Privacy statement for int.bahn.de
It is generally possible to use our website without providing personal data. We may need to process your personal data, however, if you wish to make use of special services we offer via our website or if you are booking a trip via our website. If it is necessary to process personal data and there is no statutory basis for such processing (e.g. a contractual agreement), we will ask for your consent.
When you use the app, DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG process your data as joint controllers.
If you have any questions or suggestions regarding this privacy statement, simply contact one of the DB companies.
DB Vertrieb GmbH
Europa-Allee 70-76
60486 Frankfurt
Germany
E-Mail: p.d-datenschutz@deutschebahn.com
DB Fernverkehr AG
Europa-Allee 78-84
60486 Frankfurt
Germany
E-Mail: fv‐datenschutz@deutschebahn.com
DB Regio AG
Europa-Allee 70-76
60486 Frankfurt
Germany
E-Mail: datenschutz.regio@deutschebahn.com
Dr Marein Müller is the designated privacy officer for all three companies.
The companies listed above are jointly responsible for various data processing operations in connection with a ticket purchase or other services that we make available on int.bahn.de. They have formally agreed which of them performs a given task as part of this joint processing, what the purpose of this processing is, how it is organised and who complies with the obligations arising from GDPR, in particular with information-related obligations. The key features of this agreement are described below.
DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG are joint controllers for the following purposes:
- Use of websites and apps for the sale of products and services, and the provision of information for marketing communications
- Processes on the train (e.g. ticket sales and inspection, penalty fares)
- Processing and paying ex-gratia settlement and compensation (e.g. due to disruptions and unforeseen events)
- Implementation of data subject rights, complaint management, service concerns and customer dialogue
We collect and process your data exclusively for specific purposes. These purposes may result from technical requirements, contractual obligations or express wishes of the user.
For technical reasons, certain data must be collected and saved when you visit int.bahn.de. This includes, for example, the date and duration of your visit, the web pages used, the identification data of your browser and type of operating system used as well as information on the website via which you were routed to our site.
In order to comply with a contract, we require certain personal data from you. This data is required for booking tickets, processing payments, checking credit ratings, and for dealing with any cancellations and refunds if necessary.
In this case, the contract pursuant to Article 6(1)(b)) GDPR is the legal basis for the processing of your personal data. Article 6(1)(b) GDPR shall also apply to processing that is required in order to take steps prior to entering in to the contract, e.g. in cases of inquiries regarding our products or services.
Insofar as we obtain your consent for the processing of personal data (e.g. if you subscribe to our newsletter) this consent shall serve as the legal basis according to Art. 6 (1) (a) GDPR.
If we are subject to a legal obligation that requires us to process personal data, e.g. to fulfil tax obligations, this processing shall be based on Art. 6 (1) (c) GDPR.
We would like to use your previous and current usage patterns of int.bahn.de to provide you with customised content that will make our offers more interesting to you as a user. To do so, we store and analyse pseudonymised usage data from online activities. We can then offer you special advantages such as ticket price reductions and free seat reservations the next time you book a ticket. The legal basis for this is Art. 6 (1) (f) GDPR.
We also do this in order to maintain relations with you as a customer, and to provide you with information and offers that we think will correspond to your travel preferences and interests. We therefore process your data on the basis of Art. 6 (1) (f) GDPR (including with the help of service providers) in order to send you information and offers. We use your contact data (name, address and e-mail address which we have received as a result of our business relationship with you) for advertising by post and for similar goods or services by e-mail, in particular for market research, unless you object to such use.
You can object at any time to the future use of your data for such advertising purposes. You can send your objection by e-mail to p.d-datenschutz@deutschebahn.com (Keyword: Advertising contradiction / Werbewiderspruch).
In the following, you will find a more detailed description of the data processing that can take place when booking a ticket on int.bahn.de. Information on further data processing, for example when you visit our pages on social networks, can be found at: https://www.db-vertrieb.com/datenschutz (in German)
List of specific examples:
Customer account
To create a customer account for booking tickets on int.bahn.de, we collect the following mandatory information during the registration process:
- E-mail address (used in combination with the password for login)
- Password (assigned by yourself)
It is not possible to create a personal customer account without providing this information. All other personal information and details pertaining to the user's travel profile are optional. We store your booking data, which includes your login data and information on whether you have a BahnCard, in your customer account.
Booking a digital ticket
When booking digital tickets, we process the first name, last name and e-mail address. The date of birth may also be required when booking international tickets and some regional offers. During ticket inspections on trains, the information on the ticket (first name and last name) is displayed on the scanner (mobile terminal).
Payment details
To process your payments, the necessary payment details (amount, booking reference, booking description, payer) are forwarded to the relevant payment service providers.
- When paying with PayPal, this is:
PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. You can find out how PayPal processes your data in PayPal's privacy statement. - When paying with Apple Pay (only on IOS devices), this is:
Apple Distribution International (Apple), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. You can find out how Apple processes your data for Apple Pay in the "Wallet & Apple Pay" privacy statement on your device or at Apple. - When paying by credit card, this is:
PAYONE GmbH, Lyoner Strasse 9, 60528 Frankfurt, Germany. You can find out how PAYONE processes your data, in PAYONE’s privacy statement. The payment service provider records the credit card data for the payment or deposit in the customer's own account. It also performs any security measures such as 3D-Secure and strong customer authentication. We do not receive access to your full credit card data. Instead, we merely save a reference in the form of an abbreviated credit card number so that you can identify it.. - Registration for payment by SEPA direct debit:
When you register to use the SEPA direct debit process, you provide us with a SEPA mandate that we can use to deduct payments from your bank account by means of a SEPA direct debit when you choose this method of payment. - Online activation of the SEPA direct debit scheme:
To ensure secure payment with the SEPA direct debit scheme, we provide methods for online verification of account access via OpenBanking through Tink Germany GmbH (Gottfried-Keller-Strasse 33, 81245 Munich) or Verimi GmbH (Oranienstrasse 91, 10969 Berlin), or for online identity verification through Verimi GmbH. Depending on which verification method you choose, your personal data (the bank details, name and e-mail address provided) will be transmitted to the service provider under your direction. You will be guided through the selected function and informed about each individual step of the data processing in the automatically opening dialogue of the service provider. Once you have successfully completed the check, you can pay by direct debit. Both service providers are independently active as controllers. Verimi GmbH will offer you the use of your Verimi customer account, if you have one, or let you create a new customer account that will later also assist you with other identity verification procedures. Tink Germany GmbH and Verimi GmbH are authorised account information services that also work for banks and only process your data for the few minutes it takes to perform the account access check.
Further information is also available in the privacy statement in the dialogue window of the respective provider.
To prevent cases of fraud, a data processor is used to process your device or browser fingerprint along with your payment-related data. This serves to protect you and us by preventing the misuse of your financial details when making payments via int.bahn.de. The legal basis for this is Article 6 (1) (f) GDPR.
Komfort Check-in service
Komfort Check-in gives you an option for automatically validating your mobile phone ticket on certain DB long-distance trains. If you use this service, we process the relevant mobile phone ticket's data, including its identification details and possible discounts, to identify and validate the ticket. Our system uses the following data for this:
- Ticket ID/order number
- First name and last name of the passenger(s)
- BahnCard number
- Name of the BahnCard holder
Buying BahnCards
We collect contact details and identification information (e.g. date of birth) when users buy a BahnCard. Further information on data processing in connection with the BahnCard can be found at: www.db-vertrieb.com/datenschutz/datenschutz-bahncard
Offers relating to similar products or services
We also use your e-mail address collected during registration or due to contractual commitments (e.g. booking a digital ticket) to inform you by e-mail about our own similar products or services. In this case, the e-mail address will be processed on the basis of our overriding legitimate interest in advertising our products and services (Article 6(1)(f) GDPR).
You can object at any time to the future use of your data for such advertising purposes. You can submit your objection via the objection link in any e-mail received for this purpose or by sending an e-mail to p.d-datenschutz@deutschebahn.com (Keyword: Advertising contradiction / Werbewiderspruch).
Booking a digital ticket after visiting a partner site (affiliate marketing)
When you click on a DB affiliate advertising material on an external partner site, you will be redirected to our booking. A process identifier is also sent, which we process in order to provide the partner with remuneration for the initiated booking. We do not transmit any personal data. The remuneration is processed via the affiliate network of AWIN AG, Otto-Ostrowski-Straße 1A, 10249 Berlin.
Ordering a season ticket online
When ordering a season ticket by subscription, DB Vertrieb GmbH is responsible for and processes the necessary contact and payment data. These can be taken from your customer account if you wish. Depending on the offer, identification data such as date of birth or photo may also be required.
Adding a subscription to your customer account
To add your subscription to your customer account, e.g. for display in the DB Navigator, we collect your last name, date of birth and subscription number. If a photograph is required for the subscription and this is not yet stored in your subscription contract data, you will be asked to store this when you add the subscription. You then have the option of either selecting a photo from the gallery or taking a new photo. Separate access authorisations are required for this (for details, see the Access authorisations section).
Contact form
If you submit an enquiry via the contact form under 'Help & Contact', your data will be processed by us for the purpose of handling the request and in case of follow-up questions based on Article 6(1)(b) of the GDPR.
Newsletter registration
If you sign up for one of our newsletters, the e-mail address will be collected as mandatory information.
When you register for a newsletter, we also store the IP address assigned by the Internet Service Provider (ISP) to your end-user device used at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to trace (possible) subsequent misuse of the e-mail address of the person concerned and it therefore serves our legal protection. We want to be able to provide you with information that is relevant to you, so we analyse your interest in the contents of the bahn.de newsletter based on clicks and the display of content via customised links.
In this case, we may use your e-mail address for promotional purposes. The legal basis for this is Art. 6 (1) (a) GDPR. You may unsubscribe from the newsletter at any time by clicking the unsubscribe link at the bottom of the newsletter. If you object to your data being used for promotional purposes, your data will only be used anonymously for statistical purposes.
Security measures
We have implemented protective measures for the security and availability of our IT systems. These include web application firewall, rate limiting and DOS protection based on technologies from the service providers Akamai Technologies Inc. and F5 Inc. All requests to our systems are checked to see whether they comply with defined technical rules. We can block deviating requests or store them temporarily for further analysis, including the IP address.
Convenience functions
We use the device memory of modern browsers to keep the history of the last locations used in the "from" and "to" input fields available for subsequent travel searches. All details are only stored in the individual device and can be deleted at this point.
Contract processing generally requires the involvement of data processors who are subject to our instructions, such as e.g. computer centre operators, printing or mail-order service providers, or other agents involved in contractual performance. We also involve external service providers in market research activities.
External service providers who process data on our behalf are carefully selected and placed under strict contractual obligations. The service providers work in accordance with our instructions and this is verified by technical and organisational actions and supplementary checks.
In addition, we only disclose your data when you have given us your express consent or where we are under a statutory obligation to do so.
Transmission to third countries outside the EU/EEA or to an international organisation will not take place unless we have been given reasonable guarantees. These include the EU standard contractual clauses and an adequacy decision by the EU Commission.
For example, we may be required to forward data in the following circumstances for the purpose of contract processing when users book services on int.bahn.de:
- Purchase of travel insurance
- Purchase of hotel services
- Use of the car rental service
- When making use of services for travellers with reduced mobility, your data is sent to the appropriate DB Group offices.
- In the case of payment irregularities or payment default, details of the account receivable may be sent to a debt collection agency.
We store your data only for as long as is necessary to fulfil the purpose for which the data was collected (as part of a contractual relationship, for example) and/or to comply with legal requirements. Thus, in the context of a contractual relationship, we will store your data at least until full and final completion of the contract. Thereafter, the data will be stored for the statutory storage period.
We use cookies on our website for functional, measurement and analysis purposes. Cookies are data packets that are generated by a website and stored on your browser. We distinguish between cookies that are necessary for the technical functioning of the website (e.g. for temporary storage) and cookies that are not essential for the technical functioning of the website (e.g. for range measurement). Some of these cookies (known as session cookies) are automatically deleted or become invalid at the end of the browser session.
Generally speaking, it is possible to use int.bahn.de without the cookies that serve non-technical purposes. This means that you can prevent tracking via cookies in your browser (do not track, tracking protection list, etc.) or block the storage of third-party cookies. We also recommend regular checks of stored cookies that have not been expressly requested.
You can click the "Cookie settings" button at any time to access your cookie settings and make any changes you want.
Cookies and similar technologies that are necessary for the use of certain website functions
The measures listed below, which we use, serve the purpose of making our website more user friendly and improving its usability. In order to be able to assess the effectiveness of our measures for improving functions and your user experience, we continuously collect necessary KPIs regarding the usage. For this, we use the analysis tools Tealium, Adobe Analytics, Optimizely, Qualtrics and m-pathy. If your IP address needs to be processed, it will be made anonymous. All service providers are contractually obliged to handle your data in accordance with privacy requirements. Where required, we have concluded EU standard contractual clauses.
With the chosen technical integration and the contractual measures, we ensure that only we have access to the data.
hCaptcha by Intuition Machines Inc.
In order to protect the privacy of our customers and the availability of our website from automated and abusive access attempts even more reliably, we use the hCaptcha technology from Intuition Machines Inc. (350 Alabama St, San Francisco, CA 94110, USA). This uses bot detection and risk assessments trained through machine learning to determine whether visitors to our website are humans. If required, an interactive task for validation is displayed when using the website. If you registered for the barrier-free service from this company, the system reads the relevant cookie with the duration of one month instead of providing a validation task. The legal basis for the use of the technology is Art. 25 (2) (2) of the TDDDG in conjunction with Art. 6 (1) (f) GDPR. The legitimate interest is to protect the data of the data subjects and the infrastructure from automated and abusive access attempts.
JSC tools from Risk.Ident GmbH
We use JSC tools technology from Risk.Ident GmbH (Am Sandtorkai 50, 20457 Hamburg, Germany) to prevent fraud. This serves to protect you and us by preventing the misuse of your payment method when making payments via int.bahn.de. This can entail the processing of a cookie with a lifetime of 24 months. The legal basis for this is Art. 25 (2) (2) TDDDG in conjunction with Art. 6 (1) (f) GDPR. The legitimate interest is to enable simple and low-threshold access to booking and payment services while ensuring a high level of payment security.
easy Marketing
We use the technologies of easy Marketing GmbH (Asselner Hellweg 124, 44319 Dortmund) to ensure that partner companies are remunerated if you have made a booking on bahn.de after clicking on a DB affiliate link or advertising material. Cookies with a duration of 12 months, to which you have previously consented on these partner sites, are evaluated for this purpose. The legal basis for the use of the technology is § 25 para. 2 no. 2 TDDDG in conjunction with Art. 6 para. 1 lit. f) GDPR. The legitimate interest here lies in being able to remunerate the affiliate agreement accordingly for the ticket purchase contract that has been brought about.
CrossEngage
If you have a bahn.de customer account, you can be shown personalised offers and promotions after you have logged in. If you have consented to the use of marketing cookies, your online usage behaviour will also be taken into account. Cookies with a duration of 13 months are set in your browser for the design of personalised content on bahn.de. The data used for this purpose is processed in pseudonymised form on the servers of our service provider CrossEngage GmbH (Bertha-Benz-Str. 5, 10557 Berlin). The legal basis for the use of the technology is § 25 para. 2 no. 2 TDDDG in conjunction with Art. 6 para. 1 lit. b) GDPR.
Tealium
In order to facilitate the dynamic modification of this website and the management of dynamic content, we use the tag management service Tealium iQ (Tealium Inc., 9605 Scranton Rd., Ste. 600 San Diego, CA 92121, USA). This also includes processing your selected cookie settings. The relevant cookies have a lifetime of 12 months. The legal basis for the use of the technology is Art. 25 (2) (2) TDDDG. The legal basis for the recording of your consent is Art. 6 (1) (b) GDPR.
Qualtrics
We may invite you to take part in surveys on our website in order to continuously improve our offering and services. For these we use technology from Qualtrics LLC (333 W. River Park Drive, Provo UT 84604, USA). The information is collected anonymously. The purpose of the cookies used by Qualtrics is to prevent users from participating multiple times within a certain period of time. The relevant cookies have a lifetime of 12 months. Participation in the surveys is voluntary. The legal basis for the use of the technology is Art. 25 (2) (2) TDDDG. If personal data is entered in free text fields, the legal basis is Art. 6 (1) (b) GDPR.
Verint Systems GmbH
On this website, session and interaction data of the website visitors are collected and stored by technologies of Verint Systems GmbH (Ziegelteich 29, 24103 Kiel, Germany). This information is used to improve the content and user-friendliness of the pages. Cookies are also used for this purpose, which have a duration of 24 months. The legal basis for the use of the technology is § 25 para. 2 no. 2 TDDDG in conjunction with Art. 6 para. 1 lit. b) GDPR.
Optimizely
So that we can provide the best possible design of our website, we show you slightly varied content as part of so-called A/B testing and measure the reaction to it. The web analysis service Optimizely (119 5th Ave 7th floor, New York, NY 10003, USA) used for this purpose stores the necessary information on your end user device. The information is processed on Optimizely's servers in the USA for the duration of the individual test run without personal reference. The legal basis for this is § 25 para. 2 no. 2 TDDDG in conjunction with Art. 6 para. 1 lit. b) GDPR.
Adobe Analytics
In order to manage our website and optimise its performance, we use the web analysis service of Adobe Systems Software Ireland Limited (Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland). The relevant cookies have a lifetime of 24 months. The information processed by means of the cookie is not personal or traceable to an individual. We use this information to measure and evaluate the use of the website and to create statistics. This enables us to assess how often different sections and texts on our web pages are read, and whether or not our website design influences the extent of website usage. We can use the statistics obtained to improve our offer for you. The legal basis for the use of the technology is Art. 25 (2) (2) TDDDG in conjunction with Art. 6 (1) (b) GDPR.
Using the map functionality
For the purpose of directions or local information, you can have travel details displayed graphically on a map of the surrounding area by selecting this function using the map symbol. The map service Google Maps from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) is used for this purpose. After you have consented to activation, your IP address and position data (if enabled) as well as the desired content data will be processed by the map service on its own responsibility and the map will be displayed. The legal basis for this is Art. 6 para. 1 lit. a) GDPR. The activation is noted in a separate cookie and remains valid until you click the "Deactivate map" button in the bottom left-hand corner of the map or delete the cookie. The legal basis for this is Art. 6 para. 1 lit. b) GDPR.
Cookies and similar technologies that are not necessary for the use of certain functions of the website
The following cookies are not absolutely necessary for the use of the website and are only processed if you have previously consented. The legal basis for this is § 25 para. 1 TDDDG in conjunction with Art. 6 para. 1 lit. a) GDPR. You can revoke your consent at any time by calling up the cookie settings again and changing your selection there.
Cookies for personalised offers
Marketing cookies are used on our website to adapt the content to your interests and to be able to display corresponding offers. If you have a customer account, the cookies enable us to recognise you on subsequent visits to int.bahn.de if necessary. This only happens via encrypted connections.
AdForm
Cookies from AdForm A/S (Wildersgade 10B, 1, 1408 Copenhagen K, Denmark) are used to display interest-based advertising. For this purpose, information on the operating system, browser version, anonymised IP addresses, geographical location and number of clicks or views, for example, is stored in pseudonymous usage profiles. The cookie set by AdForm has a duration of 12 months. This data is used for the following purposes:
- Recording the number of visitors to int.bahn.de .
- Recording the order in which visitors visit the various pages of int.bahn .de.
- Optimisation of the website
Adform uses this information to target online advertising based on usage. In order to be able to use the advertising space from other websites, the cookies are synchronised with the following platforms: Google, Doubleclick, Appnexus, DataXu, Mediamath, TURN, TheTradeDesk, Active Agent, TheAdex.
Exactag
We use the analysis service of Exactag GmbH (Wanheimer Straße 68, 40468 Düsseldorf) on our website. Cookies are used to store data about how you use bahn.de. Process identifiers are also processed, which are transmitted when you are redirected from other websites (e.g. LinkeId.com, Bing.com, Google.com, Youtube.com), and the successful redirection may be reported back to the operator of the respective website. We do not transmit personal data. The cookie set by Exactag has a duration of 6 months.
-
You can request information as to what personal data is stored.
-
You can request that we correct, delete or restrict the processing (block) of your personal data, provided these actions are permitted by law and in compliance with existing contractual conditions.
You have the right to file complaints with the supervisory authority. The supervisory authority responsible for DB Vertrieb GmbH is Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany -
You have the right to the portability of data you have made available to us on the basis of consent or a contract (data portability).
-
If you have given us your consent to data processing, you can withdraw it at any time by the same means by which it was given. Any processing of your personal data that took place from the time at which you granted your consent until the time at which you withdrew it will be considered to have been lawful.
-
You can object to data processing for reasons arising from your particular circumstances if the data processing is based on our legitimate interests or is necessary to meet an official requirement.
You can opt out of targeted advertising at any time. This takes effect for the future (advertising opt-out). -
DB Vertrieb, DB Fernverkehr and DB Regio are joint controllers as per Art. 26 GDPR. The parties have formally agreed which of them complies with the obligations arising from GDPR. Independently of this, you can make a claim based on your rights vis-a-vis the above-named contracting parties at any time. If you contact us in writing but your issue relates to the area of responsibility of the service you used, we will forward your matter accordingly.
To exercise your rights, you may send a letter by post to:
DB Vertrieb GmbH
Europa-Allee 70-76
60486 Frankfurt am Main
Germany
Alternatively, you may send an e-mail to the following address: p.d-datenschutz@deutschebahn.com
When you click a link to an external website, you leave int.bahn.de website. DB Fernverkehr AG is not responsible for the content, services or products available via this external website. Similarly, DB Fernverkehr AG is not responsible for your data privacy or technical safety when you are on this external website.
We modify the privacy statement to ensure that it is in line with changes relating to functions or legislation. We therefore recommend that you review our privacy statement at regular intervals.
Last modified : October 2024
Data protection statement in the Passenger Rights Service Centre (SC FGR)
Find out here what data we collect for the purpose of processing your passenger rights (only in German).