Privacy policy of the Agency for Passenger Rights

The Agency for Passenger Rights (apf) is the statutory arbitration and enforcement body for rail, bus, ship and air transport with the purpose of settling disputes and complaints relating to the transportation of passengers or air passengers out of court.

The best possible protection of personal data is very important to us and we have taken technical and organizational measures to ensure this. As a matter of principle, we only process personal data for the fulfillment of the legal obligations imposed on us and in accordance with the provisions of the General Data Protection Regulation (GDPR).

1 What is personal data?

Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (see Article 4(1) GDPR).

2. why we do not require the consent of the applicant

Insofar as we are acting on the basis of legal obligations and within the scope of our legal responsibility, we do not require an additional declaration of consent or consent from the applicant to process the data in accordance with the provisions of the GDPR.

3. processing of personal data in the context of arbitration procedure

The following data is requested for our onlinearbitration request :

  • First and last name, postal address, e-mail address, (mobile) telephone number
  • Information on the case in dispute
  • Documents and records related to the case (tickets, fines, reminders, etc.)

If you cannot submit your arbitration request via the online form, please send us your data with relevant documents and information by post or fax. Irrespective of the way in which the request for conciliation is submitted, personal data will be processed exclusively for the purpose of handling the case and conducting the proceedings. Data without personal reference is used in the context of publications, such as the annual report on the fulfillment of our tasks as an agency (in accordance with Section 8 (2) of the Federal Act on Agency for Passenger Rights [PFAG] and Section 9 of the Alternative Dispute Resolution Act [AStG]). We also use collected data in anonymized form for statistical evaluations due to legal obligations.

4. retention and deletion periods

The retention and deletion period for data in arbitration procedure is set out in Section 8(2)(2) AStG. Accordingly, we must generally delete personal data within a period of three months after the expiry of three years from the notification of the result of the arbitration procedure.

5. disclosure of personal data

Personal data will only be passed on to third parties if this is necessary to fulfill our legal mandate or if you have expressly consented to this. In the context of arbitration procedure , we only pass on personal data to the companies concerned and, if necessary, to authorities for the purpose of carrying out the arbitration procedure . Anything else only applies if we have your express consent.

6 Rights of the data subjects

Data subjects have the following rights under the provisions of the GDPR

  • to request information about which data is being processed (Article 15 GDPR) and
  • to have the data rectified (Article 16 GDPR).

According to the provisions of the GDPR, the right to data portability (Article 20 GDPR) does not apply to the performance of tasks in the public interest on a legal basis by controllers.

If the data are no longer necessary for the purpose and/or fulfillment of the legal obligations for which they were collected, you have the right to

  • to have the data deleted (Article 17 GDPR),
  • to restrict the processing of the data (Article 18 GDPR).

The assertion of data subject rights may be subject to exceptions or only possible to a limited extent in individual cases when performing tasks in the public interest on a legal basis or in the case of processing that serves the assertion, exercise or defense of legal claims.

Pursuant to Article 21 GDPR, data subjects generally have the right to object to the processing of personal data concerning them. However, a prerequisite for the successful assertion of this right is a special situation that justifies the objection to otherwise permissible processing.

Data subjects who believe that the processing of their personal data violates the General Data Protection Regulation can lodge a complaint with the data protection authority at any time.

If the rights of the data subject are asserted, we will respond to the request immediately, in any case within one month of receipt. In justified cases (Article 12 (3), 2nd sentence GDPR), this response period may be extended by up to two months.

You can submit requests to the data protection officer by e-mail or post:
Ass. iur. Dipl.-Jur. Caroline Trefil
Schienen-Control GmbH
Linke Wienzeile 4/1/6
1060 Vienna
c.trefil@schienencontrol.gv.at

Responsible for the processing of personal data
Schienen-Control GmbH
Linke Wienzeile 4/1/6
1060 Vienna
office@schienencontrol.gv.at
T: +43 1 5050707 120

Responsible supervisory authority
Data protection authority
Barichgasse 40-42
1030 Vienna
T: +43 1 52152 0
dsb@dsb.gv.at
www.dsb.gv.at

Privacy policy apf

20-01-08_Data protection declaration apf complaints_final.pdf (145.3 KiB)

Privacy policy of Schienen-Control GmbH

Schienen-Control GmbH is established in accordance with Section 76 of the Austrian Railway Act 1957 (EisbG), Federal Law Gazette 1957/60 as amended, and fulfills the function of the office of the Schienen-Control Commission in addition to the other responsibilities listed in Section 77 EisbG. Furthermore, the statutory conciliation and enforcement body for rail, bus, ship and air transport, Agency for Passenger Rights (apf), is located at Schienen-Control GmbH.

Responsible handling of personal data is a top priority for Schienen-Control GmbH.

If Schienen-Control GmbH processes personal data, this is always done within the scope of the tasks assigned to it by law. Insofar as Schienen-Control GmbH acts on the basis of legal obligations and acts within the scope of its legal responsibilities, no additional declaration of consent or consent of the data subject to the processing of the data is required in accordance with the provisions of the EU General Data Protection Regulation (GDPR).

Schienen-Control GmbH has taken appropriate technical and organizational measures to ensure the security of the processing of personal data, in particular precautions to protect against unauthorized access and unlawful processing. The technical and organizational measures include, in particular, regular audits, data backup and access authorization concepts as well as physical and digital protective measures relating to our IT infrastructure. The security measures correspond to the state of the art and are evaluated on an ongoing basis.

The tasks of Schienen-Control GmbH include, in particular, the provision of information on our website.

Cookies

Cookies are short pieces of text information that web servers send to the website visitor's browser. The content of a cookie basically consists of a simple text file with which the web server provides the browser with additional information that enables certain functionalities of a website (user comfort or statistical purposes).

Every cookie has a lifespan. A basic distinction can be made between two types of cookies according to the duration of their data processing: Session cookies, which are deleted when the browser is closed, and persistent cookies, whose lifespan extends beyond the current use of the browser (session) and which are displayed individually in the browser.

We use the following technically necessary cookies on our website:

- PHP SESSION ID (PHPSESSID): Stores the current PHP session (storage duration: session)

- Contao HTTPS CSRF Token (csrf_https-contao_csrf_token): Protects against cross-site request forgery attacks (storage duration: session)

These cookies are necessary for the basic functions of the website and cannot be deactivated. You can view the cookies set under the following link:

Cookie settings

Our apf website(www.apf.gv.at) also uses the open source tool Matomo for statistical purposes (web analysis) if consent has been given.

We store the following data: IP address (anonymized), date, time, destination URL, referrer, client data. The data is deleted after 150 days. In addition, a Matomo session cookie is used, which automatically expires after 14 days. These cookies are deactivated by default. These cookies can be activated at any time via the cookie settings link above.

On the basis of Regulation (EU) 2018/1724 of the European Parliament and of the Council (SDG Regulation), anonymized data on the number of users, the origin of the visitors and the type of device used for the visit (desktop, mobile) are transmitted to the European Commission via an interface if consent is given for web analysis. The aim of the SDG Regulation is to expand existing European portals, websites, networks, services and systems and link them with national solutions. This is intended to create a single digital point of contact for the European administration.

In accordance with the provisions of the EU GDPR, data subjects have the following rights when their data is processed:

  • the right to request information about which data is processed by Schienen-Control GmbH (Article 15 GDPR);
  • the right to have the data rectified (Article 16 GDPR);

According to the provisions of the GDPR, the right to data portability (Article 20 GDPR) does not apply to the performance of tasks in the public interest on a legal basis by controllers.

If the data are no longer necessary for the purpose and/or fulfillment of the legal obligations for which they were collected, there is no longer any need for them.

  • the right to have the data erased (Article 17 GDPR);
  • the right to restrict the processing of the data (Article 18 GDPR).

At this point, Schienen-Control GmbH would like to emphasize once again that, as a rule, no personal data is collected due to the anonymization of the IP addresses of visitors to this website by Matomo. In addition, the cookies are deleted immediately after leaving the website to support the functionality of the website. The above-mentioned rights may therefore only apply to a limited extent or not at all if personal data is not available.

Furthermore, in accordance with Article 21 GDPR, data subjects have the right to object at any time to the processing of personal data concerning them, which can be exercised independently of the above statements. However, a prerequisite for the successful assertion of the right to object is a special situation that justifies the objection to processing that is in principle permissible.

Data subjects who believe that the processing of their personal data violates the GDPR can also lodge a complaint with the supervisory authority at any time.

Requests and questions regarding the privacy policy and personal data can be sent by e-mail or post to the data protection officer:

Data protection officer

Ass. iur. Dipl.-Jur. Caroline Trefil
Schienen-Control GmbH
Linke Wienzeile 4/1/6
1060 Vienna
c.trefil@schienencontrol.gv.at

Responsible for the processing of personal data

Schienen-Control GmbH
Linke Wienzeile 4/1/6
1060 Vienna
office@schienencontrol.gv.at

T: +43 1 5050707 120

Competent supervisory authority

For Austria, the competent supervisory authority is the Data Protection Authority,
Barichgasse 40-42, 1030 Vienna,
T: +43 1 52152 0, dsb@dsb.gv.at, www.dsb.gv.at.

It is also possible to deactivate the setting of cookies via the web browser settings.

In accordance with the provisions of the GDPR, data subjects have the following rights when their data is processed

  • the right to request information about which data is processed by Schienen-Control GmbH (Article 15 GDPR);
  • the right to have the data rectified (Article 16 GDPR);

According to the provisions of the GDPR, the right to data portability (Article 20 GDPR) does not apply to the performance of tasks in the public interest on a legal basis by controllers.

If the data are no longer necessary for the purpose and/or fulfillment of the legal obligations for which they were collected, there is no longer any need for them.

  • the right to have the data erased (Article 17 GDPR);
  • the right to restrict the processing of the data (Article 18 GDPR).

At this point, Schienen-Control GmbH would like to emphasize once again that, as a rule, no personal data is collected due to the anonymization of the IP addresses of visitors to this website by Google Analytics. In addition, cookies to support the functionality of the website are deleted immediately after leaving the website. The above-mentioned rights may therefore only apply to a limited extent or not at all if personal data is not available.

Should the exercise of data subject rights nevertheless concern the use of cookies that are used in the context of Google Analytics, the corresponding Google applications are available for exercising these rights here are available.

Furthermore, in accordance with Article 21 GDPR, data subjects have the right to object at any time to the processing of personal data concerning them, which can be exercised independently of the above statements. However, a prerequisite for the successful assertion of the right to object is a special situation that justifies the objection to processing that is in principle permissible.

Data subjects who believe that the processing of their personal data violates the GDPR can also lodge a complaint with the supervisory authority at any time.

Requests and questions regarding the privacy policy and personal data can be sent by e-mail or post to the data protection officer:

Data Protection Officer
Ass. iur. Dipl.-Jur. Caroline Trefil
Schienen-Control GmbH
Linke Wienzeile 4/1/6
1060 Vienna
c.trefil@schienencontrol.gv.at

Responsible for the processing of personal data
Schienen-Control GmbH
Linke Wienzeile 4/1/6
1060 Vienna
office@schienencontrol.gv.at
T: +43 1 5050707 120

Competent supervisory authority
The competent supervisory authority for Austria is the
data protection authority
Barichgasse 40-42
1030 Vienna
T: +43 1 52152 0
dsb@dsb.gv.at
www.dsb.gv.at

Privacy policy

19_10_08_Data_protection_declaration_SCG.pdf (564,9 KiB)

Press the enter key to search

You are using an outdated browser. The website may not be displayed correctly. Close