Data protection

privacy statement

NAME AND CONTACT DETAILS OF THE CONTROLLER

Salzburger Verkehrsverbund GmbH (hereafter referred to as SVG)
Schallmooser Hauptstraße 10, 5020 Salzburg, Austria
Tel.: +43 (0)662 875787
E-mail: datenschutz@salzburg-verkehr.at / www.salzburg-verkehr.at
Company number: FN 135832 d | Registered office: Salzburg / VAT ID no: ATU 41038603 / Tax ID no.: DE: 182/124/20219

SVG is a transport association organisation company in line with § 17 of the Austrian federal law on the regulation of local and regional public passenger transport (ÖPNRV-G 1999). SVG is responsible for the supply and organisational implementation of a public and regional passenger transport provision in line with demand in the federal state of Salzburg. As part of Salzburger Verkehrsverbund (SVV) SVG also operates an online ticket shop.


NAME AND CONTACT DETAILS OF THE DATA PROTECTION OFFICER

JANDL Datenschutz GmbH
Dr Franz Jandl
Au bei Brandstatt 25, 4070 Eferding, Austria
E-mail: datenschutz@franz-jandl.at


DATA PROCESSED

I. CUSTOMER DATA
1. Forename, surname, title, addresses (main residence, domicile, delivery address), telephone numbers, e-mail addresses
2. Date of birth, gender, nationality
3. Language of communication
4. Bank details, account details, credit rating data, credit card data, payment method
5. Route, location data, validity period, transferability, passenger rights
6. Customer number, card numbers, QR code, AZTEC code
7. School code, name and address of the school / apprenticeship business, teaching profession, school attendance / apprenticeship duration, order number
8. College/university, student number, enrolment confirmation
9. Passport photograph, portrait photograph
10. Image data (passenger checks, quality checks, video surveillance data, competitions)
11. Purchaser parent/guardian, payer, invoice recipient, forename, surname, date of birth, address, telephone numbers, e-mail addresses, account data, credit rating data, credit card data, payment method
12. Complainant and complaint content
13. Applicant in connection with rights of data subjects (art. 15 to art. 21 GDPR)

II. BUSINESS PARTNER DATA
1. Company data
2. Contact: forename, surname, address, telephone numbers, e-mail addresses
3. Bank details, account details, credit rating data
4. Invoices and invoice numbers
5. Video conferencing data

III. DATA FROM STAKEHOLDERS / COMPETITION PARTICIPANT
1. Forename, surname, title, addresses (main residence, domicile, delivery address), telephone numbers, e-mail addresses
2. Date of birth, gender
3. Image data (video surveillance data, competitions)
4. Bank details, account details


PURPOSES OF THE DATA PROCESSING

1. Issue of the respective physical ticket and facilitating generation of a digital ticket
2. Processing of the payment transaction by credit card or bank transfer with the involvement of financial service providers
3. Provision of transport services as well as the associated ancillary services
4. Ticket control
5. Prevention, detection and investigation of services potentially used without authorisation
6. Complaint system and complaint processing
7. Processing of requests in connection with rights of data subjects (art. 15 to art. 21 GDPR)
8. Adaptation, measurement and improvement of services as well as contents and promotional materials
9. Promotion and marketing: Information about services and new products (e-mail newsletters and postal mailings)
10. Implementation of competitions
11. Implementation of video conferences
12. Video surveillance

WEBSITE, ONLINE MEDIA, SALZBURG VERKEHR APP, COMPETITION:

1. Server log files
We collect data on every access to our provision (server log files). The access data include: name of the accessed website, file, date and time of access, data volume transmitted, notification of successful access, browser type and version, operating system of the user, referrer URL (the linking page visited previously), IP address of the user; anonymised device identification.
We use the log data only for statistical analyses for the purpose of operating, ensuring and optimising our provision. However, we reserve the right to check the log data subsequently in order to analyse potential errors that occur and in the case of specific evidence that gives rise to legitimate suspicion of unlawful use.

2. AWStats
For continuous improvement of our information provision, the following information is collected, stored and analysed: web browser,
operating system, country, date, time, access duration, IP address, access status, content and pages accessed. The free analysis software AWStats is used for the purpose of analysis. This is used to analyse log files created by web servers on the basis of visitor requests. AWStats does not use cookie files for the analysis. The statistical analysis is performed using the log files, which also contain IP addresses. With AWStats, unlike other statistics programmes, no data are transmitted to external servers. The programme is installed on internal servers. Transmission of data to third parties or abroad is therefore also avoided.

3. Salzburg Verkehr App
If you are looking for connections, including footpath routes from your current location and stops near you, and if you want to see your location on the map, our app needs access to the address book of your device. After installing our app, you can decide whether or not to allow access to the address book of your device. You can allow or remove access at any time with settings in the app. The following processes are possible in the app with your consent:
• Location / tracking: identification of the network-based location or tracking via GPS allows routing from or to the current location.
• Network communication: this is required for internet access by the app.
• Access to contacts (phone book): within the app, this allows use of contacts/addresses from the phone book for searches (e.g. entry of start and destination address or search using the map).
• Access to storage: this is required in order to save downloaded files in the device storage.
• Deactivation of standby mode (system tools): allows the app to send you push notifications.
• Installation of links (system tools): allows the creation of shortcuts on the home screen.
• Your accounts: required in order to be able to use the web-based interfaces of third-party providers.
• Access to hardware control elements: allows use of the device vibration function for push notifications.
• Access to camera: allows photos for personal favourites and contacts.

4. External services
Above and beyond our website and apps, we provide various content operated by third parties on social networks and in app stores
operated by third parties. These external services are linked from our website and our app in such a way that no data are transmitted
to the external services when using our website or our app. A connection to the respective external service is established only when the link is actually clicked. Please note that these external services are operated by third parties and not by SVG.

5. Competition
The personal data (name, address, e-mail address) used in the course of the competition are stored in the database only for the duration of the competition. Otherwise, please refer to the conditions for participation in competitions.


LEGAL BASES

1. Performance of a contract (art. 6 par. 1 letter b GDPR)
2. Consent (art. 6 par. 1 letter a GDPR and art. 9 par. 2 letter a GDPR)
3. Legal obligation (art. 6 par. 1 letter c GDPR)
4. Legitimate interest (art. 6 par. 1 letter f GDPR) Justification: for complaint management, for protection from theft and burglary


RECIPIENTS

1. Transport companies
2. IT service providers
3. Online service providers
4. Print media
5. Video conferencing providers
6. Printing and delivery service providers
7. Financial service providers, banks
8. Payment service providers
9. Debt collection companies
10. Cooperation partners
11. Funding agencies
12. Inspection service providers
13. Regulatory bodies
14. Call centres
15. Akzente Jugendinfo Salzburg (youth information centre)
16. Authorities and public bodies
17. Office of Salzburg state government
18. Courts
19. Solicitors
20. Tax consultants
21. Insurance companies


SOURCES

1. Customers
2. Stakeholders, competition participants
3. Creditor protection associations
4. Inspection service providers
5. Transport companies
6. Complainants
7. Applicants (art. 15 to art. 21 GDPR)

RETENTION AND STORAGE

1. Data are retained in accordance with the statutory retention obligation.
2. Data are retained and stored for as long as required for order fulfilment.
3. Data are retained and stored in order to be able to guarantee proper complaint management.
4. Data are retained and stored in order to be able to guarantee proper processing of requests in connection with the rights of data subjects (art. 15 to art. 21 GDPR).
5. Data are retained and stored in order to be able to handle court and official proceedings properly.
6. Data are retained and stored in order to be able to handle passenger legal proceedings properly.
7. Data are retained and stored in order to be able to implement competitions properly.
8. Data collected from video surveillance are retained/stored in order to be able to implement the surveillance properly.


RIGHTS OF DATA SUBJECTS

The GDPR grants the following rights to data subjects:
1. Right of access (art. 15 GDPR)
2. Right to rectification (art. 16 GDPR)
3. Right to erasure (art. 17 GDPR)
4. Right to restriction (art. 18 GDPR)
5. Right to data portability (art. 20 GDPR)
6. Right to object (art. 21 GDPR)

RIGHT TO REVOCATION AT ANY TIME

If the processing is based on consent in accordance with art. 6 par. 1 letter a) or art. 9 par. 2 letter a) GDPR, the issued consent can be
revoked at any time.

ASSERTION

Rights of data subjects and the right to revoke an issued consent can be asserted at the following address:
Salzburger Verkehrsverbund GmbH
Schallmooser Hauptstraße 10, 5020 Salzburg, Austria
Tel.: +43 (0)662 875787-0 / E-mail: datenschutz@salzburg-verkehr.at


RIGHT TO LODGE A COMPLAINT

Every data subject also has the right to lodge a complaint with the competent supervisory authority or another supervisory authority
within the EU if the data subject considers that his or her personal data are being processed unlawfully.
The competent supervisory authority in Austria is the data protection authority:

Austrian Data Protection Authority
Barichgasse 40 – 42, 1030 Vienna, Austria
E-mail: dsb@dsb.gv.at
Tel.: +43 (0)1 52152-0 / www.dsb.gv.at