Privacy Policy

As required by EU Regulation 2016/679 (“GDPR”), the information below describes the processing operations and the purpose of processing the personal data of passengers (“Passengers”).

Any terms used in this Privacy Notice that are not expressly defined shall have the meaning set forth in the GDPR.

1. Contact Details of the Data Controller

The controller is FlixTrain GmbH, Friedenheimer Brücke 16, 80639 Munich (“FlixTrain” or “controller”).

2. Contact Details of Data Protection Officer

The controller has appointed a data protection officer, who is located at Flix SE, Friedenheimer Brücke 16, 80639 Munich, Germany, and can be contacted at the following email address:

data.protection@flixbus.com

3. Purposes of Processing and Legal Basis

The controller shall process the categories of personal data referred to in Section 5 in order to:

a. fulfill the contractual obligations entered into towards the traveler or certain contractual obligations towards the traveler or special requests of the traveler before conclusion of the contract.

The legal basis for processing is the fulfillment of a contractual obligation, Art. 6 I sentence 1 b GDPR.

b. investigate and appropriately deal with the complaint filed by the passenger in all its stages, including any litigation.

The legal bases for the processing are (i) the fulfillment of a contractual obligation (ii) the legal obligations to which FlixBus is subject, and (iii) the legitimate interests pursued by the Controller, i.e. the right to establish, exercise or defend legal claims, Art. 6 I sentence 1 b, c, f GDPR.

c. sell a ticket to the passenger on board in individual cases.

The legal basis for the processing is (i) the fulfillment of a contractual obligation or for the implementation of pre-contractual measures, (ii) the legitimate interests pursued by the controller, i.e. in particular the forwarding of payment data to the payment service provider for processing the payment you have arranged, Art. 6 I sentence 1 b, f GDPR.

d. video surveillance for the following purposes:

  • enforcement of house rules
  • prevention of crime
  • protecting the lives, health and freedom of employees and customers
  • preservation of evidence in case of an incident
  • protection of property and ownership

The legal basis for the processing is Art. 6 para. 1 sentence 1 letter f GDPR in conjunction with Section 4 Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).

Legitimate interests are the investigation and prevention of criminal offences as well as the protection of life, health and freedom of employees and customers, as well as the preservation of evidence in the event of an incident.

e. Auto-Check-In (Ticket Control Support System).
FlixTrain uses an automated ticket inspection and check-in support system for passenger check-in to assist train personnel at work and reduce the need for ticket inspections. For this purpose, sequential individual images are recorded, which are subsequently converted into a statistical probability for the occupancy of an individual seat in an anonymization process and then compared with the stored
target occupancy of the seat.

The processing is necessary for the fulfillment of the contract with the passengers,
Art. 6 para. 1 sentence 1 b GDPR:

Refer to Section 6 for data retention time.

4. Categories of Recipients

a. Internal controllers
Under certain conditions, we share personal data about you for the purpose of internal management within the companies of FlixBus, as far as this is permissible.

For example, personal data can also be forwarded to Flix SE for the purpose of internal management on the basis of the legitimate interest of the controller of the processing - e.g. the need for correct and appropriate processing and handling of passenger complaints. Further details can also be found in the Flix SE privacy policy at the following link: [Privacy → FlixBus]

b. External controller
As with any major company, we also use external domestic and foreign service providers to handle our business transactions and work with partner companies at home and abroad. These include, for example:

  • sales partners

  • shop operators

  • security companies

  • other partners engaged for our business operations (e.g. auditors, banks, insurance companies, lawyers, supervisory authorities, other parties participating in company acquisitions)

  • In particular, for the secure processing of the payment you have arranged for when purchasing tickets on board the train, the required payment data will be forwarded to our payment service provider

    Adyen N.V.
    Simon Carmiggeltstraat 6-50, 1011 DJ, The Netherlands
    Privacy Policy:
    https://www.adyen.com/policies-and-disclaimer/privacy-policy.

c. Internal Processors

  • customer service providers (internal)
  • (IT) service providers

d. External Processors

  • customer service providers (external)
  • (IT) service providers
  • Operating partners

To the extent that the recipients work for us as processors, we enter into a contract with them and they must provide guarantees that appropriate technical and organizational measures are in place, that the processing meets legal requirements and that the rights of the data subjects are respected.

Passenger personal data is only accessible to persons acting on behalf of the controller or Processor.

We transmit personal data to public bodies and institutions (e.g. police, public prosecutor’s office, supervisory authorities) if there is a corresponding obligation/authorization.

5. Categories of Personal Data Processed

The personal data processed in connection with the processing purposes referred to in Section 3 a. are as follows:

a. Identification data and contact details

b. travel data, type of service

for the purposes stated in Section 3 b. in addition to 5 a, b:

c. date of receipt of the complaint, reasons for the complaint as indicated in the form completed by the passenger

d) any additional information provided by the passenger together with the complaint, including special categories of personal data where applicable (e.g. health data).

For the purpose mentioned under 3 c. in addition to 5 a, b:

e) payment data

The provision of the passenger’s personal data is voluntary: in principle, there is also no statutory or contractual obligation to provide us with your personal data; however, we may only be able to provide certain offers to a limited extent, or not at all, if you do not provide the data required for this.

For the purposes set out in Section 3 d. and e.:

g) Image data

6. Data Source

If the personal data does not come directly from you, we have received it in principle as part of your booking process on the Flixbus website of Flix SE, Friedenheimerbrücke 16, 80639 Munich.

7. Data Storage

Passengers’ personal data will be deleted or blocked as soon as the purpose for which the data is collected and subsequently processed has been omitted.

This is the case regularly with contract performance. However, longer storage can take place if we are subject to retention periods, e.g. according to the Tax Code (10 years).

The image data collected under 3 d. is stored for up to 48 hours and automatically deleted after the storage period has expired.

The image data collected under 3 e. is processed “on-the-fly”. There is no storage.

In any case, the controller may be obliged and/or entitled to retain the personal data of passengers in whole or in part for longer - for example, but not exclusively, for the establishment, exercise or defense of legal claims within the applicable limitation period.

8. Data Transfer for a Foreign Country

In connection with the processing referred to in section 3, personal data may be transferred to a third country (in particular the USA). A third country is a country outside the European Union (EU) and outside the European Economic Area (EEA). In this case, we ensure through suitable measures that the level of data protection of the recipient/recipient country is not lower than the level of protection applicable in the EU/EEA. Suitable measures can be, for example:

9. Rights of the Data Subjects

You may assert your rights as a data subject regarding your personal data at any time, in particular by contacting us using the contact details provided in Section 2. Data subjects have the following rights under the GDPR:

Right to Information

You can request information in accordance with Art. 15 GDPR about your personal data processed by us. In your request for information, you should clarify your concern to make it easier for us to compile the necessary data. Upon request, we will provide you with a copy of the data that are the subject matter of the processing. Please note that your right to information may be limited under certain circumstances in accordance with statutory provisions.

Right to Rectification

If the information relating to you is not (any longer) correct, you may request a correction in accordance with Art. 16 GDPR. If your data is incomplete, you may request completion.

Right to Erasure

You may request the erasure of your personal data in accordance with the provisions of Art. 17 GDPR. Your right to erasure depends, among other things, on whether the data relating to you are still required by us to perform our statutory duties.

Right to Restriction of Processing

In accordance with the provisions of Art. 18 GDPR, you have the right to demand a restriction of the processing of the data relating to you.

Right to Data Portability

In accordance with the provisions of Art. 20 GDPR, you have the right to receive the data that you have provided to us in a structured, commonly-used and machine-readable format, or to request the transmission to another controller.

Right to Object

In accordance with Art. 21 para. 1 GDPR, you have the right to object to the processing of your data at any time for reasons relating to your particular situation. You can object to receiving advertising at any time with effect for the future, in accordance with Art. 21 para. 2 GDPR (objection to advertising in the case of direct marketing).

Right to Appeal

If you are of the opinion that we have not complied with the provisions of data protection regulations when processing your data, you can complain to a data protection supervisory authority about the processing of your personal data, such as to the data protection supervisory authority under whose jurisdiction we fall:

Bavarian State Office for Data Protection Supervision, Promenade 18, 91522 Ansbach

Right to Withdraw Consent (to the extent given)

You may withdraw consent to the processing of your data at any time in the future without affecting the lawfulness of the processing based on consent before its withdrawal. This also applies to declarations of consent that were issued before the GDPR came into force, i.e. before 05/25/2018.

10. Amendment

This Privacy Notice may be amended from time to time due to the introduction of new purposes and methods of processing. The controller will inform passengers of this in a timely and appropriate manner at its discretion.