Data protection regulations for Rheinbahn App and OnlineShop

We would like to inform you below about the processing of your personal data according to Art. 4 no. 1 GDPR in conjunction with use of our Rheinbahn App Shop to purchase tickets in the Rheinbahn App and Rheinbahn OnlineShop and explain to you your rights according to the General Data Protection Regulation (hereinafter known as “GDPR”) and the German Data Protection Act (hereinafter known as “BDSG”). The terms used are not gender-specific.

I. Who is responsible for your data?

Rheinbahn AG
Lierenfelder Straße 42
40231 Düsseldorf
Telephone: 0211 582-01
Telefax: 0211 582-1855
Email: rheinbahn@rheinbahn.de
Internet: www.rheinbahn.de

Data Protection Officer:

Company Data Protection Officer
c/o Rheinbahn AG
Lierenfelder Straße 42
40231 Düsseldorf
Telephone: 0211 582-01
Telefax: 0211 582-4466
Email: datenschutzbeauftragter@rheinbahn.de

II. What kind of data do we process on your behalf and for what purposes do we use it?

We process your personal data in accordance with the regulations of GDPR and BDSG. The nature of the data processed and the way in which it is used is based largely on the respective services you use. You will find below an overview of the individual purposes and the legal bases of the respective processing:

1. Registration
The Rheinbahn App Shop is linked to Rheinbahn’s single sign on service so that customers are registered and enrolled and data stored there is transmitted to the Rheinbahn App Shop. The following data is transmitted:

  • First name
  • Surname
  • Email address

More information on the processing of your data in conjunction with this can be found here in the data protection information for “My Rheinbahn”.

You are registered with the Rheinbahn App shop user account after signing up via “My Rheinbahn”. We store your first name, surname, email address, date and time of registration, login sessions, consent to General Terms and Conditions of the Rheinbahn App Shop, consent to these data protection regulations and, if requested, to marketing and advertising.

Data is processed for registration on the basis of Art. 6 Section 1 lit. b GDPR.

2.1 Ticket sales

If you use local transport services, you can choose digitally between various types of tickets. These include electronic tickets according to the respectively valid fares and price structures. You can order these tickets using the Rheinbahn App Shop. Alternatively, you can use the new eezy-tariffs via the app. These fares enable you to check in and check out easily with your smartphone. In this case, the fare is calculated as the crow flies between the start and destination of the journey. You will find information below on the processing of your data in conjunction with ordering electronic tickets using the Rheinbahn App Shop and purchasing tickets using the eezy tariffs. In order to record and process your order for tickets, we collect the following additional data from you as part of the ordering process:

  • Full address
  • Date of birth

Depending on the selected method of payment the following data is also collected and processed in addition by the payment provider:

  • Desired method of payment
  • Account details with IBAN (for SEPA direct debit procedure)
  • Credit card data (for credit card payment)

2.2 Logpay

We forward your personal data (first name, surname, date of birth, address, email address, account details, credit card data, where required telephone number and data regarding your respective purchases) and all amendments to LogPay Financial Services GmbH for the purposes of selling and assigning our claims against you that arise in conjunction with your purchase, rental or booking. This is based on Art. 6 Section 1 Sentence 1 (f) GDPR. The legitimate interest on our part is the outsourcing of payment processing and receivables management, the assessment of the admissibility of payment methods and the avoidance of payment defaults. You can object to the transmission of this data to LogPay Financial Services GmbH at any time. However, in this event, it is not possible to place another order using the electronic distribution channel. You can find LogPay Financial Services GmbH’s data protection information at

https://documents.logpay.de/de/datenschutzinformationen.pdf

Moreover, we process your personal data which we obtain from LogPay Financial Services GmbH (information on the decision whether to acquire the receivable).

In the event of processing personal data for the fulfilment of tasks in the public interest (Art. 6 Section 1 P. 1 lit. e GDPR) or the fulfilment of legitimate interests (Art. 6 Section 1 P. 1 lit. f GDPR), you can object to the processing of your personal data at any time and with effect for the future. In the event of an objection, we must refrain from any further processing of your data for the above-specified purposes, unless,

  • there are compelling legitimate grounds for processing which override your interests, rights and freedoms,
  • or processing is necessary for the establishment, exercise or defence of legal claims.

2.3 PayPal

We also use the financial service provider PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. Registration is direct with PayPal. Personal data is processed by PayPal as its own data controller. No registration for the single sign on service (My Rheinbahn) is required to use the “Direct to PayPal” button. Your personal data is processed within the context of the order process to fulfil the contract with you according to Art. 6 Section 1 lit. b GDPR.

2.4 Assessing and invoicing of fares using the eezy tariffs

If you use the eezy tariffs in the app, you receive a corresponding travel authorisation at check in. The specific fare is invoiced using the (assisted) check out. To assess the fare there is a requirement for your travel data to be collected for the duration of the journey and for the corresponding travel route to be mapped. Your travel data includes location and movement data (check in time, check in station, check out time, check out station, no. of kilometres, time, waypoints (station, arrival, departure)), additional travel data (journey ID, journey date, journey status, accompanying children, accompanying bicycles, class) and also order and invoicing data additionally provided by the system (order ID, order status, fare, discount level, price level cap, 24-hour cap, 30-day cap, basis price, total amount, customer contract partner). The above-mentioned data is recorded primarily via the GPS and Bluetooth signals of your mobile end device. The travel route created on the basis of the journey data consists of the initial boarding stop after check in, stations travelled through and stations where you have changed trains, the last exit stop before check out, and also the lines used. The journey price is actually assessed by assigning the travel route to the respectively applicable fare regulations of the individual transport companies and fare organisations. When determining the fare to be paid, your stored master data and contact details lodged at the time of registration are used again (see 2.3). Your personal data is processed within the context of using the eezy tariffs to fulfil the contract with you according to Art. 6 Section 1 lit. b GDPR.

2.5 Data processing for revenue distribution

On the basis of mutual contracts, the participating transport companies may sell tickets from other fare zones and other transport areas in their own name and for their own account. In this way, the selling transport companies assume the role of customer contract partners. To ensure that the transport companies providing the physical transport service receive revenue in proportion with the service provided, a revenue split is required. Data processing is based on Art. 6 Section 1 Sentence 1 lit. f GDPR. For this purpose, data is transmitted for sales within the framework of the eTariffs of the individual associations, by Rheinbahn to VRR, VRS, AVV and ZWL, as these companies carry out revenue allocation in their respective areas of responsibility. To this end, contracts on joint responsibility were concluded according to Art. 26 GDPR between VRR, VRS, AVV and ZWL and Rheinbahn. For journeys covering several fare zones (eTarif NRW), KCM (Kompetenzcenter Marketing), as specialist department of VRS (Verkehrsverbund Rhein-Sieg) takes over revenue distribution. For this purpose, Rheinbahn transmits data on sales to KCM which distributes the revenue for journeys across the fare zones. To this end, a contract for joint responsibility according to Art. 26 GDPR was concluded between KCM and Rheinbahn.

2.6 Data processing for revenue offsetting

Due to the structure of the eTariff, there is a financial shortfall in relation to the existing traditional fare structure. The transport company has a legitimate interest in offsetting this shortfall by the public sector. Data is transmitted to carry out the calculations required. The processing of data is based on Art. 6 Section 1 Sentence 1 lit. f GDPR. Data may be transmitted to the following partners:

Verkehrsverbund Rhein-Ruhr AöR (VRR)
Augustastraße 1
45879 Gelsenkirchen
info@vrr.de
Telephone +49 209 15840

Verkehrsverbund Rhein-Sieg GmbH (VRS)
Kompetenzcenter Marketing NRW (KCM)
Glockengasse 37 – 39
50667 Köln
info@vrs.de or kcm-nrw@vrs.de
Telephone +49 221 208080

Aachener Verkehrsverbund GmbH (AVV)
Neuköllner Straße 1
52068 Aachen
info@avv.de
Telephone +49 241 968970

WestfalenTarif GmbH (ZWL)
Willy-Brandt-Platz 2
36602 Bielefeld
info@westfalentarif.de
Telephone +49 521 55766644

2.7 Data processing for fare control and fare calculation

The NRW eTariff and the VRR, VRS, AVV and ZWL eTariffs are an additional product across the entire ticket portfolio of VRR / the transport associations in NRW. Fares are controlled comprehensively to analyse commercially the impact of these fares on the other fares and the fare landscape. To this end, invoicing data is transmitted to VRR, VRS, AVV and ZWL for the monitoring of eTariffs in the associations and to KCM for monitoring the NRW eTariff. Fare monitoring is the basis for the fare calculation. Data processing is based on Art. 6 Section 1 Sentence 1 lit. f GDPR. The data transmitted does not include any personal master data. Due to the transmission of customer ID and the time-space references of the journeys, re-personalisation can occur when this data is merged with the invoicing data and the personal master data stored by the transport companies. Due to this re-personalisation, a temporal and spatial movement profile of all journeys made by the customer can be created in a personalised way. To prevent this, the datasets of VRR, VRS, AVV, ZWL and KCM are strictly separated from the datasets of the transport companies where the personal master data is processed.

2.8 Analysis

In addition, from 1 October 2024, personal data will be used on the basis of our legitimate interest to conduct market research and improve our offers and services. This processing of your data is carried out on the basis of Art. 6 para. 1 lit. f GDPR.

2.9 Ticket Generation

The tickets (barcodes) are generated by Rheinbahn and can be provided as a PDF, Wallet file (pkpass), or directly within the Rheinbahn app.

If you are using a device with the iOS (Apple) or Android (Google) operating system, you can also store the ticket in the Apple or Google Wallet of your device. When doing so, the following data is transmitted along with the ticket to the respective Apple or Google Wallet:

  • First and last name

  • Date of birth

  • Ticket validity period (start and end date)

  • Ticket type

  • Fare zone

  • Ticket ID

  • Additional services (fare class and travel companion options)

If you wish to store the ticket in Apple Wallet, you must manually transfer it from the app into the Wallet. This transfer of the ticket into Apple Wallet occurs locally on your device, as do any necessary updates. Tickets stored in Apple Wallet must be manually deleted by you; the app has no access to them.

If you want the ticket to also be displayed on additional iOS devices via Apple Wallet, the ticket data will be transferred via iCloud to those devices (e.g., Apple Watch). This function must be activated on the device beforehand.

As part of storing the ticket data in iCloud, encrypted data is transmitted to involved subprocessors in third countries. However, according to information provided by Apple regarding iCloud, these subprocessors do not receive the decryption key. Further information on Apple Wallet can be found at https://support.apple.com/de-de/HT204003.

If you wish to store the ticket in Google Wallet, the necessary data will be forwarded to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland upon your confirmation.

In this case, Google acts as an independent data controller for the storage and display of the ticket in Google Wallet with regard to the data transmitted to it. Further information about data processing can be found at https://policies.google.com/privacy?hl=de. We have no influence over Google's data processing. Further information on Google Wallet is available at https://wallet.google/intl/de_de/.

3. Access data

To ensure that our app is presented to you in as effective a way as possible and to guarantee stability and security, we collect the following data on every visit which your end device automatically transmits to us: IP address, operating system used, referrer URL, time of server request. The IP address is deleted after no later than one month from all systems which are used in conjunction with operation of the app. Processing of the above personal data is based on our legitimate interest according to Art. Section 1 (f) GDPR.

4. Contacting us

In order to be able to process your contact with us by email or via a contact form, we process your email address and, if specified by you, your name and telephone number and some other information notified to us by you. The processing of this personal data is based on the legal principles of Art. 6 Section 1 lit. b GDPR, if there is communication in conjunction with carrying out your ticket purchase. Processing for other communications occurs on the basis of our legitimate interest according to Art. 6 Section 1 lit. f GDPR.

5.1 Local data processing in the app for users without a Rheinbahn App Shop account

To offer our services via the app, some of your personal data is also stored locally in the app. According to the functionality of the app you use, the following data is stored locally in the app: history of the points entered, history of the connections entered, specific conditions of the app, specific content retrieved from the timetable information server, (e.g. ticket tiles), and travel authorisation.

The GPS position is not stored but is sent once to the timetable information server when timetable information is provided to enable an address for calculating timetable information. Processing of locally stored data is based on our legitimate interest according to Art. 6 Section 1 (f) GDPR to provide you with a functional and user-friendly app. The data stored in the local app storage of the app can be deleted by you by opening the menu and clicking delete map data and history under settings.

5.2 Data processing in the app for registered users with a Rheinbahn App Shop account

The following settings and information are saved in your Rheinbahn App Shop account and are therefore available to you again when you log in with the same account after changing your mobile device:

  • Environmental balance (CO2 savings, value in grams)
  • Connection favorites (start and destination in combination)
  • Location favorites (stops, points of interest, addresses)
  • Line favorites (line number)
  • Ticket favorites (product ID and name)
  • (de-)activated transport filters (in the departure monitor and fault reports)
  • App settings (timetable information settings such as (de-)activated modes of transport, connection type, walking options, accessibility settings, the desired home page of the app, consent to usage statistics yes or no, favorite language)
  • Push message notification
  • Navigation adjustments at the bottom of the menu (position)
  • Dashboard tiles (position and configuration)

Deleting a favorite (yellow star icon active) is done using the respective delete function of a list entry (on iOS: swipe gesture on the entry to the left, Android: hold down on the entry for more options)

6. Tracking

We use Google Firebase, a cloud platform for Google app developers (service provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, or Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). Regarding the services used, we have concluded an agreement with Google on order processing according to Art. 28 GDPR. You can find more information on Google Firebase and Google’s data protection regulations at the following external link: https://firebase.google.com/terms/crashlytics-app-distribution-data-processing-terms. We use the following functions for Google Firebase:

Firebase Crashlytics
We use Firebase Crashlytics to improve our app by evaluating anonymised and aggregated crash reports. To provide us with anonymised crash reports, Firebase Crashlytics records information in the event of a crash or malfunction and transmits this to Google servers in the USA (condition of the app at the time of the crash, UUID installation, crash trace, manufacturer and operating system of the mobile device, last log notices, time and duration of fault, nature of fault, functions of the app used at the time of the fault). We use Google Firebase without cross-device tracking of users (user ID) and without activating the target group option for (re)marketing purposes. We have also deactivated the product link so that the data collected is not shared with other Google services. We have also deactivated data sharing with Google, so that Google can only use the data collected to provide utilisation reports. The processing of personal data in conjunction with Google Firebase is based on our legitimate interest according to Art. 6 Section 1 (f) GDPR.


  • Matomo
    To further develop and improve the Rheinbahn App, the usage data of the Rheinbahn App is evaluated without attribution to individuals (anonymised). For example, certain click paths are analysed when operating the app and using services to improve the user-friendliness of the app. Usage data is pseudonymised for analysis so that it cannot be attributed directly to individuals. Any additional analyses are only carried out with completely anonymised data which cannot be attributed to individuals. We use the services of the provider Matomo (formerly Piwik) for the analysis. The data is not forwarded to Matomo. You may withdraw your consent subsequently at any time using the app (in Settings) or reactivate it. https://matomo.org/privacy-policy/
    The legal basis for data processing is Art. 6 Section 1 (f) GDPR.

7. Other purposes

In addition to the above-mentioned processing purposes, we also process your personal data for the following purposes:

  • To comply with our statutory retention obligations or obligations under data protection law. This processing is based on the legal principle of Art. 6 Section 1 (c) GDPR.
  • To exercise any legal claims or to defend ourselves against claims. This processing is based on the legal principle of Art. 6 Section 1 (f) GDPR.
  • To answer and comply with official requests. This processing is based on the legal principle of Art. 6 Section 1 (c) GDPR.

8. Information use

For use of the Rheinbahn App for information purposes (i.e. without registration), the following personal data is collected. This is required to enable use of the Rheinbahn App. This data includes:

  • IP address
  • Date and time of query
  • Amount of data transferred in each case
  • Information regarding interactions with Rheinbahn App such as selected content (e.g. selected start, destination, etc.)
  • Settings in the timetable information
  • Any other queries (weather etc.)

This personal data which is collected automatically is processed by us to ensure a functional, stable app, optimisation of the app and to guarantee the security of technical information systems. Data is processed for information use on the basis of Art. 6 Section 1 (f) GDPR.

III. Do you have an obligation to provide data?

When you use our app, your user data is automatically transmitted by your browser. It is not possible to provide our app for you without this technical data. For services offered such as ticket sales, or to get in contact with us, you must provide the data required or which we are legally required to collect. Without this data we are unable to offer the corresponding service.

IV. For how long do we store your data?

We will only keep your data for as long as is required to fulfil the purposes set out above. Moreover, we are subject to various storage and documentation obligations based on the German Commercial Code (HGB) and the Tax Code (AO). The periods specified for storing of documentation are up to ten years. Finally, the storage period is also assessed according to the statutory limitation periods which are, for example, up to thirty years according to §§ 195 ff. of the German Civil Code (BGB), whereby the regular statutory limitation period is three years.

Information on deletion of your data can be found in data protection information for “My Rheinbahn” here

If you wish to delete your Rheinbahn App Shop account and My Rheinbahn account, please contact the email address specified there.

V. To what extent is there automated decision-making including profiling in individual cases?

When you use our app and our ticket shop, there is no automatic decision-making according to Art. 22 GDPR.

VI. To whom do we transmit your data?

We use external service providers to fulfil our services which process your data on our behalf. These include companies in the following categories. Regarding the specific recipients, we refer to the information on purposes of data processing in II.

  • Technical service providers for the operation and maintenance of our IT
  • Marketing service providers for our advertising activities
  • Market research organisations

Moreover, we also forward your data to other third parties who process your data under their own responsibility. These include companies in the following categories. With regard to specific recipients, we refer to the information on the purposes of data processing in II.

  • Payment service providers in so far as they are required in the context of order processing.
  • Authorities or other government institutions in so far as is legally required.

VII. What data do we process under joint responsibility?

Within the context of provision of the Rheinbahn App Shop, we work with various cooperation partners who are jointly responsible with us for processing your personal data (Art. 26 GDPR). This regards processing your personal data in conjunction with:

1. Market research (Section II. 8.).

The joint responsibility in conjunction with market research relates to the following tariff organisations in NRW:

  • Verkehrsverbund Rhein-Sieg GmbH (Kompetenzcenter Marketing NRW), Glockengasse 37-39, 50667 Köln
  • Verkehrsverbund Rhein-Ruhr AöR, Augustastraße 1, 45879 Gelsenkirchen

The respective transport companies and distribution service providers which offer and distribute transport services in NRW, in so far as they provide personal data to market research to the above-mentioned tariff organisations.

2. Data processing for revenue sharing, revenue equalisation and tariff control and tariff calculation (Section II.2.5, II.2.6, II.2.7).

Joint responsibility in conjunction with this relates to the following cooperation partners:

  • Verkehrsverbund Rhein-Ruhr AöR (VRR), Augustastraße 1, 45879 Gelsenkirchen, info@vrr.de, Telephone +49 209 15840
  • Verkehrsverbund Rhein-Sieg GmbH (VRS), Kompetenzcenter Marketing NRW (KCM), Glockengasse 37-39, 50667 Köln, info@vrs.de or kcm-nrw@vrs.de, Telephone +49 221 208080
  • Aachener Verkehrsverbund GmbH (AVV), Neuköllner Straße 1, 52068 Aachen, info@avv.de, Telephone +49 241 968970
  • WestfalenTarif GmbH (ZWL), Willy-Brandt-Platz 2, 36602 Bielefeld, info@westfalentarif.de, Telephone +49 521 55766644
  • Verkehrsverbund Rhein-Sieg GmbH (Kompetenzcenter Marketing NRW), Glockengasse 37-39, 50667 Köln

We and our cooperation partners have come to an agreement as to who will fulfil which obligations according to GDPR. Parties fulfil the data protection obligations as follows:

We and our cooperation partners make accessible to the persons concerned the information required according to Art. 13 and 14 GDPR in a precise, transparent, comprehensible and easily accessible form in clear and simple language free of charge in their data protection declarations. Each party shall provide the other party with all necessary information from its sphere of activity.

We and the cooperation partners inform one another immediately about legal positions asserted by affected parties. They provide one another with all necessary information for answering questions regarding the persons concerned.

You are free to decide whether you assert your data protection rights with us or with a cooperation partner, in so far as they affect processing which is in our joint sphere of responsibility. Data subjects generally obtain information from the body to which the rights were asserted.

VIII. Will your data be transferred to recipients in a third-party country?

We transfer your tracking data indicated in II.6 to the USA. Please note that in the USA, no data protection level exists which is comparable to that of the EU/European Economic Area and thus it cannot be completely ruled out that your data may be potentially disclosed to government authorities without adequate means of redress. Your other personal data is not transferred to any countries outside the EEA.

IX. What are your rights as a data subject?

As a data subject, you can assert the following rights against us at any time. Kindly refer to the contact data specified in Section I.

a) Revocation of your consent to data processing

In so far as we process your data on the basis of your consent, you may revoke this consent at any time in the future. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

b) Right to data portability
You can have your personal data which we process automatically on the basis of your consent or in fulfilment of a contract with you, handed over to you or to a third party in a common, machine-readable format. If you require direct transfer of data to another data controller, this can only occur in so far as it is technically feasible.

c) Right to information
You have the right to information regarding your personal data stored with us at any time, and also, if required, a copy of this data.

d) Right to correction
You have the right to request the immediate correction of your personal data stored by us if this data is inaccurate or incomplete.

e) Right to deletion
According to the current legal provisions, you have the right to ask us to delete your personal data stored with us.

f) Right to restriction of processing
Under the legal requirements, you have the right to require us to restrict the processing of your personal data.

g) Right of objection
You have the right, for reasons arising from your specific situation, to object at any time to the processing of your personal data occurring as a result of Art. 6 Section 1 (f) of GDPR (data processing on the basis of a balancing of interests); this also applies to profiling based on this regulation according to Art. 4 Section 4 GDPR. If you object, we will no longer process your data, unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims. Moreover, you have a right of complaint to the competent data protection supervisory authority according to Art. 77 GDPR, if you think that your data is not being processed legally. The right of complaint exists without prejudice to any other administrative or judicial remedy. The address of our competent data protection supervisory authority is:

Landesbeauftragte für Datenschutz und Informationsfreiheit NRW, Kavalleriestr. 2-4, 40213 Düsseldorf, Germany, Tel.: 0211/38424-0, Fax: 0211/38424-10, E-Mail: poststelle@ldi.nrw.de

X. Amendment of this data protection notice

We revise this data protection notice in the event of changes to the app or in other circumstances which make this necessary. You can always find the respective current version in the app.