Privacy statement for int.bahn.de
It is generally possible to use our website without providing personal data. We may need to process your personal data, however, if you wish to make use of special services we offer via our website or if you are booking a trip via our website. If it is necessary to process personal data and there is no statutory basis for such processing (e.g. a contractual agreement), we will ask for your consent.
When you use the app, DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG process your data as joint controllers.
If you have any questions or suggestions regarding this privacy statement, simply contact one of the DB companies.
DB Vertrieb GmbH
Europa-Allee 78- 84
DB Fernverkehr AG
Europa-Allee 78- 84
DB Regio AG
Dr Marein Müller is the designated privacy officer for all three companies.
The companies listed above are jointly responsible for various data processing operations in connection with a ticket purchase or other services that we make available on int.bahn.de. They have formally agreed which of them performs a given task as part of this joint processing, what the purpose of this processing is, how it is organised and who complies with the obligations arising from GDPR, in particular with information-related obligations. The key features of this agreement are described below.
DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG are joint controllers for the following purposes:
- Use of websites and apps for the sale of products and services, and the provision of information for marketing communications
- Processes on the train (e.g. ticket sales and inspection, penalty fares)
- Processing and paying ex-gratia settlement and compensation (e.g. due to disruptions and unforeseen events)
- Implementation of data subject rights, complaint management, service concerns and customer dialogue
We collect and process your data exclusively for specific purposes. These purposes may result from technical requirements, contractual obligations or express wishes of the user.
For technical reasons, certain data must be collected and saved when you visit int.bahn.de. This includes, for example, the date and duration of your visit, the web pages used, the identification data of your browser and type of operating system used as well as information on the website via which you were routed to our site.
In order to comply with a contract, we require certain personal data from you. This data is required for booking tickets, processing payments, checking credit ratings, and for dealing with any cancellations and refunds if necessary.
In this case, the contract pursuant to Article 6(1)(b)) GDPR is the legal basis for the processing of your personal data. Article 6(1)(b) GDPR shall also apply to processing that is required in order to take steps prior to entering in to the contract, e.g. in cases of inquiries regarding our products or services.
Insofar as we obtain your consent for the processing of personal data (e.g. if you subscribe to our newsletter) this consent shall serve as the legal basis according to Art. 6 (1) (a) GDPR.
If we are subject to a legal obligation that requires us to process personal data, e.g. to fulfil tax obligations, this processing shall be based on Art. 6 (1) (c) GDPR.
We would like to use your previous and current usage patterns of int.bahn.de to provide you with customised content that will make our offers more interesting to you as a user. To do so, we store and analyse pseudonymised usage data from online activities. We can then offer you special advantages such as ticket price reductions and free seat reservations the next time you book a ticket. The legal basis for this is Art. 6 (1) (f) GDPR.
We also do this in order to maintain relations with you as a customer, and to provide you with information and offers that we think will correspond to your travel preferences and interests. We therefore process your data on the basis of Art. 6 (1) (f) GDPR (including with the help of service providers) in order to send you information and offers. We use your contact data (name, address and e-mail address which we have received as a result of our business relationship with you) for advertising by post and for similar goods or services by e-mail, in particular for market research, unless you object to such use.
You can object at any time to the future use of your data for such advertising purposes. You can send your objection by e-mail to firstname.lastname@example.org (Keyword: Advertising contradiction / Werbewiderspruch).
In the following, you will find a more detailed description of the data processing that can take place when booking a ticket on int.bahn.de. Information on further data processing, for example when you visit our pages on social networks, can be found at: https://www.db-vertrieb.com/datenschutz (in German)
List of specific examples:
To create a customer account for booking tickets on int.bahn.de, we collect the following mandatory information during the registration process:
- E-mail address (used in combination with the password for login)
- Password (assigned by yourself)
It is not possible to create a personal customer account without providing this information. All other personal information and details pertaining to the user's travel profile are optional. We store your booking data, which includes your login data and information on whether you have a BahnCard, in your customer account.
Booking a digital ticket
When booking digital tickets, we process the first name, last name and e-mail address. The date of birth may also be required when booking international tickets and some regional offers. During ticket inspections on trains, the information on the ticket (first name and last name) is displayed on the scanner (mobile terminal).
To process your payments, the necessary payment details (amount, booking reference, booking description, payer) are forwarded to the relevant payment service providers.
- When paying with PayPal, this is:
PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. You can find out how PayPal processes your data in PayPal's privacy statement.
- When paying by credit card, this is:
PAYONE GmbH, Lyoner Strasse 9, 60528 Frankfurt, Germany. You can find out how PAYONE processes your data, in PAYONE’s privacy statement. The payment service provider records the credit card data for the payment or deposit in the customer's own account. It also performs any security measures such as 3D-Secure and strong customer authentication. We do not receive access to your full credit card data. Instead, we merely save a reference in the form of an abbreviated credit card number so that you can identify it.
- When paying via giropay, this is:
paydirekt GmbH, Stephanstr. 14-16, 60313 Frankfurt, Germany. Further information is available in giropay's privacy statement.
- Registration for payment by SEPA direct debit:
When you register to use the SEPA direct debit process, you provide us with a SEPA mandate that we can use to deduct payments from your bank account by means of a SEPA direct debit when you choose this method of payment.
- Online activation of the SEPA direct debit scheme:
To ensure secure payment with the SEPA direct debit scheme, we provide methods for online verification of account access via OpenBanking through Tink Germany GmbH (Gottfried-Keller-Strasse 33, 81245 Munich) or Verimi GmbH (Oranienstrasse 91, 10969 Berlin), or for online identity verification through Verimi GmbH. Depending on which verification method you choose, your personal data (the bank details, name and e-mail address provided) will be transmitted to the service provider under your direction. You will be guided through the selected function and informed about each individual step of the data processing in the automatically opening dialogue of the service provider. Once you have successfully completed the check, you can pay by direct debit. Both service providers are independently active as controllers. Verimi GmbH will offer you the use of your Verimi customer account, if you have one, or let you create a new customer account that will later also assist you with other identity verification procedures. Tink Germany GmbH and Verimi GmbH are authorised account information services that also work for banks and only process your data for the few minutes it takes to perform the account access check.
Further information is also available in the privacy statement in the dialogue window of the respective provider.
To prevent cases of fraud, a data processor is used to process your device or browser fingerprint along with your payment-related data. This serves to protect you and us by preventing the misuse of your financial details when making payments via int.bahn.de. The legal basis for this is Article 6 (1) (f) GDPR.
Komfort Check-in service
Komfort Check-in gives you an option for automatically validating your mobile phone ticket on certain DB long-distance trains. If you use this service, we process the relevant mobile phone ticket's data, including its identification details and possible discounts, to identify and validate the ticket. Our system uses the following data for this:
- Ticket ID/order number
- First name and last name of the passenger(s)
- BahnCard number
- Name of the BahnCard holder
We collect contact details and identification information (e.g. date of birth) when users buy a BahnCard. Further information on data processing in connection with the BahnCard can be found at: www.db-vertrieb.com/datenschutz
Offers relating to similar products or services
We also use your e-mail address collected during registration or due to contractual commitments (e.g. booking a digital ticket) to inform you by e-mail about our own similar products or services. In this case, the e-mail address will be processed on the basis of our overriding legitimate interest in advertising our products and services (Article 6(1)(f) GDPR).
You can object at any time to the future use of your data for such advertising purposes. You can submit your objection via the objection link in any e-mail received for this purpose or by sending an e-mail to email@example.com (Keyword: Advertising contradiction / Werbewiderspruch).
Ordering a season ticket online
When ordering a season ticket by subscription, DB Vertrieb GmbH is responsible for and processes the necessary contact and payment data. These can be taken from your customer account if you wish. Depending on the offer, identification data such as date of birth or photo may also be required.
Adding a subscription to your customer account
To add your subscription to your customer account, e.g. for display in the DB Navigator, we collect your last name, date of birth and subscription number. If a photograph is required for the subscription and this is not yet stored in your subscription contract data, you will be asked to store this when you add the subscription. You then have the option of either selecting a photo from the gallery or taking a new photo. Separate access authorisations are required for this (for details, see the Access authorisations section).
When you send us an enquiry or comment regarding your booking using the contact form in "Feedback & Support", we will process your details from the form, including the contact details you provide there, to handle the enquiry and any follow-up queries that may arise. The legal basis for this is Article 6 (1) (b) GDPR.
If you sign up for one of our newsletters, the e-mail address will be collected as mandatory information.
When you register for a newsletter, we also store the IP address assigned by the Internet Service Provider (ISP) to your end-user device used at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to trace (possible) subsequent misuse of the e-mail address of the person concerned and it therefore serves our legal protection. We want to be able to provide you with information that is relevant to you, so we analyse your interest in the contents of the bahn.de newsletter based on clicks and the display of content via customised links.
In this case, we may use your e-mail address for promotional purposes. The legal basis for this is Art. 6 (1) (a) GDPR. You may unsubscribe from the newsletter at any time by clicking the unsubscribe link at the bottom of the newsletter. If you object to your data being used for promotional purposes, your data will only be used anonymously for statistical purposes.
We have implemented protective measures for the security and availability of our IT systems. These include web application firewall, rate limiting and DOS protection based on technologies from the service providers Akamai Technologies Inc. and F5 Inc. All requests to our systems are checked to see whether they comply with defined technical rules. We can block deviating requests or store them temporarily for further analysis, including the IP address.
Contract processing generally requires the involvement of data processors who are subject to our instructions, such as e.g. computer centre operators, printing or mail-order service providers, or other agents involved in contractual performance. We also involve external service providers in market research activities.
External service providers who process data on our behalf are carefully selected and placed under strict contractual obligations. The service providers work in accordance with our instructions and this is verified by technical and organisational actions and supplementary checks.
In addition, we only disclose your data when you have given us your express consent or where we are under a statutory obligation to do so.
Transmission to third countries outside the EU/EEA or to an international organisation will not take place unless we have been given reasonable guarantees. These include the EU standard contractual clauses and an adequacy decision by the EU Commission.
For example, we may be required to forward data in the following circumstances for the purpose of contract processing when users book services on int.bahn.de:
- Purchase of travel insurance
- Purchase of hotel services
- Use of the car rental service
- When making use of services for travellers with reduced mobility, your data is sent to the appropriate DB Group offices.
- In the case of payment irregularities or payment default, details of the account receivable may be sent to a debt collection agency.
We store your data only for as long as is necessary to fulfil the purpose for which the data was collected (as part of a contractual relationship, for example) and/or to comply with legal requirements. Thus, in the context of a contractual relationship, we will store your data at least until full and final completion of the contract. Thereafter, the data will be stored for the statutory storage period.
Generally speaking, it is possible to use int.bahn.de without the cookies that serve non-technical purposes. This means that you can prevent tracking via cookies in your browser (do not track, tracking protection list, etc.) or block the storage of third-party cookies. We also recommend regular checks of stored cookies that have not been expressly requested.
You can click the "Cookie settings" button at any time to access your cookie settings and make any changes you want.
Cookies and similar technologies that are necessary for the use of certain website functions
The measures listed below, which we use, serve the purpose of making our website more user friendly and improving its usability. In order to be able to assess the effectiveness of our measures for improving functions and your user experience, we continuously collect necessary KPIs regarding the usage. For this, we use the analysis tools Tealium, Adobe Analytics, Optimizely, Qualtrics and m-pathy. If your IP address needs to be processed, it will be made anonymous. All service providers are contractually obliged to handle your data in accordance with privacy requirements. Where required, we have concluded EU standard contractual clauses.
With the chosen technical integration and the contractual measures, we ensure that only we have access to the data.
hCaptcha by Intuition Machines Inc.
In order to protect the privacy of our customers and the availability of our website from automated and abusive access attempts even more reliably, we use the hCaptcha technology from Intuition Machines Inc. (350 Alabama St, San Francisco, CA 94110, USA). This uses bot detection and risk assessments trained through machine learning to determine whether visitors to our website are humans. If required, an interactive task for validation is displayed when using the website. If you registered for the barrier-free service from this company, the system reads the relevant cookie with the duration of one month instead of providing a validation task. The legal basis for the use of the technology is Art. 25 (2) (2) of the TTDSG in conjunction with Art. 6 (1) (f) GDPR. The legitimate interest is to protect the data of the data subjects and the infrastructure from automated and abusive access attempts.
JSC tools from Risk.Ident GmbH
We use JSC tools technology from Risk.Ident GmbH (Am Sandtorkai 50, 20457 Hamburg, Germany) to prevent fraud. This serves to protect you and us by preventing the misuse of your payment method when making payments via int.bahn.de. This can entail the processing of a cookie with a lifetime of 24 months. The legal basis for this is Art. 25 (2) (2) TTDSG in conjunction with Art. 6 (1) (f) GDPR. The legitimate interest is to enable simple and low-threshold access to booking and payment services while ensuring a high level of payment security.
We use the technologies of easy Marketing GmbH (Asselner Hellweg 124, 44319 Dortmund) to ensure that partner companies are remunerated if you have made a booking on bahn.de after clicking on a DB affiliate link or advertising material. Cookies with a duration of 12 months, to which you have previously consented on these partner sites, are evaluated for this purpose. The legal basis for the use of the technology is § 25 para. 2 no. 2 TTDSG in conjunction with Art. 6 para. 1 lit. f) DSGVO. The legitimate interest here lies in being able to remunerate the affiliate agreement accordingly for the ticket purchase contract that has been brought about.
If you are the holder of a bahn.de customer account, you can be shown personal offers and promotions after you have logged in or activated the "stay logged in" function. In order to be able to design this content, a cookie with a duration of 12 months is set in your browser when you use bahn.de. The data collected via the cookie is processed pseudonymously on servers of our service provider CrossEngage GmbH (Bertha-Benz-Str. 5, 10557 Berlin). The legal basis for the use of the technology is § 25 para. 2 no. 2 TTDSG in conjunction with Art. 6 para. 1 lit. b) DSGVO.
In order to facilitate the dynamic modification of this website and the management of dynamic content, we use the tag management service Tealium iQ (Tealium Inc., 9605 Scranton Rd., Ste. 600 San Diego, CA 92121, USA). This also includes processing your selected cookie settings. The relevant cookies have a lifetime of 12 months. The legal basis for the use of the technology is Art. 25 (2) (2) TTDSG. The legal basis for the recording of your consent is Art. 6 (1) (b) GDPR.
We may invite you to take part in surveys on our website in order to continuously improve our offering and services. For these we use technology from Qualtrics LLC (333 W. River Park Drive, Provo UT 84604, USA). The information is collected anonymously. The purpose of the cookies used by Qualtrics is to prevent users from participating multiple times within a certain period of time. The relevant cookies have a lifetime of 12 months. Participation in the surveys is voluntary. The legal basis for the use of the technology is Art. 25 (2) (2) TTDSG. If personal data is entered in free text fields, the legal basis is Art. 6 (1) (b) GDPR.
Verint Systems GmbH
On this website, session and interaction data of the website visitors are collected and stored by technologies of Verint Systems GmbH (Ziegelteich 29, 24103 Kiel, Germany). This information is used to improve the content and user-friendliness of the pages. Cookies are also used for this purpose, which have a duration of 24 months. The legal basis for the use of the technology is § 25 para. 2 no. 2 TTDSG in conjunction with Art. 6 para. 1 lit. b) GDPR.
In order to be able to show you our website with slightly different content, we carry out so-called A/B testing using the service Optimizely. For this purpose, cookies are stored on your end device with a lifetime of 24 months. The analysis service provider is Optimizely (119 5th Ave 7th floor, New York, NY 10003, USA). Only anonymised data is processed on Optimizely's servers. The legal basis for the use of the technology is Art. 25 (2) (2) TTDSG in conjunction with Art. 6 (1) (b) GDPR.
In order to manage our website and optimise its performance, we use the web analysis service of Adobe Systems Software Ireland Limited (Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland). The relevant cookies have a lifetime of 24 months. The information processed by means of the cookie is not personal or traceable to an individual. We use this information to measure and evaluate the use of the website and to create statistics. This enables us to assess how often different sections and texts on our web pages are read, and whether or not our website design influences the extent of website usage. We can use the statistics obtained to improve our offer for you. The legal basis for the use of the technology is Art. 25 (2) (2) TTDSG in conjunction with Art. 6 (1) (b) GDPR.
Cookies and similar technologies that are not necessary for the use of certain functions of the website
The following cookies are not absolutely necessary for the use of the website and are only processed if you have previously consented. The legal basis for this is § 25 para. 1 TTDSG in conjunction with Art. 6 para. 1 lit. a) GDPR. You can revoke your consent at any time by calling up the cookie settings again and changing your selection there.
Cookies for personalised offers
Marketing cookies are used on our website to adapt the content to your interests and to be able to display corresponding offers. If you have a customer account, the cookies enable us to recognise you on subsequent visits to int.bahn.de if necessary. This only happens via encrypted connections.
Cookies from AdForm A/S (Wildersgade 10B, 1, 1408 Copenhagen K, Denmark) are used to display interest-based advertising. For this purpose, information on the operating system, browser version, anonymised IP addresses, geographical location and number of clicks or views, for example, is stored in pseudonymous usage profiles. The cookie set by AdForm has a duration of 12 months. This data is used for the following purposes:
- Recording the number of visitors to int.bahn.de .
- Recording the order in which visitors visit the various pages of int.bahn .de.
- Optimisation of the website
Adform uses this information to target online advertising based on usage. In order to be able to use the advertising space from other websites, the cookies are synchronised with the following platforms: Google, Doubleclick, Appnexus, DataXu, Mediamath, TURN, TheTradeDesk, Active Agent, TheAdex.
With the technologies of Awin AG (Landsberger Allee 104 BC, 10249 Berlin), we ensure the remuneration of advertising partners if, after clicking on a DB affiliate advertising material on their website, you make a corresponding booking with us within 30 days. Cookies that you have previously consented to on these websites are evaluated for this purpose. The cookies have a term of 30 days.
Google Sync Pixel
With the Google Sync Pixel (Google Commerce Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google Cloud Platform, Data Storage)), Google tells us whether you have viewed our advertising campaigns and thus enables us to measure the success and reach of our advertising campaigns when you subsequently visit our websites for the advertised offers. The cookie set by Google for this purpose only serves this purpose and has a duration of 12 months.
We use the analysis service of Exactag GmbH (Wanheimer Straße 68, 40468 Düsseldorf) on our website. Cookies are used to store data about how you use int.bahn.de. The cookie set by Exactag has a duration of 6 months.
You can request information as to what personal data is stored.
You can request that we correct, delete or restrict the processing (block) of your personal data, provided these actions are permitted by law and in compliance with existing contractual conditions.
You have the right to file complaints with the supervisory authority. The supervisory authority responsible for DB Vertrieb GmbH is Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
You have the right to the portability of data you have made available to us on the basis of consent or a contract (data portability).
If you have given us your consent to data processing, you can withdraw it at any time by the same means by which it was given. Any processing of your personal data that took place from the time at which you granted your consent until the time at which you withdrew it will be considered to have been lawful.
You can object to data processing for reasons arising from your particular circumstances if the data processing is based on our legitimate interests or is necessary to meet an official requirement.
You can opt out of targeted advertising at any time. This takes effect for the future (advertising opt-out).
DB Vertrieb, DB Fernverkehr and DB Regio are joint controllers as per Art. 26 GDPR. The parties have formally agreed which of them complies with the obligations arising from GDPR. Independently of this, you can make a claim based on your rights vis-a-vis the above-named contracting parties at any time. If you contact us in writing but your issue relates to the area of responsibility of the service you used, we will forward your matter accordingly.
To exercise your rights, you may send a letter by post to:
DB Vertrieb GmbH
Europa-Allee 78 - 84
60486 Frankfurt am Main
Alternatively, you may send an e-mail to the following address: firstname.lastname@example.org
When you click a link to an external website, you leave int.bahn.de website. DB Fernverkehr AG is not responsible for the content, services or products available via this external website. Similarly, DB Fernverkehr AG is not responsible for your data privacy or technical safety when you are on this external website.
We modify the privacy statement to ensure that it is in line with changes relating to functions or legislation. We therefore recommend that you review our privacy statement at regular intervals.
Last modified: September 2023
Data protection statement in the Passenger Rights Service Centre (SC FGR)
Find out here what data we collect for the purpose of processing your passenger rights (only in German).