Privacy policy Rheinbahn website
A. General provisions on data processing
1. Subject of this privacy policy
We, Rheinbahn AG (Rheinbahn), are glad to see your interest in our website and our offers on the website.
We care very deeply about protecting your personal data. Below we would like to inform you in detail about which data is collected when you visit our website and use our offers there and how this is processed or used by us subsequently. Furthermore, we would also like to inform you about the accompanying protective measures we have taken in technical and organisational terms.
The processing of personal data, such as the name, address, email address, or telephone number of a data subject shall always be in line with the applicable data protection regulations. Through this privacy policy, we would like to inform you about the type, scope and purpose of the personal data collected, used and processed by us and, insofar as you are affected by the data processing, to clarify this.
Although we, as the party responsible for processing personal data, have implemented numerous technical and organisational measures, internet-based data transmission can always have security vulnerabilities, and so absolute protection cannot be guaranteed. We would like you to take this into account when using our website.
2. Definitions
In this privacy policy, terms are used that were specified by the legislator in the General Data Protection Regulation (hereinafter also GDPR).
You can access the GDPR here.
The aim of our privacy policy is to inform you about the processing of your personal data on our website in a simple and understandable way.
3. Name and address of the data controller
The responsible party in terms of the data protection law is:
Rheinbahn AG
Lierenfelder Straße 42
40231 Düsseldorf
Phone: 0211.582-01
Fax: 0211.582-1855
Email: rheinbahn@rheinbahn.de
Internet: www.rheinbahn.de
4. Contact details of the data protection officer
Company Data Protection Officer:
c/o Rheinbahn AG
Lierenfelder Straße 42
40231 Düsseldorf
Phone: 0211.582-01
Fax: 0211.582-4466
Email: datenschutzbeauftragter@rheinbahn.de
5. Deletion and blocking of personal data/storage period
Unless otherwise stipulated for the respective processing of personal data in Section B. of this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations. If the data of the data subject is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. That is, the data is blocked and not processed for other purposes. This applies, for example, to data of the data subject that must be retained for reasons of commercial or tax law.
According to the legal requirements, data is stored for six years in accordance with § 257 para. 1 of HGB (Commercial Code) (commercial books, inventories, opening balances, annual financial statements, commercial letters, accounting vouchers, etc.) and for ten years in accordance with § 147 para. 1 of AO (Tax Code) (books, records, management reports, accounting vouchers, commercial and business letters, etc.).
6. Rights of the data subject
6.1. Right to obtain confirmation
Every data subject shall have the right, granted by the European Directive and the Regulation, to obtain confirmation from the controller as to whether personal data concerning him or her is being processed. If a data subject wishes to exercise this right of confirmation, he or she may, at any time, contact us.
6.2. Right to information
Any person affected by the processing of personal data shall have the right to obtain from the controller, at any time and free of charge, information about the personal data stored about him or her and a copy of that information. Furthermore, the data subject shall be entitled to access the following information:
The processing purposes.
The categories of personal data that is processed.
The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations.
If possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration.
The existence of a right to rectification or erasure of personal data concerning the data subject or to restriction of processing by the controller or a right to object to such processing.
The existence of a right of appeal to a supervisory authority.
If the personal data is not collected from the data subject: All available information about the origin of the data.
The existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
Furthermore, the data subject has the right to be informed whether personal data has been transferred to a third country or to an international organisation. If this is the case, the data subject also has the right to obtain information on the appropriate safeguards in connection with the transfer.
If a data subject wishes to exercise this right to information, he or she may contact us at any time.
6.3. Right to rectification
Any person affected by the processing of personal data has the right to have personal data relating to him or her which is inaccurate rectified immediately. Furthermore, the data subject shall have the right, taking into account the purposes of the processing, to request the completion of incomplete personal data with a supplementary statement.
If a data subject wishes to exercise this right of rectification, he or she may contact us at any time.
6.4. Right to erasure
Any person affected by the processing of personal data has the right to obtain from the controller the erasure of personal data relating to him or her without any delay, where one of the following grounds applies and insofar as the processing is not necessary:
The personal data was collected or otherwise processed for purposes for which it is no longer required.
The data subject revokes the consent on which the processing was based pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing.
The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
The personal data has been processed unlawfully.
The deletion of the personal data is necessary for compliance with a legal obligation under Union or Member State laws to which the controller is subject.
The personal data was collected in relation to information society services offered pursuant to Art. 8(1) GDPR.
If one of the aforementioned reasons applies, and the data subject wishes to arrange for the deletion of personal data stored by the Rheinbahn, he or she may, at any time, contact us. We will arrange for the deletion request to be complied with immediately.
If the personal data has been made public by Rheinbahn and our company as the controller is obliged to erase the personal data pursuant to Article 17 (1) of the Data Protection Regulation, Rheinbahn shall, taking into account the available technology and the cost of implementation, implement reasonable measures, including those of a technical nature, to inform other data controllers which process the published personal data, that the data subject has requested from those other data controllers the erasure of all links to the personal data or to copies or replications of the personal data, unless the processing is necessary. We will take the necessary steps in individual cases.
6.5. Right to restrict processing
Any person affected by the processing of personal data has the right to obtain from the controller the restriction of processing where one of the following conditions is met:
The accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data.
The processing is unlawful, the data subject objects to the erasure of the personal data and requests instead the restriction of the use of the personal data.
The controller no longer needs the personal data for the purposes of processing, but the data subject needs it for the establishment, exercise or defence of legal claims.
The data subject has objected to the processing pursuant to Article 21(1) of the GDPR and it is not yet clear whether the legitimate grounds of the controller override those of the data subject.
If one of the aforementioned cases applies, and a data subject wishes to request the restriction of personal data stored by the Rheinbahn, he or she may, at any time, contact us. We will then arrange for the restriction of processing the data.
6.6. Right to data portability
Any person affected by the processing of personal data shall have the right to receive the personal data relating to him or her which has been provided by the person to a controller in a structured, commonly used and machine-readable format. The data subject shall also have the right to transmit such data to another controller without hindrance from the controller to whom the personal data has been provided, provided that the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR and the processing is carried out by automated means, unless the processing is necessary to perform a task carried out in public interest or in the exercise of official authority vested in the controller.
Furthermore, when exercising his or her right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to get the personal data transferred directly from one controller to another controller, to the extent that this is technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals.
To assert the right to data portability, the data subject may contact us at any time.
6.7. Right to object
Any person affected by the processing of personal data has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is carried out on the basis of Article 6(1)(e) or (f) of the GDPR. This also applies to profiling based on these provisions.
Rheinbahn shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the assertion, exercise or defence of legal claims.
If Rheinbahn processes personal data for the purpose of direct marketing, the data subject shall have the right to object at any time to processing of personal data for such marketing. This also applies to profiling insofar as it is associated with such direct marketing. If the data subject objects to Rheinbahn to the processing for direct marketing purposes, Rheinbahn will no longer process the personal data for these purposes.
In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her which is carried out by the Rheinbahn for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the Data Protection Regulation, unless such processing is necessary for the performance of a task carried out in the public interest.
To exercise the right to object, the data subject may contact us directly. The data subject shall also be free to exercise his or her right to object by means of automated procedures using technical specifications in the context of the use of information society services, notwithstanding Directive 2002/58/EC.
6.8. Automated decisions in individual cases including profiling
Any person affected by the processing of personal data shall have the right, granted by the European Parliament and the Council, not to be subject to a decision based solely on automated processing, including possible profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision is necessary for entering into, or the performance of, a contract between the data subject and the controller, or is permitted by Union or Member State law to which the controller is subject, and that law provides for adequate measures to safeguard the data subject's rights and freedoms and legitimate interests, or has the data subject's explicit consent.
If the decision is necessary for entering into, or the performance of, a contract between the data subject and the data controller, or if it is made with the data subject's explicit consent, Rheinbahn shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, which include at least the right to get the data subject's involvement on the part of the controller, to express his or her point of view and to contest the decision.
If the data subject wishes to assert rights relating to automated decisions, he or she may contact us at any time.
6.9. Right to revoke consent under data protection law
Any person affected by the processing of personal data has the right to withdraw consent to the processing of personal data at any time.
If the data subject wishes to exercise the right to withdraw consent, he or she may contact us at any time.
Any data subject may contact us directly at any time with any questions or suggestions regarding data protection.
6.10. Right of appeal to a data protection supervisory authority
Any person affected by the processing of personal data has the right to file a complaint with a data protection supervisory authority about our processing of your personal data.
7. Legal basis of the processing
Unless otherwise stated in the description of the respective data processing procedure in the following section B. of this privacy policy, the following regulations apply. Article 6 I point a of the GDPR serves as the legal basis for the processing operations for Rheinbahn for which consent must be obtained for a specific processing purpose.
If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, the processing is based on Art. 6 I point b of the GDPR. The same applies to processing operations that are necessary for the implementation of pre-contractual measures, for example in the case of enquiries about our services and products.
If Rheinbahn is subject to a legal obligation by which the processing of personal data becomes necessary, the processing is based on Art. 6 I point c of the GDPR. In rare cases, the processing of personal data might become necessary to protect vital interests of the data subject or another natural person. In this case, the processing is based on Article 6 I point d of the GDPR. Ultimately, processing operations could be based on Art. 6 I point f of the GDPR. Processing operations which are not covered by any of the aforementioned legal grounds are based on this legal basis if the processing is necessary to protect a legitimate interest of Rheinbahn or a third party, provided that the interests, fundamental rights and freedoms of the data subject are not overridden. We are permitted to carry out such processing operations in particular because they have been specifically mentioned by the European legislator (cf. recital 47 sentence 2 of the GDPR).
8. Taking legitimate interests into account
Unless otherwise regulated in the description of the respective data processing operation in Section B. of this privacy policy and the processing of personal data is based on Article 6 I point f GDPR, our legitimate interest is the performance of our business activities and the associated economic interest.
9. Data protection when using our contact details
If you use the contact data provided on our website (such as our email address or fax number) to contact us, the personal data you provide will only be processed for the purpose of contacting you.
If the reason for you contacting us is your interest in our services or products or the fulfilment of an existing contract with us, the legal basis is Art. 6 para. 1 point b of the GDPR. For all other reasons of contacting us, we have a legitimate interest pursuant to Art. 6 (1) point f of the GDPR in the processing of data based on the communication initiated by you.
We store the data required for processing the contract until the expiry of the statutory warranty and, if applicable, contractual guarantee periods. We store the data required under commercial and tax law for the periods specified by law, usually ten years (cf. § 257 HGB (Commercial Code), § 147 AO (Tax Code)). The data processed to carry out pre-contractual measures is deleted as soon as the measures have been carried out and there is no recognisable conclusion of a contract.
The personal data stored by us on the basis of a legitimate interest will be stored until the purpose of the contact has been achieved. You have the right to object at any time to data processing that is based on Art. 6 (1) f) of the GDPR and does not serve direct advertising for reasons that arise from your particular situation. In the case of direct advertising, on the other hand, you can object to the processing at any time without giving reasons.
Recipients of the personal data processed in accordance with this provision are IT service providers (in particular hosters) with whom we have concluded a corresponding commissioned data processing agreement in accordance with Article 28 of the GDPR.
10. Amendments to this privacy policy
Rheinbahn reserves the right to amend this privacy policy at any time with effect for the future. An up-to-date version is available on the website. Please visit the website regularly and inform yourself about the applicable data protection regulations.
B. Special provisions on data processing on our website
1. Collection and use of your data
The extent and type of collection and use of your data differs depending on whether you visit our website merely to get information or make use of services offered by us, such as concluding a contract via the website, and registering yourself if necessary.
2. Informative use/collected data/cookies
In the case of merely informational use of the website, i.e. if you do not, for example, make a booking via our website or otherwise transmit information to us, we only collect the personal data that your browser transmits to our server. If you want to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure its stability and security (legal basis is Art. 6 para. 1 p. 1 point f of the GDPR):
IP address
Date and time of the visit to the website
Time zone difference to Greenwich Mean Time (GMT)
Content of the visit (specific page)
Access status/HTTP status code
Data volume transferred each time
Website from which the visit to the page is made
Browser
Operating system and its interface
Language and version of the browser software.
The data processed in accordance with paragraph 1 of this provision shall be stored for the specified purposes for a period of 90 days and then deleted.
In addition to the previously mentioned data, no cookies are currently stored on your computer when you use our website. This will happen due to our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR in the optimisation and economic operation of our online offer. Cookies are small text files that are assigned and saved on your hard drive by the browser you use, and through which certain information flows to the point that installs the Cookie (here us). Cookies cannot execute any programs or transmit viruses to your computer. Cookies are used to make the website more user friendly and effective as a whole.
Recipients of the data processed in accordance with the above paragraphs are IT service providers (in particular hosters) with whom we have concluded corresponding commissioned data processing agreements in accordance with Art. 28 of the GDPR.
3. Google reCAPTCHA
We use "Google reCAPTCHA" (hereinafter "reCAPTCHA") on our websites. The provider is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”).
Google is certified under the Privacy Shield agreement and thereby offers a guarantee of compliance with the European data protection law.
The purpose of reCAPTCHA is to check whether the data input on our websites (especially in the contact form) is made by a human or by an automated programme. For this purpose, reCAPTCHA analyses the behaviour of the website visitor on the basis of various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For analysis purposes, reCAPTCHA evaluates various information (e.g. IP address, time spent by the website visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.
The reCAPTCHA analyses run completely in the background. Website visitors are not made aware that an analysis is taking place.
The data processing is based on Art. 6 para. 1 point f of the GDPR. The website operator has a legitimate interest in protecting its web offerings from abusive automated spying and from SPAM.
For more information on Google reCAPTCHA and Google's privacy policy, please see the following links: https://www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html.
4. Using offers on our website
If you wish to make use of the services offered on our website, such as paid ticket bookings, it is necessary for you to provide additional personal data. Details can be found in the following regulations.
4.1. Contact form, info service, filming permit and journalist enquiry form
When voluntarily using our above-mentioned services, you will be asked to enter the subject, the description of your request or question, your email address, your name, your telephone number and your address. Optionally, you can type what you want in the text field provided. Mandatory fields are marked accordingly.
The legal basis for the processing of your personal data is the consent expressly given by you in accordance with Art. 6 (1) a of the GDPR as well as our legitimate interest in accordance with Art. 6 (1) f of the GDPR in answering your enquiry about our services or offers and providing evidence of potential misuse of the email address used for this purpose.
After your confirmation, we will store the information you provide via the contact form until the purpose of your request has been fulfilled. We store the personal data stored in addition in accordance with para. 2 for a maximum of one month after receipt of the confirmation.
4.2. Newsletter
With your consent and by providing your email address, you can subscribe to our newsletter, with which we inform you about our ongoing interesting offers. The advertised goods and services are mentioned in the declaration of consent. To subscribe to the newsletter, you can enter your email address, your name, your address, the transport line you are possibly interested in and your customer number in the input field provided beforehand. Mandatory details to be provided are marked accordingly.
To register for our newsletter, we deploy the so-called double opt-in process. This means that after you have registered, we send you an email to the given email address in which we request a confirmation from you that you want to receive the newsletter. If you do not confirm your registration within 48 hours, your information is blocked and automatically deleted after one month. Furthermore, we always save the IP addresses used by you and the time of registration and confirmation. The purpose of the process is to verify your registration and if necessary, to be able to clarify a potential misuse of your personal data. After your confirmation of the newsletter order, we store the information you have provided in accordance with para. 2 for the purpose of sending the newsletter and proving potential misuse of your email address in accordance with para. 2.
Furthermore, we check access to the newsletter by attaching a so-called “web beacon” to each newsletter, i.e. a pixel-sized file that is retrieved from our server when the newsletter is opened. As part of your newsletter access, information is collected about the browser you are using, the ID of the click, which provides information about your email address and the specific e-mailing, your IP address or DNS name and the time of the access. This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behaviour based on their retrieval locations (which can be determined through the IP address) or the access times. The statistical surveys also include finding out things like whether newsletters are opened, when they are opened and which links are clicked. For technical reasons, it is possible to assign this information to individual newsletter recipients. However, it is not our intention to monitor individual users. The analyses serve us much more to identify the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
The legal basis for the processing of your personal data is the consent expressly given by you pursuant to Art. 6 (1) a of the GDPR and, with regard to the data processed pursuant to (2), our legitimate interest pursuant to Art. 6 (1) f of the GDPR in providing evidence of possible misuse of the e-mail address used for this purpose.
You can revoke your permission to have the newsletter sent at any time and unsubscribe from the newsletter. You can declare the revocation by clicking on the link which is provided in every newsletter email, by sending an email to marketing@rheinbahn.de, or by sending a message to the contact details given on the company information page.
Your email address will only be stored for sending the newsletter for the duration of your subscription of the newsletter. The other data stored in accordance with para. 1 will be deleted by us after a maximum of one month after you unsubscribe.
Recipients of the data processed in accordance with this provision are IT service providers (in particular hosters) with whom we have concluded corresponding commissioned data processing agreements in accordance with Art. 28 of the GDPR.
5. Security measures
We take organisational, contractual and technical security measures in accordance with the state of the art to ensure that the provisions of data protection law are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons.
The security measures especially include the encrypted transmission of data between your browser and our server.