Privacy statement for subscription sales

DB Vertrieb GmbH, Europa-Allee 70 - 76, 60486 Frankfurt am Main, Germany, is responsible for collecting and processing your data.

The appointed data protection officer is Dr Marein Müller.

If you have any questions or suggestions regarding data protection in relation to our subscription sales, please contact us using the subject "Subscription":

DB Vertrieb GmbH
Subscription Sales
Postfach 800 250
21002 Hamburg, Germany

p.d-datenschutz@deutschebahn.com

What data do we collect, how do we collect it and why do we process it?
We collect and process your data only for specific purposes. These purposes may relate to contractual obligations or specific user requests.

To fulfil a contract, we require you to provide us with personal data. This data is needed to book tickets, settle payments, check creditworthiness, make a postal delivery if necessary to the specified address and to perform cancellations and reimbursements.

This applies in the following cases:

Booking a subscription ticket
To order a subscription ticket, we require the following data from you:

• Title, surname, first name
• Date of birth
• Address (street, postcode, town/city)
• Bank details
• Any other ticket-specific data (e.g. e-mail address, photo) required for certain ticket types (e.g. job tickets, mobile phone tickets) or data known to the fare provider.

If the order is placed by a minor, we also require the personal data of the customer who will be the contracting party. If a different payer is named in the order, we also require the personal data of this individual.

Payment data
Payment data, such as account details, contact and identification data, is collected for the processing of subscription-related payments.

Action list management
Several transport associations give customers the option of placing orders with the customer contracting partner for amending tickets stored on their chip card. Instead of customers being sent a new chip card with the amended data, the amendments are transmitted to their chip card automatically, for instance the next time their card is checked by a ticket inspector. Using an action, a new ticket can be saved on the chip card, for example. The following data is required to this end:

• the ID of the chip card
• the details of the newly issued ticket.

This data is provided by the customer contracting partner of the DB Vertrieb customers in question and shared to the inspection devices. The devices use this data to store the relevant authorisation on the customer's chip card during an inspection and report this storage back to the transport association and the customer contracting partner concerned. Depending on the transport association, customers can also have amendments transferred to their chip card at a ticket machine offering this service.

Special features when ordering a semester ticket
On the basis of agreements made with colleges/universities, it is possible for their students to order so-called semester tickets.

The following data may be collected for the order:

• Title, surname, first name
• Date of birth
• E-mail address
• Postal address (in the case of paper tickets)
• Photograph

Legal basis for data processing
To the extent that we have obtained your consent to process personal data, the legal basis is Article 6 (1) (a) GDPR.
If we process personal data that is required in order to perform a contract that we have concluded with you, then the contract forms the legal basis in accordance with Article 6 (1) (b) GDPR. Article 6 (1) (b) GDPR also applies to processing operations that are required in order for us to take steps before a contract is concluded; for example, in the event of enquiries relating to our products or services.

If our company is subject to a legal obligation that requires the processing of personal data, for example fulfilment of tax requirements, this is considered processing in accordance with Art. 6 (1) (c) GDPR.

If the processing is necessary for the purposes of our legitimate interests or those of a third party, and your interests, fundamental rights, and freedoms do not override these interests, Article 6(1)(f) of the GDPR serves as the legal basis for the processing.

This is the case, for example, when processing a photograph for the purpose of creating a digital ticket (mobile ticket/smart card). In this context, our legitimate interest under Article 6(1)(f) of the GDPR lies in the prevention of fraud attempts.

It is within our interest to maintain the customer relationship with you and to send you information and offers that we believe match your travel wishes and interests. For this reason, we process your data on the basis of Article 6 (1) (f) GDPR (with the help of service providers where necessary) to send you information and offers. We use your contact details (last name, first name and postal address) for advertising by post and for market research purposes, provided that you have not opted out of this. We may also use the e-mail address that we have obtained from our business relationship to send you advertising.

The processing of contracts generally requires the involvement of data processors working under orders, e.g. data centre operators, printing service providers, delivery service providers or other parties involved in contract performance.

The external service providers that we hire to process data are carefully selected and subject to strict contractual obligations. The service providers follow our instructions, and this is guaranteed by strict contractual regulations, technical and organisational measures, and supplementary checks and controls.

Moreover, we share your data with third parties only when you have given your express consent or on the basis of a statutory requirement.

Data will not be transferred to third countries outside the EU/EEA or to an international organisation unless appropriate guarantees have been provided. These include standard EU contract clauses and an EU Commission decision regarding suitability.

Data may be forwarded in the following situations, for example, where it is required for the purpose of contract processing:  
 

• When subscribing to a contract partner's subscription. You can find the involved railway companies (EVUs) on your route at www.bahn.de/abo-evu. The legal basis for the transfer is Article 6(1)(b) of the GDPR.
• Credit check upon registering for the direct debit procedure by Infoscore Consumer Data GmbH, Rheinstraße 99, 76532 Baden-Baden. The legal basis is Article 6(1)(f) of the GDPR. Our legitimate interest lies in preventing existing payment default risks.
• In the event of payment irregularities/default, we may pass on claims data to a debt collection agency. The legal basis for the transfer is Article 6(1)(b) of the GDPR. For this purpose, we cooperate with the following service providers:
  • Riverty Service GmbH, Gütersloher Straße 123, 33415 Verl
  • Universum Inkasso GmbH, Hanauer Landstraße 164, 60314 Frankfurt
  • EOS Deutscher Inkasso-Dienst GmbH, Steindamm 71, 20099 Hamburg.

We store your data only for as long as is necessary to fulfil the purpose for which the data was collected (as part of a contractual relationship, for example) and/or to comply with legal requirements. Thus, in the context of a contractual relationship, we will store your data at least until full and final completion of the contract. The data will then be stored for the mandatory retention period.

• You may request information about the data that has been stored about you.
• You can request that we correct, delete or restrict the processing of (block) your personal data, provided these actions are permitted by law and in compliance with existing contractual conditions.
• You have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for DB Vertrieb GmbH is: Der Hessische Datenschutzbeauftragte, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany.
• You have the right to the portability of data that you have made available to us on the basis of consent or a contract (data portability).
• If you have given us consent to process your data, you can revoke this consent at any time, using the same method you used to give your consent. Any processing of your personal data that took place from the time at which you granted your consent until the time at which you withdrew it will still be considered lawful.
• You may opt out of data processing for reasons associated with your particular situation if the data processing is performed on the basis of our legitimate interests.
• You can opt out of targeted advertising at any time. This takes effect for the future (advertising opt-out).

To exercise your rights, simply write to us at the following address:

DB Vertrieb GmbH
Europa-Allee 70 - 76
60486 Frankfurt, Germany

or e-mail us at

p.d-datenschutz@deutschebahn.com using the subject “Subscription”.

We update our privacy statement whenever there are changes to functions or legislation. We therefore recommend that you review our privacy statement at regular intervals.

Updated July 2024