow-up questions.

Offers relating to similar products or services
We take steps in order to maintain customer relations with you and to provide you with information and offers which we think will correspond to your travel preferences and interests. We therefore process your data on the basis of Art. 6 (1) (f) GDPR (including with the help of service providers) in order to send you information and offers. We use your contact data (name, address and e-mail address which we have received as a result of our business relationship with you) for advertising by post and for similar goods or services by e-mail, in particular for market research, unless you object to such use.

You can object at any time to the future use of your data for such advertising purposes without incurring costs other than those for your internet connection, which you need for communicating with us. Simply send your objection by e-mail to p.d-datenschutz@deutschebahn.com or by post to one of the above-named companies (advertising opt-out).

Ordering subscriptions online
When you purchase a season ticket as a subscription, our system uses the contact and payment data in your customer account. Depending on the offer, identification data such as date of birth or a photograph may also be required. Your customer account displays your current subscription.

Newsletter registration
If you use your customer account to register for a newsletter, our system uses the relevant data in your account.
When you register for a newsletter, we also store the IP address assigned by the Internet Service Provider (ISP) to your end-user device used at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to trace (possible) subsequent misuse of the e-mail address of the person concerned and it therefore serves our legal protection. We want to be able to provide you with information that is relevant to you, so we analyse your interest in the contents of the newsletter based on clicks and the display of content via customised links. You may unsubscribe from the newsletter at any time by clicking the unsubscribe link at the bottom of the newsletter.

Participating in competitions
When we run competitions, we collect data for managing the process. The precise details, i.e. what data is collected and for what purpose, are available on the web page of the relevant competition.

Virtual chat assistants
Virtual chat assistants (also known as chatbots) are used on bahn.de/int.bahn.de. They are part of our sales channel and help you find information on bahn.de/bahn.com and in the DB Navigator app. The chat assistants are familiar with our websites' contents and provide keyword-based answers to customers' questions, recommend links to relevant websites or suggest using a different channel if they want to contact us.

We are constantly upgrading our chatbots, which help website and app users to navigate our website and mobile services. At the moment, they cannot process queries about specific contract-related issues. Anyone who has questions of this type can continue to contact us via live chat, phone or e-mail. Users should not provide any personal information when interacting with chatbots.

Our chatbots store customers' queries for a maximum of 34 days so their self-learning feature can optimise how they operate. The chatbot does not evaluate personal data. Usage-related metrics like chat duration, message timestamps, number of dialogues and users’ approximate location are stored only for statistical purposes. We process user information only in order to handle their queries and for internal purposes, e.g. managing and improving processes related to our business and services.

Booking a digital ticket after visiting a partner website (as part of affiliate marketing activities)
If you make a booking on an external partner website after clicking a DB affiliate advertisement, the business partner's cookies on that website are read. The relevant cookies have a lifetime of 30 days. This step is necessary for paying the business partner for the booking you make. We work with the Awin network for the purposes of affiliate marketing.

Contract processing generally requires the involvement of data processors who are subject to our instructions, such as computer centre operators, printing or mail-order service providers, or other agents involved in contractual performance.

External service providers who process data on our behalf are carefully selected and placed under strict contractual obligations. The service providers work in accordance with our instructions and this is verified by technical and organisational actions and supplementary checks.

In addition, we only disclose your data when you have given us your express consent or where we are under a statutory obligation. Transmission to third countries outside the EU/EEA or to an international organisation will not take place unless we have been given reasonable guarantees. These include the EU standard contractual clauses and an adequacy decision by the EU Commission. For example, we may be required to forward data in the following circumstances for the purpose of contract processing when users book services on bahn.de/int.bahn.de:

  • Purchase of travel insurance
  • Purchase of hotel services
  • Use of the car rental service
  • When making use of services for travellers with reduced mobility, your data is sent to the appropriate offices of the DB Group departments involved.
  • Credit check when registering for the direct debit procedure by Experian Solutions GmbH
  • In the case of payment irregularities or payment default, details of the account receivable may be sent to a debt collection agency.

You purchase our partners' services on bahn.de/bahn.com directly from these partner companies. Further information on this is available under "Do you incorporate data from third parties?"

We only store your data for as long as necessary so we can achieve the purpose for which it was collected (e.g. in the context of a contractual relationship) or insofar as permitted by law. Thus, in the context of a contractual relationship, we will store your data at least until full and final completion of the contract. Thereafter, the data will be stored for the statutory storage period.

Your access to your customer account will be automatically suspended following 24 months of inactivity.

Cookies are set when you visit your account. The following cookies are also set when you use your account.

CrossEngage
If you have a bahn.de/bahn.com customer account, personal offers and promotions can be displayed when you are logged in. In order to design and display this content, we have to place a cookie on your browser when you use bahn.de/bahn.com. It has a lifetime of 12 months. The data collected via the cookie is pseudonymised and processed on servers of our service provider CrossEngage GmbH (Bertha-Benz-Str. 5, 10557 Berlin, Germany). The legal basis for this is Art. 25 (2) (2) of the German Telecommunication and Telemedia Data and Privacy Protection Act (Gesetz über den Datenschutz und den Schutz der Privatsphäre in der Telekommunikation und bei Telemedien, “TTDSG”) in conjunction with Art. 6 (1) (b) GDPR.

  • You can request information to find out if and what information is stored about you.
  • You can request the correction, deletion and restriction of the processing (blocking) of your personal data as long as this is legally permissible and possible within the framework of an existing contractual relationship.
  • You have the right to file complaints with the supervisory authority. The supervisory authority responsible for DB Vertrieb GmbH is Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany.
  • You have the right to the portability of data you have made available to us on the basis of consent or a contract (data portability).
  • If you have given us your consent to data processing, you can withdraw it at any time by the same means by which it was given. Any processing of your personal data that took place from the time at which you granted your consent until the time at which you withdrew it will be considered to have been lawful.
  • You can object to data processing for reasons arising from your particular circumstances if the data processing is based on our legitimate interests.
  • You can opt out of targeted advertising at any time. This takes effect for the future (advertising opt-out).

Joint responsibility exists between DB Vertrieb, DB Fernverkehr and DB Regio as per Art. 26 GDPR. The parties have formally agreed which of them complies with the obligations arising from GDPR. Independently of this, you can assert your rights vis-a-vis the above-named companies whenever necessary.

To exercise your rights relating to your customer account, simply contact us at the following address:

DB Vertrieb GmbH
Europa-Allee 78-84
60486 Frankfurt
Germany

or send an e-mail to p.d-datenschutz@deutschebahn.com.

If you contact one company but another company is responsible for your particular issue, we will forward your communication to the relevant party.

We update our privacy statement to bring it into line with new functions or legal requirements. We therefore recommend that you check the privacy notice at regular intervals.

Last modified: April 2023