bahn.com Privacy Notice
Use of our website is generally possible without providing personal data. If you wish to make use of special services offered by our company via our website or you are booking a trip via our website, we may need to process your personal data. If it is necessary to process personal data and there is no statutory basis for such processing (e.g. a contractual agreement), we will ask for your consent.
This Notice aims to inform you which data we will collect from you, how we will use it and how you can opt out of the use of your data.
Who is responsible for data collection and processing?
DB Vertrieb GmbH, Stephensonstr.1, 60326 Frankfurt is responsible for collecting and processing your data.
Ms Chris Newiger is the designated Privacy Officer. If you have any questions or comments about data privacy on bahn.com, please contact us at the following address:
DB Vertrieb GmbH
What data do we collect and how and why do we process your data?
We collect and process your data exclusively for specific purposes. These may arise due to technical necessity, contractual obligations or express requests on the part of users.
For technical reasons, certain data must be collected and saved when you visit bahn.de. This includes, for example, the date and duration of your visit, the web pages used, the identification data of your browser and type of operating system used as well as information on the website via which you were routed to our site.
In order to comply with a contract, we require certain personal data from you. This data is required for ticket bookings, processing payments, checking credit ratings, for delivery by post to the specified address, where applicable, and for dealing with any cancellations and refunds.
In this case, the contract pursuant to Article 6(1)(b) GDPR is the legal basis for the processing of your personal data. Article 6(1)(b) GDPR shall also apply to processing that is required in order to take steps prior to entering in to the contract , e.g. in cases of inquiries regarding our products and services.
Insofar that we obtain your consent for the processing of personal data (e.g. if you subscribe to our newsletter or use the Remain-logged-in option), this consent shall serve as the legal basis according to Article 6(1)(a) GDPR.
If our company is subject to a legal obligation that requires us to process personal data, for example to fulfil tax obligations, this processing shall be based on Article 6(1)(c) GDPR.
In order to ensure the continuous improvement of our content, we store and analyse pseudonymized usage data from online activities. The legal basis for this is Art. 6 (1)(f) GDPR.
We also do this in order to maintain customer relations with you and to provide you with information and offers which we think will correspond to your travel preferences and interests. We therefore process your data on the basis of Article 6(1)(f) GDPR (including with the help of service providers) in order to send you information and offers. We use your contact details (name and e-mail address obtained through our business relationship with you) for postal advertising and market research, unless you object to such use.
You can object at any time to the future use of your data for such advertising purposes. Send your objection by e-mail to firstname.lastname@example.org (Advertising Objection).
In the following you will find a more detailed description of the data processing that can take place when booking a ticket on bahn.de. Further information, for example on data processing at ticket machines or if you visit our pages on social networks, can be found at: www.db-vertrieb.com/datenschutz
Specific examples are as follows:
- Registering on bahn.com
The following mandatory information is required when users create a customer account on bahn.com:
- First name and surname
- E-mail address
It is not possible to create a personal account without supplying this information. All other personal information and details pertaining to the user's travel profile are optional. We store your booking data (which includes information on whether you have a BahnCard, your registration data and - if you are a registered customer who receives our newsletter - information which you have provided on your areas of interest) in your customer account, and also use it for internal analyses and market research purposes. We do this to obtain general insights that help us to improve our content. Storing and analysing pseudonymized usage data from online activities also helps us to achieve this aim. We do not create a link between these activities and your personal data. In addition, we want to adjust our content to meet your needs and requirements in the best way possible. You can at any time opt out of the pseudonymized use of data generated when you use Deutsche Bahn's online services.
Further information can be found in the "Are cookies used?" section.
- Payment data on bahn.com
We collect payment details, such as account or credit card numbers, contact details and identification-related information, so that we can process payments relating to the purchase of tickets and BahnCards.
Each transaction made using a credit card requires the user to provide the CVV code on the back of the card as authorisation. We do not store the CVV code.
- Booking a digital ticket
When booking a digital ticket, address details as well as surname and first name are saved. During ticket inspections on trains, the information on the ticket (first name and surname) is displayed on the scanner (mobile terminal).
- Purchasing a BahnCard
Beim Erwerb einer BahnCard werden Kontakt- und Identifizierungsdaten (bspw. Geburtsdatum) erfasst. Further information on data processing in connection with the BahnCard can be found at: www.db-vertrieb.com/datenschutz
- Offers relating to similar products and services
We also use your e-mail address collected during registration or due to contractual commitments (e.g. booking a digital ticket) to inform you by e-mail about our own similar products and services. In this case, the e-mail address will be processed on the basis of our overriding legitimate interest in advertising our products and services (Article 6(1)(f) GDPR).
You can object at any time to the future use of your data for such advertising purposes. You can submit your objection via the objection link in any e-mail received for this purpose or by sending an e-mail to email@example.com (Advertising Objection).
Using the subscription portal
In order to use the subscription portal, a customer account on bahn.de and a valid subscription are required. In the subscription portal, the customer account and subscription details are linked with each other. You can unlink them at any time.
Ordering subscriptions online
Contact and payment details are collected when ordering a season ticket as a subscription. Depending on the offer, identification data such as date of birth or a photograph may also be required.
- Newsletter registration
If you sign up for one of our newsletters, the e-mail address will be collected as mandatory information.
In this case, we may use your e-mail address for advertising purposes. The legal basis for this is Article 6(1)(a) GDPR. Sie When you register for a newsletter, we store the IP address assigned by the Internet Service Provider (ISP) to your end-user device used at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to trace (possible) subsequent misuse of the e-mail address of the person concerned and it therefore serves our legal protection.
You may unsubscribe from the newsletter at any time at firstname.lastname@example.org or by clicking the relevant link at the bottom of the newsletter.
If you object to your data being used for promotional purposes, your data will only be used anonymously for statistical purposes.
- Participating in competitions
When we run competitions, we collect data for managing the process. The precise details, i.e. what data is collected and for what purpose, are available on the web page of the relevant competition.
Do you disclose data to third parties?
Contract processing generally requires the involvement of order processors who are subject to our instructions, such as e.g. computer centre operators, printing or mail-order service providers or other agents involved in contractual performance.
External service providers who process data on our behalf are carefully selected and placed under strict contractual obligations. Service providers follow our instructions and this is guaranteed by technical and organisational measures, as well as by means of supplementary checks and controls.
In addition, we only disclose your data when you have given us your express consent or where we are under a statutory obligation.
Transmission to third countries outside the EU/EEA or to an international organisation, will not take place unless we have been given reasonable guarantees. These include the EU standard contractual clauses and an adequacy decision from the EU Commission. For example, we may be required to forward data in the following circumstances for the purpose of contract processing when users book services on bahn.com:
- Travel insurance from our partner Europäische Reiseversicherung AG
- Hotel services from our hotel reservations partner HRS
- Use of DB's car hire offers from the leasing firms DB Rent, Europcar and Sixt
- Credit rating checks by Infoscore Consumer Data GmbH when registering for direct debit services
- When making use of services for travellers with reduced mobility, your data is sent to the appropriate offices of the DB Group departments involved.
- When you purchase a BahnCard on bahn.com, you enter into a contract with DB Fernverkehr AG. To complete this process, we forward the data, which you provide, to DB Fernverkehr AG. Further information is available in the relevant General Terms and Conditions. We merely handle the payment process and store the data provided for this purpose.
- In the case of payment irregularities / payment default, details of the account receivable may be sent to a debt collection agency.
- When you use the contact form on bahn.com for communicating with DB Fernverkehr or DB Regio, the details you supply are forwarded to the customer dialogue units of the relevant transport companies. bahn.com merely serves as the platform hosting these forms.
You purchase our partners' services on bahn.com directly from these partner companies. Further information on this is available under "Do you incorporate data from third parties?"
How long is your data stored?
We only store your data for as long as necessary to achieve the purpose for which it was collected (e.g. in the context of a contractual relationship) or insofar as permitted by law. Thus, in the context of a contractual relationship, we store your data until final completion of the contract. Thereafter, the data will be stored for the statutory storage period.
Your user account will be automatically deleted if left inactive for 24 months.
Are cookies used?
Generally speaking, it is possible to use bahn.com without the cookies that serve non-technical purposes. This means that you can prevent tracking via cookies in your browser (do not track, tracking protection list, etc.) or block the storage of third-party cookies. We also recommend regular checks of stored cookies that have not been expressly requested.
Please note: Deleting cookies also deletes any opt-out cookies you might have set so you will need to reactivate any opt-out function when using the relevant services.
- Cookies that are essential for using the website:
We use session cookies in the booking dialogue and the "My Bahn" service area for providing additional services (e.g. "Managing my routes"). These cookies are automatically deleted when you close your browser.
- Cookies that are not essential for using the website:
If you use the Remain-logged-in option, you will be recognised the next time you visit bahn.com and addressed by your name. You can use bahn.com faster and receive personal offers on the website.
Use of the "Remain-logged-in option" does not enable direct access to your personal customer account. In order to access personally sensitive data such as e.g. address, account or booking information or personal offers, you must always log into your customer account with your user name and password.
bahn.com will be pre-set with your user name every time you log in. Our aim is to provide a faster and more convenient log-in. We will never pre-set your password. If your end-user device is used by several people, please make sure that the Auto-fill-in option in your browser is switched off in order to avoid misuse.
If you would like to use the "Remain-logged-in option", we require your consent. This is the legal basis for data processing pursuant to Art. 6 (1) (a) GDPR.
You can give your consent to the "Remain-logged-in option" on registration and when logging in to your user account. By entering your user name and password, ticking the "Remain-logged-in" box and clicking the "Login" button, you consent to the option.
You have to give your consent for every end-user device and every browser used. Following your consent, we place two cookies on your browser. These are first-party cookies that can only be read by bahn.com. One cookie allows us to give your browser a randomly generated ID and thereby enables us to clearly recognise it and/or you as user of the browser. The other cookie indicates whether the "Remain-logged-in option" has been set in your browser. If this is the case, the randomly generated cookie ID from your browser is decoded in our systems and allocated to your customer account. This only takes place by way of encrypted connections.
Both cookies thereby enable us to recognise you on subsequent visits to bahn.com and to address you by your name. Important: Personal data is never collected by way of cookies. Furthermore, we do not use the cookies to collect usage data from your browser or link this usage data with data from other browser sessions.
The "Remain-logged-in option" cookies have a lifetime of 24 months. After every login to your user account with your user name and password, the lifetime of the cookies will be extended by a further 24 months as from this login.
You can unsubscribe from the "Remain-logged-in option" via the link "> Do not [Name][Surname]? log off". You will find the link by clicking on your name which is displayed on the website. In addition, in your customer account on the "Change login data" page, you can unsubscribe from the "Remain-logged-in option" on all browsers or end-user devices on which you gave consent, in a single step. This unsubscribe option is only displayed in the customer account, however, if consent to the "Remain-logged-in option" was given on at least one end-user device.
If you delete the cookies on your browser you will also unsubscribe from the option. If a third-party uses your end-user device (browser) and logs in to his/her bahn.com customer account, the "Remain-logged-in option" will also be deleted.
- Improving the user experience
In order to ensure continual improvement of the user experience, we collect statistics on the usage of bahn.com. For this we use the analysis tools Adobe Analytics, Optimizely, Qualtrics and m-pathy.
The following tracking measures that we use are carried out on the basis of Art. 6 (1) (f) GDPR. By using these tracking measures, we aim to ensure that our website is designed to meet the requirements and is continually being optimised. We also use tracking measures to statistically record the use of our website which we evaluate in order to optimise our content. These are legitimate interests within the meaning of the aforesaid Act.
In order to ensure the dynamic adaptability of bahn.com and to manage the dynamic content, we use the Tag Management service Tealium iQ (Mindspace, Viktualienmarkt 8, 80331 Munich).
We evaluate your data without identifying you personally. For this purpose, the IP address is anonymized.
Information about your opt-out rights as regards the third-party providers provided via Tealium iQ can be found in the relevant sections on the providers concerned (e.g. Adform, Exactag, Criteo, Google AdWords).
Our service providers are contractually obliged to handle your data in accordance with privacy requirements.
- Use of Adobe Analytics
The information generated by the cookie is transferred to and stored on an Adobe server in the USA. Prior to this, since a procedure for anonymizing your IP address is activated on this website, your IP address will be shortened. Adobe will use this information in order to evaluate for us your use of the website, to compile reports on website activities and to carry out additional services, on our behalf, relating to use of the website and the internet. This enables us to assess how often different sections and texts on our web pages are read, and whether or not our website design influences the extent of website usage. The statistics obtained enable us to improve our content and make it more interesting for you as a user.
Adobe shares this information with us exclusively as aggregate data showing general site usage. This data has no personal content and cannot be traced back to an individual.
You can opt out of the creation of pseudonymized user profiles at any time. There are several ways of doing this:
1.) One way to opt out of web analysis by Adobe Analytics is to set an opt-out cookie which tells Adobe not to store or use your data for web analysis purposes. Please note that with this option, the web analysis will only be blocked for as long as the opt-out cookie is stored by the browser. If you want to set the opt-out cookie now, please click here: www.adobe.com/en/privacy/opt-out.html
2.) You can also prevent storage of the cookies used for creating profiles by setting your browser software accordingly.
Please note: if you delete the cookies on your device, the opt-out cookie will also be deleted so you will need to reactivate your opt-out.
- Use of Optimizely
This website analyses user behaviour by means of what is called A/B testing, using the web analysis service "Optimizely". It enables us to vary the content shown on our website according to your profile.
For the purposes of this evaluation, cookies are stored on your end-user device for 24 months. The information thus generated is generally transferred to and stored on an Optimizely server in the USA.
The analysis service provider is Optimizely (631 Howard Street, Suite 100, San Francisco, CA 94105, United States). Its information about data privacy can be found at: optimizely.com/de/privacy
How to deactivate this analysis: You can deactivate Optimizely's tracking activities at any time by following the instructions at: www.optimizely.com/opt_out You can also prevent storage of the cookies by setting your browser software accordingly. However, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.
In Member States of the European Union or in other member states of the European Economic Area, the IP address is shortened beforehand. Only in exceptional cases such as e.g. server failure, can the full IP address be transmitted to an Optimizely server in the USA where it will be shortened. The IP address transmitted by Optimizely from your browser will not be combined with other Optimizely data.
- Use of Qualtrics
In order to ensure continual improvement of our content and services, we invite users of our website to take part in surveys. For these we use technology from Qualtrics LLC (333 W. River Park Drive, Provo UT 84604, USA). Data is collected anonymously.
The purpose of the cookies used by Qualtrics is to prevent users from participating multiple times within a certain period of time. The relevant cookies have a lifetime of 12 months. Participation in the surveys is voluntary.
If you no longer wish to receive invitations to take part in customer surveys by Qualtrics, please click here.
- Use of m-pathy
This website uses m-pathy, a product from m-pathy GmbH (Königsbrücker Str. 34, 01099 Dresden, Germany), to collect and store session-related and interaction-related data about visitors to our website. This information is used for improving the content and usability of the web pages. Cookies are stored for this purpose and have a lifetime of 24 months.
You can opt out of the future collection of your data, at any time, on this website: Your decision to opt out is stored in a cookie that does not identify you personally.
- Interest-based online advertising
The advertisements displayed on our website are based on interest that you have previously shown in certain products. We collect information about your surfing patterns in order to provide you with interest-based online advertising. This requires cookies with multi-digit ID numbers to be set on your computer.
If you do not want your use of our website to be analysed, you can set your browser so that it does not install an analysis cookie.
- Use of Google AdWords
By using the online advertising program Google AdWords from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter referred to as "Google"), advertisements for offers are displayed on bahn.com and sorted thematically based on the keywords used in a Google search. To do this, Google sets a cookie in the browser when a user clicks on an advertisement in the Google search network or advertising network. The legal basis for this is Art. 6 (1) (f) GDPR.
Click here to opt out of this: www.google.com/ads/preferences
Using the AdWords cookie and conversion methods, Google can assess the number of people who choose an advertised offer after clicking on a relevant AdWords advertisement. Where Google's advertisements refer to offers on bahn.com, Google provides bahn.com with statistics about the number of purchases that users make after clicking on a Google AdWords advertisement.
If you want to opt out: You can set your browser so that it blocks cookies originating from googleadservices.com or from third parties in general. You can also delete the Google conversion cookie "Conversion" in your browser's cookie settings.
- Use of Google Doubleclick
bahn.com also uses Google Remarketing based on Doubleclick from Google Inc. for placing interest-based advertising. The Doubleclick cookie uses a pseudonymous identification number to check the pages displayed and to assign advertisements. The information about displayed pages generated by this cookie is forwarded to Google's server for evaluation and storage. The legal basis for this is Art. 6 (1) (f) GDPR.
If you want to opt out: www.google.com/ads/preferences
- Use of Exactag
This website uses the analysis service from Exactag GmbH (Philosophenweg 17, 47051 Duisburg, Germany). Cookies store information about how you use bahn.com, including your IP address which is first anonymized. The cookie set by Exactag has a lifetime of 12 months.
The legal basis for this is Art. 6 (1) (f) GDPR.
If you want to opt out: Click on the following link to install Exactag's deactivation cookie in your browser: www.exactag.com/datenschutz/optout
- Use of AdForm
Cookies from AdForm A/S
(Wildersgade 10B, 1, 1408 Copenhagen K, Denmark) are used for placing interest-based advertising. These cookies create pseudonymized usage profiles containing information about different features, such as users' operating systems, browser versions, anonymized IP addresses, geographic location, number of clicks and number of views. The cookie set by AdForm has a lifetime of 12 months. The data is used for the following purposes:
- Identifying the number of visitors to bahn.com
- Identifying the sequence in which different web pages are accessed by visitors to bahn.com
- Optimising the website
The legal basis for this is Art. 6 (1) (f) GDPR.
If you want to opt out: Click on this link to set an opt-out cookie to prevent any further collection of data. site.adform.com/datenschutz-opt-out
On behalf of DB Vertrieb GmbH, Adform uses this information for more targeted, usage-based online advertising. In order to be able to use the advertising space from other websites, the cookies are synchronised with the following platforms: Google, Doubleclick, Appnexus, DataXu, Mediamath, TURN, TheTradeDesk, Active Agent, TheAdex.
- Use of Criteo
We are interested in providing you with offers which we think will correspond to your travel preferences and interests. This advertising placement is based on interest that you have previously shown in our products and offers. In order to collect information about your surfing patterns and send you interest-based online advertising, we use retargeting software from Criteo (Criteo SA, 32 Rue Blanche, 75009 Paris). This requires cookies with pseudonymized multi-digit ID numbers to be set on your end-user device. The relevant cookies have a lifetime of 12 months. No other personal data is stored.
The legal basis for this is Art. 6 (1) (f) GDPR.
You can opt out by deactivating the retargeting at the following link: www.criteo.com/privacy
- Personal offers and campaigns
Based on your previous and current use of bahn.com, we would like to show you customised content in order to make our website more interesting for you as a user. The legal basis for this data processing is Art. 6 (1) (f) GDPR.
If you are the holder of a bahn.com customer account, you can look at customised offers and campaigns if you go on to bahn.com at the same time as being logged in to your bahn.com customer account. In order to be able to design and display this content, a cookie with a lifetime of 12 months will be set when bahn.com is used. We forward the pseudonymized information generated by this cookie to our service provider CrossEngage GmbH (Gontardstr. 11, 10178 Berlin, Germany) for evaluation.
To this end, we have concluded a commissioned data processing agreement with CrossEngage.
If you do not want cookies to be used for analysing your usage patterns, you can at any time set your browser to block cookies.
What rights do users of bahn.com have?
- You can request information to find out what information is stored about you.
- You may request the correction, deletion and restriction of the processing (blocking) of your personal data as long as this is legally permissible and possible within the framework of an existing contractual relationship.
- You have the right to file complaints with the supervisory authority. The supervisory authority responsible for DB Vertrieb GmbH is: Der Hessische Datenschutzbeauftragte, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, e-mail: email@example.com
- You have the right to transferability of the data that you have submitted to us based on consent or under a contract (data transferability).
- If you have given us your consent to data processing, you can withdraw it at any time by the same means by which it was given. Withdrawal of consent does not affect the legitimacy of processing carried out on the basis of consent prior to its withdrawal.
- You can object to the data processing for reasons arising from your particular situation, if the data processing is based on our legitimate interests.
- You can opt out of advertising messages at any time with future effect (advertising opt-out).
To exercise your rights, simply write to us at the following address:
DB Vertrieb GmbH
or send an e-mail to firstname.lastname@example.org
Do you incorporate information from third parties?
We incorporate data from third parties into our website in order to provide you with offers along the entire length of the mobility chain (partner offers). This requires you to submit your information directly on the relevant third parties' websites. These are integrated into bahn.com and have been modified to suit our website's visuals. Third-party content always features its own site notice and data privacy information.
We incorporate content from the following partners:
- AMEROPA -> rail holidays and city breaks
- FlyLoco -> city breaks by air
- Weg.de -> all-inclusive flights and last-minute journeys
- HRS -> hotel provider
- Eventim -> tickets for concerts and other events
- ERV -> travel insurance
- Avis -> car hire
- Europcar -> car hire
- Sixt -> car hire
- Ypsilon.Net -> car hire price comparison
- Auto Europe -> car hire broker in Ypsilon.Net care hire price comparison
What happens with links to external websites?
When you click on a link to an external website, you leave the bahn.com website. As a result, DB Vertrieb GmbH is not responsible for the content, services or products available on this linked website. Similarly, DB Vertrieb GmbH is not responsible for data privacy or technical safety on the linked website.ple, we may be required to forward data in the following circumstances relating to contractual obligations when users book services on bahn.com:
How up-to-date is this data privacy information?
We update our Privacy Notice to bring it into line with new functionalities or legal requirements. We therefore recommend that you regularly check the Privacy Notice. Where your consent is required, or components of the Privacy Notice involve provisions contained in our contract with you, changes shall only take place with your consent.
Last amended: September 2018
Changes to the version dated May 2018:
- Adaptation of the text under "What data do we collect and how and why do we process your data?
- Added information about the subscription portal and ordering online subscriptions.
- Added more information to the paragraph on AdForm.
Changes to the version dated August 2017:
- Adaptation to the requirements of the EU General Data Protection Regulation
Changes to the version dated June 2017:
- Section name changed from "Website analytics" to "Interest- and usage-based website analyses"
- Inclusion of CrossEngage as partner for interest-based and usage-based website analysis
- Removal of section regarding on-site bannering using performance media
- Removal of Clicktale as partner for UX analyses
- Inclusion of m-pathy as partner for UX analyses
Changes to the version dated February 2017:
- Inclusion of Performance Media as partner with technology from ADITION technologies AG for on-site bannering
Changes to the version dated October 2016:
- Removal of Xplosion as partner for retargeting technology
- Supplementary provisions regarding anonymized statistical evaluations