Our data privacy statement contains explanations on the following subjects

• When does this data privacy statement apply?

  Our data privacy statement applies to anyone who makes use of one of our products or services, visits our websites or uses our apps. This includes: buying a ticket, including ancillary services, such as making a reservation, purchase of a customer card or use of our services. We are continually developing our performance, provision and services. As a result we also continuously adapt the data privacy statement. However, we shall ensure that the latest effective version is always available to you.

• Who is responsible for data processing?

  Rail Tours Touristik GmbH (Rail Tours) offers two product lines, namely Rail Tours Classic and MyRailTour (dynamic.railtours.at).

  Where the product Rail Tours Classic is concerned, Rail Tours Touristik GmbH FN [company registration number] 76787y, Am Hauptbahnhof 2, 1100 Vienna, tel. +43 (0)1 89930, is the sole controller under data protection law, as defined in Article 4(7) GDPR. In the case of the MyRailTour product, several independent controllers are involved in the processing and use of the data, namely all those companies that provide a certain part of the service in order to complete the entire dynamic offer. In particular Onlinetravel AG who combine the individual service parts (e.g. hotel, train ticket, admission tickets and vouchers for excursions) into a complete package and who supply specific software for this purpose to which the individual responsible persons are connected via specific interfaces. Providers of the individual service components would be, for example, Bedsonline S.L.U. for the various hotel services and the passenger transport companies providing the services, such as ÖBB-Personenverkehr AG or Deutsche Bahn AG.

  GDPR defines a controller as a natural person or legal entity, authority, institution or other body, which, on its own or in conjunction with others, decides on the purposes and means of processing personal data. Rail Tours Touristik GmbH (Rail Tours) offers two product lines, namely Rail Tours Classic and MyRailTour (dynamic.railtours.at). Where the product Rail Tours Classic is concerned, Rail Tours Touristik GmbH FN [company registration number] 76787y, Am Hauptbahnhof 2, 1100 Vienna, tel. +43 (0)1 89930, is the sole controller under data protection law, as defined in Article 4(7) GDPR. In the case of the MyRailTour product, several independent controllers are involved in the processing and use of the data, namely all those companies that provide a certain part of the service in order to complete the entire dynamic offer. In particular Onlinetravel AG who combine the individual service parts (e.g. hotel, train ticket, admission tickets and vouchers for excursions) into a complete package and who supply specific software for this purpose to which the individual responsible persons are connected via specific interfaces. Providers of the individual service components would be, for example, Bedsonline S.L.U. for the various hotel services and the passenger transport companies providing the services, such as ÖBB-Personenverkehr AG or Deutsche Bahn AG. GDPR defines a controller as a natural person or legal entity, authority, institution or other body, which, on its own or in conjunction with others, decides on the purposes and means of processing personal data.

• What do we mean by personal data?

  By personal data we mean all information relating to an identified or identifiable natural person (hereinafter “data subjects”).

  A natural person shall be regarded as identifiable if he or she can be directly or indirectly identified as this particular natural person, especially by means of allocation to an identifier, such as name, identification number, location data, online identification or several other special features in the particular individual case (e.g. voice). As a result, this includes data which can be assigned to you as a customer. For example your name, email address, phone number, booking code, ticket code or customer number constitute personal data.

• Causes, purposes and sources of personal data and our legal basis

  The legal basis for data processing under Article 6 GDPR consists of contractual performance, fulfilment of a statutory obligation, your prior consent or our prevailing legitimate interests, which may also include processing for other purposes.

  Data which can be assigned to your person may be derived from the following causes, purposes and sources:

  • If you book a trip on our two websites or make a booking request: You can book the product Rail Tours Classic via www.railtours.at, while the product MyRailTour can be booked via https ://dynamic.railtours.at
  • If you buy travel vouchers or order catalogues from us.
  • If you buy our products through one of our external sales partners, for example through a travel agency (e.g. Ruefa Reisen) or on the booking platform of one of our third-party sales partners (e.g. ÖAMTC).
  • If you submit an application for a complaint, reimbursement and/or compensation.
  • If there are outstanding debts which have not been paid by a customer.
  • If you contact us with any questions, requests, suggestions or other information (e.g. queries about the itinerary).
  • For statistical analyses and internal risk analyses, in order to improve our services or systems, whereby the findings of such analyses do not allow any conclusions to be drawn on your person.
  • In the event that it should become necessary to contact you (e.g. large-scale train cancellations or other disruptions such as route interruptions).
  • Direct marketing measures for existing customers.
  • If you have granted prior consent: to the electronic sending of offers and other general news about the ÖBB Group, its cooperating partners and information and recommendations adapted to you for the purposes of direct marketing.
  • Postal delivery of offers for customer acquisition, until you advise us that you do not wish to be sent such offers.
  • If you voluntarily take part in pilot projects, sweepstakes and other campaigns or in other customer loyalty programmes.
• Information of data subjects according to Articles 12 et seq. of the General Data Protection Regulation (GDPR)

  According to the provisions of Article 12 et seq. GDPR, we would like to inform you on the following topics:
  Rail Tours Touristik GmbH is the controller under data protection law, as defined in Article 4(7) GDPR.
  
  In the event of any questions on data protection or the use of your personal data, feel free to contact our data protection officers.
  Contact data for data protection officers:
  Rail Tours Touristik GmbH
  Am Hautbahnhof 2
  1100 Wien
  E-Mail: datenschutz.railtours@pv.oebb.at
  
  We will collect personal data ourselves, pursuant to Article 13 GDPR, in the following cases and for the following purposes:
  If:
  • you book the product Rail Tours Classic with us or one of our external sales partners or make a booking enquiry, order a catalogue or buy vouchers.
  • you submit any other application for a complaint, reimbursement, compensation or any other possible queries.
  • you take part in sweepstakes and other campaigns.
  • you take part in a customer survey.
  • you sign up for the newsletter.
  If the product in question is MyRailTour, you can make a booking with Onlinetravel AG via a link on our website. Onlinetravel AG will compile your personal travel package. In this case, Rail Tours Touristik GmbH becomes your tour operator.
  Data processing and the responsibility within the context of the booking, however, lies with Onlinetravel AG and the providers involved in the individual travel components, each of whom is to be qualified as an independent controller within the meaning of Article 4(7) GDPR.
  When a binding booking is made, Rail Tours Touristik GmbH will receive the personal data that it requires as tour operator for the purpose of executing the contract (e.g. travel dates and travel details, number of persons including names, address data, date of birth etc.). This data is transferred to Rail Tours Touristik GmbH’s processing systems and stored for the purpose of executing the contract.
  Data processed for these purposes shall be disclosed as required and according to the intended use to the following categories of recipients:
  To:
  - the responsible banking institution / payment service provider for the purpose of handling payments (for the purposes of executing the contract, Article 6(1) b) GDPR).
  - the assigned legal representative in the event of disputes under civil law (based on our legitimate interests in defending legal claims, Article 6(1) f) GDPR).
  - the locally competent administrative authority in the individual case (in particular tax authorities, Rundfunk und Telekom Regulierungs-GmbH or trade authorities) for the purposes of observing statutory regulations and rights, Article 6(1) c) GDPR.
  - the locally competent courts in the individual case or other competent authority in the individual case (based on our legitimate interests in the defence of legal claims, Article 6(1) f) GDPR).
  - the responsible contractual partners, which provide services related to a booked journey to the destination and/or at the destination itself (hotels, airline, partner railways, local organisers, etc.)
  - booking portals in order to provide dynamic travel offers
  - the visa-issuing authorities, as required in the course of long-distance journeys, whereby reference is made to the fact that we implement the service of data recording and transfer to the competent authority, as processor in the individual case, as defined in Article 28f GDPR. Visa and passport data are not automatically stored if procuring a visa forms part of the order placed by the data subject. Data are therefore generally stored by the competent visa-issuing authority as required, which assumes sole responsibility for the use of stored data.
  - the competent domestic and international partner railway in the individual case for handling the case of compensation or within the framework of an international journey (for the purpose of execution of the contract Article 6(1) b) GDPR).
  - the debt collection agency assigned by the controller for the recovery of outstanding debts based on our legitimate interests in the defence of legal claims, Article 6(1) f) GDPR.
  - the chartered accountant for the purpose of auditing (in order to observe statutory regulations, in particular applicable provisions of stock corporation law, Article 6(1) c) GDPR).
  - to our commissioned processors, if they process personal data on our behalf. (Based on our legitimate interests, in particular in improving, simplifying and maintaining our database systems or other cooperations, Article 6(1) f) GDPR).

  We therefore carry out data processing in particular based on the legal framework conditions summarized again below (as amended):
  - Trade Regulations (Gewerbeordnung) 1994
  - Directive (EU) 2015/2302 of the European Parliament and of the Council of 25 November 2015 on package travel and linked travel arrangements,
  - Federal Act on Package Travel and Linked Travel Arrangements (Package Travel Act, Pauschalreisegesetz)
  - General Civil Code for all German hereditary lands of the Austrian Monarchy
  - Telecommunications Act (Telekommunikationsgesetz) 2003
  - Federal Act on General Regulations and Procedures for Fees Administered by the Tax Authorities of the Federal Government, Regional States and Municipalities (Federal Fiscal Code, BAO)
  - Federal Act on Special Regulations of Civil Law for Companies (Austrian Commercial Code, UGB)
  f- General terms of use for our website and online purchasing.
  - EU Directive on Payment Services in the Internal Market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No. 1093/2010 and repealing Directive 2007/64/EC (PSD2)
  We shall not transmit personal data to a third country or an international organization.

  
  Storage period
  In general, personal data are only stored by us to the extent that is absolutely necessary and are essentially deleted following expiry of the statutory period of limitations under civil law of three years (e.g. customer correspondence) or in the event of invoice-relevant data after ten years (e.g. booked tickets, customer cards), according to § 212 UGB (Austrian Commercial Code) or §§ 132 et seq. BAO (Federal Fiscal Code). A longer storage period is only implemented in justified individual cases, for example as a result of an ongoing civil law or regulatory dispute.
  In particular we would like to highlight the following different subject areas:
  • In the event of invoice-related data based on booked trips, applications for reimbursement, a travel voucher or a catalogue order, this data is stored for ten years.
  
  • Otherwise we save data that can be assigned to you for a period of three years, such as customer correspondence, use of other services, merely taking part in sweepstakes, campaigns or customer surveys.
  
  • If you have registered specifically for catalogue orders with postal delivery. In the event of unsubscribing, such data will still be stored for a period of three years. In case you have selected electronic catalogue mailing via the bookmark function, these data will be deleted within 24 hours.
  
  • Withdrawal of a declaration of consent or assertion of an objection to direct marketing according to Article 21f GDPR (blacklist): this information cannot be deleted, especially as it is kept as a negative list, thereby ensuring that you will not receive any advertising offers from us.
  
  Your Rights
  (1) Rights of data subjects
  As the data subject in the individual case, you are entitled to assert the following rights of data subjects with us if we are the controller for the data processing:
  
  a. Right of access (Article 15 GDPR)
  You have the right to demand information on which personal data are collected about you and held by us.
  
  b. Right to rectification and deletion (Article 16 GDPR)
  You have the right to rectify any incorrect data concerning your person (e.g. spelling mistakes).
  
  c. Right to erasure (Article 17 GDPR)
  You have the right for personal data to be deleted, provided such deletion is covered by the cases set out in Article 17 GDPR, for example if we were to wrongfully process data.
  
  d. Right to restriction (Article 18 GDPR)
  You have the right of a data subject to demand that the controller restrict the processing of personal data about you if the requirements under Article 18 GDPR are present.
  
  e. Right to data portability (Article 20 GDPR)
  You have the right of a data subject to receive the data provided by you in an interoperable format.
  
  f. Right to object (Article 21 GDPR)
  You have the right of a data subject to raise an objection to data processing, provided the requirements of Article 21 GDPR are present.
  
  If you wish to assert a right of the data subject, please contact us. The following contact options are available:
  
  Contact data:
  Rail Tours Touristik GmbH
  Am Hautbahnhof 2
  1100 Wien
  E-Mail: datenschutz.railtours@pv.oebb.at
  
  Please attach the following information to your application:
  • Copy/scan of an official photo ID, indicating your date of birth (e.g. identity card, driving licence or passport); and
  $bull; in the event of an existing customer account, your registered email address.
  This is because before we can reply to your request or make the necessary arrangements, we have to check your identity. The purpose of this identity check is to enable us to establish your actual capacity as a data subject, in order to ensure that personal data are not disclosed to unauthorized third parties (risk of misuse).
  
  Once we have received your request and you have proven your identity, we will respond to your request within four weeks. In the event that we have specific questions as part of the reply, we will contact you and ask you to cooperate and assist.
  
  (2) Complaints
  Furthermore, you have the right to submit a complaint to the data protection authority, according to §§ 24 et seq. DSG [Data Protection Act] and Article 77 et seq. GDPR if you believe that we have breached obligations under the General Data Protection Regulation.
  
  Contact data:
  Österreichische Datenschutzbehörde,
  1030 Wien, Barichgasse 40-42
  Telefon: +43 1 52 152-0
  E-Mail: dsb@dsb.gv.at
  www.dsb.gv.at
  
  (3) Withdrawal of consent
  If you have consented to your data being processed for a specific purpose, you have the right to withdraw your consent at any time, without indicating reasons. We have described the method for exercising the right of withdrawal in the Chapter “Direct marketing - general and personalized advertising offers”.

• Which personal data are essentially relevant if you book a trip with us, purchase a travel voucher or a catalogue?

  With regard to your person, we essentially store the following data:

  First and last name of all persons travelling

  Address data

  Telephone number / email address

  All data relevant to the booked trip

  Date of birth if disclosed to us or if required for our products and services. If you store children as passengers, we will always ask for the date of birth. Given that the age limits are different for our contractual partners, this is the only way we can present you with the right offer.

  Discount cards that you have disclosed to us.

  If you have a family discount card, we store this so that we can take family discounts into account for your next trip.

  Passenger (adult/child/adolescent) Information on any mobility restrictions, if you wish to save such information.

• Direct marketing - general and personalized advertising offers

  We use personal data in order to allow general information, offers and recommendations to be forwarded to you by our company or our cooperating partners. However, this is only the case if you grant your consent in advance to let us contact you by email, telephone, SMS or other channels in order to inform you in a timely manner about interesting offers, new developments and services.

  Your personal data will exclusively be used by us and not transferred to cooperating partners or other affiliated companies.

  Depending on the content of the consent granted by you, you will receive offers and other information from us concerning our services and also from the ÖBB Group, i.e. including other affiliated companies and our other cooperation partners.

  You are entitled to revoke your consent at any time, without indicating reasons. In this case we will not send you any offers or information by email or SMS or contact you by phone for this purpose.

  • In case of a newsletter, please click on the unsubscribe link and we will then no longer send you any emails. Activation of revocation may take up to 24 hours to be completed in the systems.

  • In all other cases please make use of the following email address:

  If you do not wish to be included in our direct marketing activities, you have the right to file an objection thereto (Article 21(2) and Article 22 GDPR).

• Anonymized data analyses

  Statistical analyses shall be conducted for the following purposes in particular: • Are functions used regularly in our software? This allows us to check on whether specific functions are important for users of our website.
  • Which trips are being booked preferentially? This allows us to check on whether our product portfolio meets the demands of our customers.
  • Does navigation comply with the behaviour of software users? This allows us to check on whether we can design the purchase process more acceptably for our customers.
  We also create anonymized data analyses, in which we evaluate personal data and information about age, gender, region, postcode, products, driving, purchase and user behaviour, in order to draw conclusions on the development of new products and services or to improve our existing service portfolio.

• Market and opinion research, customer surveys

  In order to improve our products and services and adapt them to customer requirements, we conduct surveys with different target groups: on the one hand with people who do not use the train and on the other hand with people who use a railway operator (irrespective of which) or people who use ÖBB. We thereby commission market research companies or conduct the surveys ourselves. Persons to be surveyed can be selected either completely randomly or based on social statistics or usage-specific factors. Contact with participants can be implemented via the pools of respondents for market research companies ‒ carried out without our input at the sole responsibility of partner operators. Or we invite interested persons in general, without individually addressing participation in the survey. In case of specific survey topics we also address customers of ÖBB PV AG. Establishing personal reference is not intended for any surveys. All surveys are conducted completely anonymously. This is true even if we write to you directly as customer or you have declared your consent in advance to participate in a survey. We only receive or compile an overall evaluation of data, which do not show individual interviews or persons. If we address our customers directly, we will then exclusively contact people who have given consent thereto. Should we conduct the survey in cooperation with a market research company in specific cases, we shall conclude a separate confidentiality agreement with said company in advance of a customer survey, laying down the secure handling of your data specifically for the individual case. In particular this Agreement shall ensure that the company will not transfer your data to other market research institutions and other third parties for surveys for their own purposes. In any case you are not obliged to take part in any of our customer surveys.

  Usability tests If you apply as a test user, you can take part in usability tests conducted by our company for the further development and improvement of our ticket and timetable tools. Each test is subject to separate conditions of participation (see website). In this case we will contact you as a possible test user and request your participation in future tests. Naturally your participation in each individual test is voluntary. You are entitled to revoke your consent at any time and declare that you no longer want to be contacted for further tests.
• Cookies, web analysis and social media

  Use of cookies

  Cookies are small text files or codes, which contain information units. These text files are stored on your hard drive or in the main memory of your browser if you visit one of our websites. Thanks to cookies, the contents of our websites can be structured more easily and devices on which you have previously visited our websites can be identified. We use cookies to gain a better understanding of the functioning of applications and websites and to analyse and optimize the user experience when using our websites online and on mobile devices.
  Cookie categories
  We primarily use cookies from the following categories on our websites:
  Operationally necessary cookies
  These cookies are necessary to allow you to use our websites as intended and make all functions available to you. Without such cookies the requested services cannot be provided. These cookies do not record information about you and do not store Internet locations. Absolutely necessary cookies cannot be deactivated on our site. However, they can be deactivated at any time on the browser that you use.
  Functional cookies
  These cookies are necessary for certain applications or functions of the website, allowing them to be duly executed. This may for example include cookies, which store implemented settings such as a visitor’s language setting or even – assuming your prior consent – pre-completed forms. Storage period: in the event of a session cookie for the period of the session, or in the event of your prior consent for the period of your consent.
  Analytical cookies
  These cookies collect information on user behaviour for visitors to our websites. For example, a record is kept of which websites are most frequently visited and which links are clicked on. All recorded data are stored anonymously with information for other visitors. Using data obtained by these cookies, we can compile analytical evaluations on our website using Piwik and thereby continually improve the user experience. Storage period: in the event of a session cookie for the period of the session, in all other cases (for example for our web analysis service PIWIK) for a maximum three years.
  How long are cookies stored on my device?
  The time that a cookie stays on your device depends on whether it is a persistent cookie or a session cookie. Session cookies only remain on your device until your browser session is finished. Persistent cookies remain stored on your device, even after you have completed a browser session, until such time as the preset time for the cookie has expired or it has been deleted.

  
  Web analysis MATOMO
  Our websites and digital dialogue with our customers (e.g. newsletter) use Matomo, a web analysis service. Matomo uses cookies, which allow us to conduct an analysis of the use of our websites.
  For this purpose, usage information generated by the cookie (including your abbreviated IP address) will be transferred to our server and stored for usage analysis purposes, which on our part serves for website optimization. Your IP address is immediately anonymized in this operation, meaning that you remain anonymous to us.
  Information generated by cookies on the use of our websites shall not be transferred to third parties.
  You can prevent the use of cookies through an appropriate setting in your browser software. However, in this case it may happen that not all functions of our websites can be used in full. If you do not agree to the storage and evaluation of data in relation to your visit and the use of our websites, storage and usage may be objected to at any time (see terms of use for the website www.oebb.at). In this case a so-called opt-out cookie is stored in your browser, resulting in Matomo not collecting session data.
  For technical reasons, specific data and information must be collected and stored for visits to our websites, e.g. websites used, time and duration of visit and data made available by the used browser (e.g. on the operating system and used system settings). We use such data and information anonymously in order to design our offer in a user-friendly way and technically optimize our offer.
  Should you provide personal data or information on our websites, we can continue to use such data or information without your further consent. Use for advertising or marketing purposes, or transfer to third parties, which requires your separate prior consent, shall be exempt from this. We will separately inform you about any communications to other ÖBB affiliated companies (e.g. in the event of a concern, complaint, etc.).
  Should you access the abovementioned offers on our websites or switch to these websites, we will share data provided by the browser with such operators. We are generally not responsible for contents offered on these external sites, both with regard to data protection and to the technical security of the data and information provided. Please note in this context that external providers use technologies for personalization of advertising. If we provide a contact option through an input screen on our website, this communication is encrypted on the https protocol. Please note that the confidentiality of other communications on the Internet, in particular via email, is not guaranteed, and we therefore recommend not transmitting confidential data and information by email.

  
  Social media plugins
  We have embedded contents from external providers, such as Facebook, youtube, Twitter, on individual websites or we will transfer you to the websites of external providers. We could not identify any legal violations at the time of linking. When disclosing such a legal violation, we will immediately remove the link. In order to be able to recommend and share contents in social networks, for example Facebook, Twitter and Google+, corresponding buttons are integrated into the platform.
  These buttons only transfer data to external providers or other third parties if you press the corresponding button as participant. We have prevented an immediate transfer of data to external providers or other third parties in case of mere access to our websites. As a result, it is completely up to you to activate transfer in the individual case.

• How we protect your data

  By information security we mean:
  • confidentiality of data;
  • data integrity; and
  • data availability.
  In order to guarantee information security, we have established organizational framework conditions and protective measures, which conform to the latest technology.
  This includes:
  • load distribution;
  • firewalls;
  • encryption;
  • security tests;
  • system reviews;
  and • ongoing monitoring.
  Access rights are only granted to our employees in the absolutely necessary extent, specifically to the role. The use of such access rights is recorded.
  Your data shall be protected by a secure online connection (TLS) between your PC and our servers, depending on the browser configuration, with at least 128 Bits.

• Use of processors

  By processors we mean our contractual partners, who process personal data on our behalf (example: maintenance of our databases).
  We currently employ processors for the following activities:
  • for the dispatch of travel vouchers,
  • for the maintenance and operation of our website,
  • for the operation and maintenance of our customer databases,
  • for postal dispatch as well as • for the provision of other services via our sales partners.

  We use contract processors only for data processing that we have lawfully carried out. We always satisfy ourselves in advance that the individual processor is suitable for the provision of services, in particular that it offers sufficient guarantees for the lawful and secure use of data.
  The contract processors selected by us receive personal data from us only to the extent absolutely necessary.
  Our contract processors have contractually committed themselves to store personal data
  - to be used exclusively for the purpose of the order,
  - according to the purpose of the respective order,
  - not to be passed on to third parties,
  - not to use it for own purposes and
  - to comply with the new obligations under the basic data protection regulation (e.g. keeping a register of processing activities, conducting a data protection impact assessment when necessary, etc.)
  Before employing a processor, we will conclude a written agreement with the processor, in which in particular the processor and his employees will be subject to special obligations and will again be separately bound to confidentiality. We impose certain data security measures on the processor in order to ensure that customer data and data processing are adequately protected.