Privacy policy of the Hafas Fleet App for rail replacement transport contractors

Österreichische Postbus Aktiengesellschaft, FN 195030i, Am Hauptbahnhof 2, 1100 Vienna, telephone +43 (0)5 1717

Österreichische Postbus Aktiengesellschaft

Am Hauptbahnhof 2

1100 Vienna

E-mail: postbus.datenschutz@postbus.at

The use of the Hafas Fleet App by rail replacement transport contractors enables actual data to be determined on the basis of geo-coordinates and entry and exit reports. In addition, the position of the vehicles involved in the rail replacement service (hereinafter “RRS”) is transmitted electronically and used for the following purposes:

1. Real-time calculation of RRS journeys

2. Operational control based on the actual situation of RRS operations (e.g. scheduling of RRS operations)

3. Delivery of actual information to the timetable information systems and to RRS clients

4. Anonymous analysis and reporting for quality management purposes

5. Exchange of information between RRS drivers and dispatchers for operational control (e.g. notification that a stop is to be approached differently)

6. Signalling a callback request to the app user (currently inactive)

The first time you open the application on your device, the Android permissions “Location”, “Phone” and “Notifications” must be checked. The app cannot be used without these permissions. This does not constitute consent within the meaning of Art. 7 GDPR.

Article 6 Para 1 lit. f GDPR, legitimate interests of the controller, which consists in the fulfilment of the contract with the RRS contractor

This data will not be used for any automated decision making, including profiling.

• Company registration number (vehicle ID)
• Geocoordinates of the device while the app is running
• Completed trip, including trip registration and deregistration
• Rerouting and other disruptions
• Text communication and instructions from the RRS coordinator to the user

Client of those responsible for bus transport services

The competent courts and administrative authorities for the defence of legal claims, as applicable in individual cases

The controller has no intention of transferring the data in question to a third country or to an international organisation.

Personal data collected for this purpose will be stored for the following period and then automatically deleted, unless there is a special reason for storage in individual cases (e.g. ongoing civil court proceedings) that justifies or requires a longer storage period:

• GPS coordinates: 180 days (after 30 days of GPS track point thinning - “optimised” tracks)
• Text messages: 365 days
• Error messages: 365 days
• Journeys: 1096 days
• Statistics: 30 days
• Manual exports: 365 days.

As a data subject, you are entitled to exercise the following data subject rights against Österreichische Postbus Aktiengesellschaft:

(1) Right to information (Article 15 GDPR)

(2) Right to rectification and deletion (Article 16 GDPR)

(3) Right to deletion (Article 17 GDPR)

(4) Right to restriction (Article 18 GDPR)

(5) Right to data portability (Article 20 GDPR)

(6) Right to objection (Article 21 GDPR)

If you wish to assert a data subject right, please contact us. To do so, the following contact options are available to you:

postbus.datenschutz@postbus.at

In the event of alleged breaches of obligations under the GDPR, you are also entitled to lodge a complaint with the data protection authority in accordance with Sections 24 et seq. of the DSG [Data Protection Act] and Article 77 et seq. of the GDPR.

Contact: Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, Telephone: +43 1 52 152-0, e-mail: dsb@dsb.gv.at and www.dsb.gv.at

The provision of personal data is contractually required. Without this provision, the contract between the controller and the contractor cannot be fulfilled and the app cannot be used properly.