Privacy policy Postbus Shuttle

"Postbus Shuttle", is a business unit of Österreichische Postbus Aktiengesellschaft. "Postbus Shuttle" offers you a flexible mobility service that will take you to your destination comfortably and easily - and at a reasonable price. Österreichische Postbus Aktiengesellschaft is a company of ÖBB.

Customer satisfaction is our top priority. The protection of your data is therefore particularly important to us. We would like to thank you for the trust you have placed in us by giving us your data for processing. As a sign that we respect your rights as well as your privacy, we have formulated our principles that apply to us when processing your data:

• We attach great importance to transparency when processing your data. Therefore we have paid special attention to our privacy policy in order to provide you with the necessary information on how we handle your data.

• It is important to us that you know for what purposes we use your data and when we store it. We inform you in our privacy policy how and to what extent we process your data.

• We process your data only to the extent necessary and use them exclusively for lawful and justified purposes.

• In certain cases we will ask you whether you consent to the use of your data. In these cases, you yourself decide how and when we use your data. For example, we will never send you unsolicited electronic advertising.

• It is our aim to continuously improve. Contact us if you have any concerns.

• We live our principles, especially in the area of data protection. Please read the next sections of this privacy policy to find out how we process your data as part of our various data applications.

The privacy policy applies to all those who book and/or use a service with the "Postbus Shuttle", make a travel request or contact us.

We are constantly developing our performance, services and support. For this reason, we will also continually adapt the data protection declaration. However, we will ensure that the latest version is always available for you.

Österreichische Postbus Aktiengesellschaft, FN 250198p, Am Hauptbahnhof 2, 1100 Vienna, Telephone +43 5 1717 is the data protection officer in the sense of Article 4 paragraph 7 DSGVO. The DSGVO defines a data controller as a natural or legal person, authority, institution or other body which alone or jointly with others decides on the purposes and means of processing personal data.

By personal data we mean any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"). An identifiable person is a natural person who can be identified, directly or indirectly, in particular by means of association with an identifier such as a name, an identification number, location data, an online identifier or one or more other special features in a specific individual case (e.g. voice), as precisely this natural person. This therefore includes in any case those data which can be assigned to you as a customer. For example, your name, e-mail address, telephone number, booking code, ticket code or customer number are personal data.

The legal basis for data processing in accordance with Article 6 DSGVO is either the fulfilment of a contract, the fulfilment of a legal obligation, your prior consent or our overriding legitimate interests, which may also include processing for a further purpose.

Data that can be assigned to your person can be derived from the following occasions, purposes and sources:

• If you book and / or use a trip of Österreichische Postbus Aktiengesellschaft for the "Postbus Shuttle", make a travel request and give us feedback.

• If you create a Postbus Shuttle account in our app (this is mandatory for our service.

• If you use the shuttle interface.

• In the event of an emergency, if it should be necessary to contact you (e.g. extensive failure of buses).

• If you wish to receive advertising (for example newsletters, product and offer information, etc.) or other information from us or wish to participate in our other activities and campaigns (for example in competitions, customer surveys, promotions or discounts, etc.)

• If you contact the Postbus Shuttle customer service with questions, requests, suggestions, complaints, criticism or other information (e.g. malfunctions)

• If you are asserting your rights as a passenger, if you are claiming a fare supplement or if you have submitted an application for reimbursement / compensation.

• For statistical research to improve our services or systems, but the results of this research will not in any way identify you personally

• In the course of the company's internal risk analysis.

In accordance with the provisions of articles 12ff DSGVO, we would like to inform you about the following topics: Österreichische Postbus Aktiengesellschaft FN 250198p, Am Hauptbahnhof 2, 1100 Vienna, Telephone +43 5 1717 is the data protection officer in the sense of Article 4 clause 7 DSGVO. If you have any questions regarding data protection or the use of your personal data, please contact our data protection officer.

Contact details for data protection officers:
Am Hautbahnhof 2, 1100 Vienna
E-Mail: datenschutz.postbus@pv.oebb.at

In the following cases and for the following purposes, personal data will be collected by ourselves in accordance with Article 13 DSGVO:

If you

• book a trip online or by phone

• create a Postbus Shuttle account

• request a journey

• Use the Shuttle Interface

• submit an application for reimbursement and compensation;

• make use of the ÖBB Customer Service or Customer Office for other services or inquiries;

• be contacted by us (e.g. change of the driving conditions)

• give us a feedback after the ride

• take part in competitions, other campaigns, direct advertising measures or customer surveys, provided you have given your prior consent

Our service is also offered through selected cooperation partners. In this case, data collection is carried out by the cooperation partner pursuant to Article 14 GDPR. We currently use ÖBB-Personenverkehr AG as a cooperation partner. When booking a ticket for a specific train journey (i.e. booking a ticket to your destination and back), you will automatically be offered the ÖBB Transfer Service if this service is available at your destination. The transfer service is provided by Österreichische Postbus Aktiengesellschaft or by third parties commissioned by us. Another cooperation partner is iMobility GmbH, which facilitates the booking of Postbus Shuttle trips via Wegfinder. In the context of these cooperations, ÖBB-Personenverkehr AG (PV AG) and iMobility (iMob) provide the following data:

• Name of the person making the booking (PV AG, iMob)

• Booking number of the order (PV AG, iMob)

• Pick-up location and pick-up time, arrival location and arrival time (coordinates and desired time of the trip) (PV AG, iMob)

• Train number for the train on which the passengers are arriving/to which the passengers are to be taken

• Number of passengers (PV AG, iMob)
• incl. date of birth for registered customers (PV AG)
• incl. notional date of birth for seniors and children (PV AG)
• incl. discount card (for price calculation) (PV AG)
• Wheelchair (to determine if the transfer service allows for the transport of a wheelchair) (PV AG)
• Dog (to determine if the transfer service allows for the transport of a dog) (PV AG)
• Bicycle (to determine if the transfer service allows for the transport of a bicycle) (PV AG)

If we do not provide the service ourselves, we use third parties (for example local taxi companies at the destination) to provide the service, to whom the following data may be disclosed where necessary.

• Name of the person making the booking
• Train number for the train on which the passengers are arriving/to which the passengers are to be taken
• Number of persons
• Fare incl. information “Paid”, as it was booked via the ticket shop
• Booking reference
• Pick-up location (name of the station or hotel, address and position on map)
• Pick-up time
• Arrival point (name of the station or hotel, address and position on map)
• Arrival time

oth ÖBB-Personenverkehr AG (as far as the train service is concerned) and Österreichische Postbus Aktiengesellschaft as well as the third party commissioned by us (as far as the transfer service is concerned) carry out this service under their own data protection responsibility. As a consequence, you must exercise your data protection rights (e.g. a request for information under data protection law) against Österreichische Postbus Aktiengesellschaft, ÖBB-Personenverkehr AG and the third parties commissioned by us separately.

In case of complaints and other inquiries, we will, if you wish, also forward them to ÖBBPersonenverkehr AG or to the commissioned third party.

The data processed for these purposes will be disclosed to the following categories of recipients in case of necessity and depending on the purpose of the processing:

To

• the regulatory authorities in the event of a conciliation procedure (for the purposes of compliance with railway law provisions and authorisations, Article 6(1)(c) DSGVO).

• the appointed legal representative in the event of civil law disputes (on the basis of our legitimate interests, which consist in the defence of legal claims, article 6 paragraph 1 letter f DSGVO).

• the administrative authority responsible in the individual case in terms of subject matter and location (in particular also tax authorities, driving licence authorities, Rundfunk und Telekom Regulierungs-GmbH or trade licensing authorities) for the purposes of compliance with statutory provisions and authorisations, Article 6 (1) c DSGVO.

• the court or other authority with jurisdiction in the individual case (on the basis of our legitimate interests in defending legal claims, Article 6 para. 1 lit. f DSGVO).

• the debt collection company commissioned by the responsible party to collect outstanding debts on the basis of our legitimate interests, which consist in the defence of legal claims (Article 6 Paragraph 1 letter f DSGVO).

• the chartered accountant for the purpose of auditing (for the purposes of compliance with statutory provisions, in particular the applicable provisions of stock corporation law, Article 6 (1) (c) DSGVO).

• to our commissioned order processors, if they process personal data on our behalf. (Based on our legitimate interests, in particular to improve, simplify and maintain our database systems, Article 6 Paragraph 1 lit. f DSGVO).

Our data processing therefore takes place in particular on the basis of the following summarised legal framework (as amended):

• Regulation EU 2016/679 on the protection of individuals with regard to the processing of personal data, on the free movement of such data (Basic Data Protection Regulation (DSGVO), in particular Article 6 para. 1 lit. a (consent), lit. b. (execution of contract), lit. c DSGVO (legal entitlement or obligation), lit. f (legitimate interests) as well as para. 4 (processing for further purposes);

• Ordinance of the Federal Minister of Public Economy and Transport on access to the passenger transport industry operated by motor vehicles (Berufszugangsverordnung Kraftfahrlinien- und Gelegenheitsverkehr - BZP-VO), Federal Law Gazette No. 889/1994 as amended

• Ordinance on the General Terms and Conditions of Carriage for Regular Motor Service (BGBl. II No. 47/2001) as amended;

• Regulation No 181/2011 of the European Parliament and of the Council of 16 February 2011 concerning the rights of passengers in bus and coach transport and amending Regulation (EC) No 2006/2004

• Industrial Code 1994;

• In the case of a criminal proceeding 1975;

• Introductory Act to the Administrative Procedure Acts 2008;

• Administrative penal code 1991;

• General Administrative Procedure Act 1991;

• General Civil Code for the entire German hereditary lands of the Austrian Monarchy;

• Telecommunications Act 2003;

• EU Directive on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010 and repealing Directive 2007/64/EC (PSD2);

• Federal law on general provisions and the procedure for the levies administered by the tax authorities of the Federation, the Länder and the municipalities (Bundesabgabenordnung, BAO)

• Federal law on special civil law provisions for companies (Corporate Code, UGB);

• Federal Act on Distance Selling and Contracts concluded away from business premises (FAGG) BGBl. I No. 33/2014 as amended by BGBl. I No. 83/2015 as amended;

• Federal Act of 8 March 1979 laying down provisions for the protection of consumers (Consumer Protection Act - KSchG), BGBl. No 140/1979 as amended;

• General Terms and Conditions (AGB) and Special Conditions of Carriage (BBB) of the responsible parties and their cooperation partners.

We do not intend to transfer personal data to a third country or to an international organization.

Duration of storage: In general, personal data is only stored by us to the extent absolutely necessary and is generally deleted after the statutory period of limitation under civil law of three years (e.g. customer correspondence) or, in the case of invoice-relevant data, after seven, maximum 10 years (e.g. booked tickets, annual tickets) in accordance with § 212 UGB or §§ 132f in conjunction with §§ 207ff BAO. A longer period of storage will only take place in justified individual cases, e.g. for the reason of a still ongoing civil court or official dispute.

In detail we would like to highlight the following different topics:

• If the data is billing-relevant data due to other ticket purchases, applications for reimbursement, additional fare claims, this data is stored for ten years.

• Otherwise, we will keep the data that can be assigned to you for a period of three years, such as customer correspondence, use of other services, or mere participation in competitions, campaigns or customer surveys.

• Revocation of a declaration of consent or assertion of an objection to direct marketing in accordance with Article 21f DSGVO (black list): This information cannot be deleted, particularly as we keep it as a negative list and thus ensure that you do not receive any promotional offers from us at the moment.

• In case of cancellation of your registration, your access data, password, e-mail address and telephone number will be deactivated. Your message will be deleted at the latest 3 years after deactivation.

Your rights

1. You, as the person concerned in the individual case, are entitled to assert the following rights of data subjects against us if we are the data controller

• Right to information (Article 15 DSGVO): You have the right to request information about what personal data about you is collected and held by us.

• Right of rectification and deletion (Article 16 DSGVO): You have the right to rectify any incorrect data concerning your person (e.g. typing errors).

• Right of deletion (Article 17 DSGVO): You have the right to have personal data deleted if such deletion is covered by the cases of application provided for in Article 17 DSGVO, for example if we would process data unlawfully.

• Right to limitation (Article 18 DPA): The data subject has the right to request the controller to limit the processing of personal data relating to him/her, provided that the conditions laid down in Article 18 DPA are met.

• Right to data portability (Article 20 DPA): You have the right of the data subject to receive the data he or she has provided in an interoperable format.

• Right of objection (Article 21 DPA): You have the right of the data subject to object to data processing, provided that the conditions of Article 21 DPA are met.

If you would like to assert a right of data subject, please contact us. The following contact options are available to you:

Österreichische Postbus Aktiengesellschaft
Am Hauptbahnhof 2
1100 Vienna
e-mail: datenschutz.postbus@pv.oebb.at

Please include the following information with your application:

• A copy/scan of an official photo ID with your date of birth (e.g. identity card, driving licence or passport) and
• E-mail address stored for the Postbus Shuttle account.

This is because we have to verify your identity before we can respond to your request or take the necessary steps. The purpose of this identity check is to enable us to establish your actual status as a data subject, in order to ensure that personal data is not disclosed to unauthorised third parties (risk of misuse). As soon as we receive your request and you have proven your identity to us, we will respond to your request within four weeks. In the event that we have specific questions in the course of answering, we will contact you and ask for your cooperation and assistance.

2. In addition, you have the right to lodge a complaint with the data protection authority in accordance with §§ 24ff DSG and Articles 77ff DSGVO if you believe that we are in breach of our obligations under the Basic Data Protection Regulation.

contact details:

Austrian data protection authority,
1030 Vienna, Barichgasse 40-422
Phone +43 1 521 52-25 69
e-mail: dsb@dsb.gv.at
www.dsb.gv.at

3. revocation of a granted consent

If you have given us your consent to process your data for a specific purpose, you have the right to revoke your consent at any time without giving reasons.

• We save the itinerary of your ticket purchase or booking so that you can always know and follow the exact course of your journey. This information also serves as booking confirmation.

• Mere travel requests that did not result in a ticket purchase are stored to improve our services.

• It is our endeavour to inform you at any time in the best possible way so that you can react in time to changes in travel data.

• You will always find the offer with the best price as the first offer.

• The booking of a trip can be done electronically via the app or by phone via the customer office.

• You can also book our service with our partners (e.g. hotels, doctors or local authorities), who have a so-called shuttle interface. In this case the booking is made on site by the staff of our partners.

When designing our service, we have taken care to ensure that data is only collected and processed to the extent absolutely necessary.

Essential in this context are the following when using our app

• First name or user name and optionally the surname

• Customer and User ID

• Contact details (e-mail address, telephone number)

• Password

• Issued approvals of the general terms and conditions,

• Ticket information, information about the booked trip including information about the travellers,

• Device information as well as IP address (for registration and deregistration as well as modification of the data provided)

• Favorites,

• method of payment

• Real-time information before, during and after the journey (in particular, changes in departure and arrival times, total cancellation, boarding and disembarkation information),

• Location information for the purpose of ticket booking or connection query, if the functionality has been agreed to

• Start address, destination address, entry stop, exit stop

• Logging data

The use of our app requires that you create a Postbus Shuttle account. It is therefore not possible to make bookings or travel enquiries without first creating a Postbus Shuttle account. To create a Postbus Shuttle account, we need at least the following information about you:

• First name or user name and optionally surname

• Email address

• Agreement incl. time stamp to the AGBs

• Telephone number to receive an unlock code and other notifications (e.g. cancellation of the trip)

• Freely selectable password

During the registration process, you will receive an activation code via SMS to the phone number you entered. After entering the unlock code and confirming it, your account is activated. After successful registration, you will receive a confirmation to the e-mail address you entered and contact details of the Postbus Shuttle. When you open the app in the future, you are automatically logged in with your account.

You have the possibility to log out of your account in the app. To do so, select the option "Log out" in your profile.

If you wish to delete your account/registration, please write to postbus.shuttle@postbus.at. Your registration will be cancelled and your access data, password, e-mail address and telephone number will be deactivated.

To book a ride on the Postbus Shuttle by telephone (where available), use the telephone number(s) provided on our website (https://www.postbus.at/de/unsere-leistungen/postbus-shuttle) to be connected to the appropriate customer centre. If you are not yet a customer of Postbus Shuttle, you will need to give your name to the customer centre and, if desired, your telephone number and e-mail address.

To make a booking, you must inform the Customer Centre of the start and destination address as well as the time and date of your desired journey. The customer centre uses this data to check whether a corresponding journey is available and, if necessary, books it for you.

To cancel a trip that has already been booked, you must contact the Customer Centre and inform them of the cancellation. The trip is then deleted.

If changes occur during a journey, e.g. delays, you will be automatically informed in the app. We plan to send an SMS with the relevant information to your mobile phone number when you make a booking by phone, if you have announced this.

We are planning the possibility that you can voluntarily rate the ride in the app. This feedback will be saved without personal reference. If you would like to give us detailed feedback, you are welcome to send us an e-mail to postbus.shuttle@postbus.at.

You have the possibility to book the trip through one of our partners. Partners are e.g. doctors, hotels, municipal offices and others. The booking through our partners can be made on site or by phone at the partners.

The following data is collected in this context by us or our partner:

• First name and surname or name of our partner;

• Details of the data subject using the Shuttle Interface;

• Contact details (address, e-mail address, fax number, telephone number of our partner);;

• Traveler information (name, number of travelers, price, payment method cash, phone number optional, e-mail address optional);

• Information about the trip (start address, destination address, entry stop, exit stop, date and time of the trip, booking date).

The Partner is not entitled to use the data entered for the customer in the context of the booking for other purposes.

By payment information we mean the information we need to process the payment. As a general rule, we do not store any payment information such as credit or debit card numbers, expiration date, the Card Validation Code (CVC) or user account and password data. We ourselves store payment information only to a limited extent, namely

• if a cancellation cannot be carried out automatically by us, but we have to transfer the cancellation amount subsequently (in this case we store the name of the applicant, IBAN, BIC, name of the bank and the address (postcode, city, country, street and house number);

• in case of a concrete booking, we store the type of payment method or the card type (VISA, MasterCard, etc.) and the last 4 digits

In all other cases, payment information (e.g. expiry date or the Card Validation Code (CVC)) is processed and used by an audited and certified payment service provider (Terminal Service Provider and Payment Service Provider).

To process the payment transaction, we use audited and PCI-certified payment service providers who process and use the payment information (e.g. CVC code or expiry date) for the booking process. The data processing is only carried out for the purpose of payment processing within the framework of the ticket booking. These payment service providers generally operate independently and therefore process your data on the basis of their own data protection responsibility.

In order to authorise a payment unambiguously, the payment service provider necessarily requests various information from us, such as identification data of the type of browser and operating system used, which we store and forward to the payment service provider for payment processing.

Further information related to this is also provided to you by the payment service provider itself.

For the purposes of payment risk management, additional personal data may be transferred to the payment service provider to the extent absolutely necessary in the course of the purchase transaction in order to carry out a risk assessment. Payment-relevant data may also be used for anonymous evaluations.

By information security we understand:

• onfidentiality of data,
• Data integrity and
• Data availability

In order to guarantee information security, we have established organisational framework conditions and protective measures that correspond to the state of the art.

These include:

• Load distribution,
• Firewalls,
• Encryption,
• Security checks,
• System checks and
• continuous monitoring.

Our employees are only granted role-specific access authorizations to the extent absolutely necessary. The use of these access authorizations is logged.

The APP is distributed through the Apple App Store and the Google Play Store (hereinafter "Store"). Therefore, the inclusion, distribution and use of the APP is subject to the separate terms and conditions of those two stores, over which we have no control and which are created and enforced under the sole responsibility of the stores.

We use personal data to send you information, offers and recommendations, either from us or from our cooperation partners. However, this is only done if you give us your prior consent to contact you by e-mail, telephone, SMS or other channels (e.g. Postbus Shuttle account, by post) in order to inform you in good time about interesting offers, new developments and services. Depending on the content of the consent granted by you, we will send you offers and other information about the Postbus Shuttle (e.g. about general services, competitions and customer surveys and about the ÖBB Group, i.e. also about other companies affiliated with the Group (e.g. information about travel offers of Rail Tours Touristik GmbH or car sharing offers of Rail Equipment GmbH or ÖBB-Personenverkehr AG) or our other cooperation partners. You may revoke your consent at any time without stating reasons. In this case, we will not send you any offers and information by e-mail or SMS, display them in your ÖBB account or contact you by phone for this purpose.

• You can unsubscribe from the newsletter with every booking by setting your consent to No.

• If you subscribe to a newsletter, please click on the unsubscribe link, then we will no longer send you electronic mail. It can take up to 24 hours until the activation of a cancellation in the systems is completed.

In all other cases, please contact our ÖBB customer service using the following e-mail address: datenschutz.postbus@pv.oebb.at

In order to improve our products and services and adapt them to customer requirements, we conduct surveys with different target groups. We commission market research companies or conduct the surveys ourselves. The selection of the persons to be interviewed can either be purely random or based on social-statistical or usage-specific factors. The contact to the participating persons is either established via the respondent pools of the market research companies - this is done without our intervention and under the sole responsibility of the partner companies. Alternatively, we generally invite interested persons to participate in the survey without individual addressing.

The establishment of a personal reference is not intended in any of the surveys. All surveys are completely anonymous. This is also the case if we contact you directly as a customer or if you have given your consent to participate in a survey in advance.

We only receive or prepare an overall evaluation of the data, in which no individual interviews or persons are identified.

When we address our customers directly, we only contact those persons who have given us their consent to do so.

If, in certain cases, we conduct the survey in cooperation with a market research company, we will conclude a separate confidentiality agreement with this company in advance of a customer survey, which regulates the secure handling of your data on a case-by-case basis. In particular, this agreement ensures that they will not pass on your data to other market research institutes and other third parties for surveys for their own purposes.

In any case, you are not obliged to participate in one of our customer surveys.

Cookies are small text files or codes that contain information units. These text files are stored on your hard disk or in the memory of your browser when you visit one of our websites. Thanks to cookies, the content of our web pages can be structured more easily and those devices can be recognised via which our web pages were previously visited. We use cookies to gain a better understanding of how applications and websites work and to analyse and optimise the user experience when using our websites online and on the move.

We do not use cookies for our app, for our shuttle interface a cookie necessary for operation is used. This is necessary to ensure that the Shuttle Interface can be used as intended and all functions are available. Without this cookie the requested services cannot be provided. This cookie does not collect any information about you and does not store any Internet locations. Unconditionally required cookies cannot be deactivated via our site. However, they can be deactivated at any time via the browser you are using. Beyond this operationally necessary cookie, no further cookies are used.

Contract processors within the meaning of the DSGVO are natural and legal persons who are commissioned by us to provide a specific service.

For example, we currently use service providers for the following activities, among others:

• for the maintenance of our databases and our applications,

• to conduct online surveys and

• to check the quality of our services

• customer service delivery

We use contract processors only for data processing that we have lawfully carried out. We always satisfy ourselves in advance that the individual processor is suitable for the provision of services, in particular that it offers sufficient guarantee for the lawful and secure use of data.

Order processors only receive personal data from us to the extent absolutely necessary. Our processors have contractually committed themselves to keep personal data

• to be used exclusively for the purpose of the order,

• after the respective purpose of the order has ceased to apply,

• not to pass on to third parties, and

• not to be used for own purposes.

Before using a processor, we shall conclude a written agreement with the processor, in which in particular the processor and his employees are subject to special obligations and are again separately bound to confidentiality. We impose certain data security measures on the processor to ensure that customer data and data processing are adequately protected.

We have informed you comprehensively about the purposes of our data processing, categories of data recipients, the legal basis and legal framework, the storage period as well as the rights you are entitled to and the scope of data processing. In all data processing, we have taken care to ensure that the collection and processing of data is limited to the extent absolutely necessary. Therefore, if we ask you to disclose your data, this is necessary in order to

• you can book and carry out your trip with the Postbus Shuttle online (via the APP), by telephone or via the Shuttle Interface

• you can give us feedback after the ride (planned feature),

• we can contact you in the event of a default or any outstanding debt,

• we can include you - provided you have given your consent in advance - in our direct advertising measures or involve you in a customer survey,

• we can answer your complaint / inquiry or

• you can assert your rights as a passenger or under the DSGVO

If you do not or not fully comply with our request for data disclosure, it is not ensured that we will be able to comply with or process your aforementioned purchase request or other request(s).