Deutsche Bahn AG: data analytics privacy statement

Skip to Content

Datenschutzhinweise 1

Article: Deutsche Bahn AG: data analytics privacy statement

Legal Notice: Please note that only the German version of this privacy statement is legally binding. You can access the legally binding version here.

Deutsche Bahn AG: data analytics privacy statement 

You can consent separately to different types of statistical and analytical data processing as described in more detail below. 

Your consent, which is voluntary, applies to the storage of, and access to, information on your end user device (e.g. laptop, tablet or mobile phone) as well as to the subsequent analysis of the data collected. 

Deutsche Bahn AG is solely responsible for processing the data. Below you will find Deutsche Bahn AG's data analytics privacy statement. 

1.    Who is responsible for processing data? 

For the purposes of the General Data Protection Regulation (hereinafter referred to as the "GDPR"), the  controller responsible for processing your personal data is Deutsche Bahn AG (hereinafter referred to as "DB AG" or "we"), Potsdamer Platz 2, 10785 Berlin, Germany; e-mail: datenschutz-cdo@deutschebahn.com 

The appointed Group Data Protection Officer of Deutsche Bahn AG is Dr Marein Müller. You can contact the privacy organisation at the above e-mail address. 

2.    What data do we process for the purposes of analysis, why do we process your data and what is the legal basis for processing your data? 

If you have given us your consent to analyse your data, we process and analyse your data in order to continuously improve our digital products (websites and apps) across the Deutsche Bahn Group. We are committed to rectifying any shortcomings in our digital products at an early stage and using the information we gather to develop and improve our digital products. We also strive to continuously improve your user experience and provide the right content for you. By analysing and evaluating data, we can learn more about general user behaviour and the needs of our customers.  

We use the analytics services and technologies listed below. Your consent, which is voluntary, applies to the storage of, and access to, information on your end user device (e.g. laptop, tablet or mobile phone) as well as to the subsequent analysis of the data collected. 

We only process your data if you have given us your consent to do so. 
 
You can withdraw your consent at any time without giving a reason. Please note that if you withdraw your consent, this does not affect the lawfulness of processing based on consent before its withdrawal. 

You can withdraw your consent at any time by clicking on "Manage Analytics" to change your data analytics preferences. 
 
Below you will find detailed information on the analytics services and technologies that we use to analyse personal data.  

Pleas also note that devices and browsers may technically prevent data from being processed at all. 
 

a. Bahn X Analytics 

Analysis of general user behaviour and the needs of customers:  

When we use Bahn X Analytics to analyse and evaluate data, the following personal data is usually processed – depending on whether you use a website or an app. 

Please note that not all of the data mentioned here is processed each time one of our digital products is used. Where possible, data is collected in anonymised form only. Furthermore, personal data is pseudonymised at the earliest opportunity so that only we – and no third parties – can trace the data back to an individual. Personal data concerning you is not forwarded to third parties outside the Deutsche Bahn Group in the course of the analysis. 

The data we process includes a device and session identifier (specific period of time spent using a product on a specific device), an identifier that we assign to you, a pseudonymised/abbreviated IP address (which also allows your geographical location to be determined), confirmation that the analysis and, where applicable, general terms and conditions have been consented to, scrolling behaviour, clicks on specific content/links and web pages previously accessed (this may include third-party pages that you accessed before using our digital product), information relating to pages that you use and that are the subject of one of our campaigns, the amount of time you spend on web pages or app screens and the date and time of use. Technical information is also processed for the analysis. This includes loading times, browser, browser version, browser setting (language), mobile phone model, and operating system/operating system version as well as the mode of connection to the internet/mobile telephony and mobile communications network operator. 

Only aggregate usage data, which is considered non-personal data, is stored permanently.   

The legal basis for the storage of information on your end user device and for accessing the stored information is your consent in accordance with Section 25 (1) sentence 1 of the German Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (hereinafter referred to as the "TDDDG").   
The legal basis for the subsequent data processing is Article 6 (1) sentence 1 (a) GDPR (data processing based on consent). Your data will be analysed only after you have voluntarily given your consent. You are not obliged to give your consent in this respect and you can use the product without agreeing to the analysis.  
 
Minimal analysis with provision of a consent banner: 
 
When the consent banner (a box in which you can give consent and manage your analytics preferences) is displayed, we also record, by means of temporary data processing, whether certain technical irregularities or errors (e.g. with certain types of devices) occur so that we can rectify these as quickly as possible. This helps us to ensure that the consent banner is always displayed correctly when you start using a digital product, is operational and can also be accessed during your visit to our digital products. We also use error analysis technologies for this purpose, to identify possible errors in the code of the website/app on which the consent banner is displayed. This is a technical analysis for which the following data is processed: the operating system used, browser, type of device, information on the location of the error in the code, the website on which the error occurred and any technical steps that led to the error and now allow us to accurately track the error.  
The legal basis for this data processing is Article 6 (1) sentence 1 (c) GDPR (data processing to fulfil our legal obligation to document and verify that the data processing is lawful).   

In addition, for the purpose of carrying out anonymous evaluations, we record, by means of temporary data processing, the behaviour of our customers in the consent banner (a box in which you can give your consent and manage your analytics preferences technologies) before they make a choice. The data is anonymised at the earliest opportunity.  
The legal basis for this data processing is Article 6 (1) sentence 1 (f) GDPR (data processing based on legitimate interests). We have a legitimate interest in finding out how our customers behave in the consent banner, how often a consent banner is displayed and how we can adapt the design of consent banners – before any analysis of personal data takes place when customers use our products. 

b. Adobe Analytics 

When we use the Adobe Analytics service to analyse and evaluate data, the following personal data is usually processed. Please note that not all of the data mentioned here is processed each time one of our digital products is used. The personal data we process includes an identifier ("ID") that we assign to you, the website on which Adobe Analytics is used, the amount of time you spend on web pages and the date and time of use, pages previously accessed (which may include third-party pages you accessed before using our digital product) and a pseudonymised/abbreviated IP address (which also allows your geographical location to be determined).  

Depending on the digital product, the following may also be recorded: clicks on content (such as advertising content, links, images, files or similar) as well as images, files or other content you download when using the digital product. Where relevant for the digital product in question, products that you place in a digital shopping cart and/or purchase are also recorded. We also measure the success rates of advertising campaigns and the performance of other activities that are possible on the website depending on the digital product. These include, for example, viewing products, viewing pages, viewing specific content such as videos, logging in to digital products, making purchases, accessing self-service tools, downloading content or submitting support requests. We may also record which specific products you are interested in at which times of the day (e.g. certain prices, colours or segments).  

Technical information is also processed for the analysis. This includes the browser, type of device used (e.g. mobile, tablet or desktop), operating system, internet service provider/connection speed and display properties (e.g. pixels/width/height). 

Only aggregate usage data, which is considered non-personal data and can no longer be traced back to you, is stored permanently. 

Where possible, data is collected in anonymised form only. Furthermore, personal data is pseudonymised at the earliest opportunity so that only we – and no third parties – can trace the data back to an individual. Personal data concerning you is not forwarded to third parties outside the Deutsche Bahn Group in the course of the analysis. 

The legal basis for the required storage of information on your end user device and for accessing the stored information is your consent in accordance with Section 25 (1) sentence 1 TDDDG. 
The legal basis for the subsequent data processing is Article 6 (1) sentence 1 (a) GDPR (data processing based on consent). Your data will be analysed only after you have voluntarily given your consent. You are not obliged to give your consent in this respect and you can use the product without agreeing to the analysis.  

When we use Adobe Analytics to analyse data, we process the identifier assigned to you and some of the related data mentioned above only for the duration of your visit ("session"). In particular, this includes information as to whether an analysis is technically possible on your device, that you have been assigned an ID, the time at which you start using the product, the technical measurement of scrolling behaviour, and data processing that is required for technical purposes to display and evaluate the analyses in particular ways. 

In certain exceptional circumstances, we store the data for a maximum period of 13 months. However, we store data for this duration only in the case of digital products that want to run product-specific campaigns over longer periods of time and compare them over this period.   

This storage period is necessary for some digital products so that we can reliably record the behaviour of a specific, recognisable user based on the ID over a period of one year for the above-mentioned campaigns and their measurement. This also allows us to compare the analysis with a campaign from the same period in the previous year. 


c. DB WAS 

When we use the DB WAS service to analyse and evaluate data, the following personal data is usually processed. Please note that not all of the data mentioned here is processed each time one of our digital products is used. 
 

The personal data we process includes an identifier ("ID") that we assign to you, the digital product (website/app) on which DB WAS is used, the amount of time you spend on web pages and the number of visits you make, the date and time of use (local time zone), pages previously accessed (this may include third-party pages you accessed before using our digital product and acquisition channels), clicks on links leading to other (external) pages, click paths and a pseudonymised/abbreviated IP address (which also allows your geographical location (country/region/city) to be determined). We may also collect the app version, the installation source and the name of the installation file of the app.

Depending on the digital product, the following may also be recorded: clicks on content (such as advertising content, links, images, files, etc.) and your downloads. Your clicks and scrolling behaviour may also be recorded. Where applicable for the digital product in question, search terms are also recorded within the search function. Your use of media files, for example, playing a video, may also be recorded.  

Where applicable for the digital product in question, items that you place in a digital shopping cart and/or purchase are also recorded (product name, product category, order, order value, products purchased, revenues). We also use DB WAS to measure the success rates of advertising campaigns and the performance of other activities that are possible on the website/app depending on the digital product.  

Technical information is also processed for the analysis. This includes the browser/plugins and browser language setting, type of device used (e.g. mobile, tablet or desktop) and page load time, as well as device manufacturer and model, operating system and screen resolution. 

Different versions of a digital product such as a website/app may also be displayed in different graphic designs. In addition to the above information, it is also possible to record which version was displayed to you.  

Only aggregate usage data, which is considered non-personal data and can no longer be traced back to you, is stored permanently. 

Where possible, data is collected in anonymised form only. Furthermore, personal data is pseudonymised at the earliest opportunity so that only we – and no third parties – can trace the data back to an individual. Personal data concerning you is not forwarded to third parties outside the Deutsche Bahn Group in the course of the analysis. 

The legal basis for the required storage of information on your end user device and for accessing the stored information is your consent in accordance with Section 25 (1) sentence 1 TDDDG. 
The legal basis for the subsequent data processing is Article 6 (1) sentence 1 (a) GDPR (data processing based on consent). Your data will be analysed only after you have voluntarily given your consent. You are not obliged to give your consent in this respect and you can use the product without agreeing to the analysis.  

When performing analyses with DB WAS, we process personal data only for the duration of your visit (session) where possible.  

In certain exceptional circumstances, we store the data for a maximum period of 13 months. However, we store data for this duration only in the case of digital products that want to run product-specific campaigns over longer periods of time and compare them over this period.   
This storage period is necessary for some digital products so that we can reliably record the behaviour of a specific, recognisable user based on the ID over a period of one year for the above-mentioned campaigns and their measurement. This also allows us to compare the analysis with a campaign from the same period in the previous year. 


d. Consent management system  

When employing the analytics tools described above, we use a consent management system. This documents the selections you have made in the consent banner (a box in which you can give consent and manage your analytics preferences). Our aim is to ensure that your personal data is processed for the purposes of analysis as described above only if you have given documented consent for this after receiving the relevant information about the analysis and your options.  

To this end, we process an identifier in the form of a pseudonymous ID for the browser/device you are using in order to reliably assign your analytics preferences and any changes thereto. We use this ID to recognise the browser/app and to identify your choices regarding analytics on the basis of the information provided. We also store information about which analytics preference you configured in which product (website/app) and the time at which you configured the setting as well as information about which device type (e.g. mobile device, desktop PC or tablet) you used to configure the relevant setting. 
 
The legal basis for this data processing is Article 6 (1) sentence 1 (c) GDPR (data processing to fulfil our legal obligation to document and verify that the data processing is lawful).   

e. Tag manager  

When performing an analysis as described above, we use so-called tag managers. A tag manager is a technical application that allows us to ensure that analytics tools are loaded to our digital products in accordance with our customers' preferences. For this purposes, alignments between data used by the consent management system (see above) and the tag manager may take place. This involves checking which analytics tools you have consented to in the consent banner (a box in which you can give consent and configure your analytics preferences) in order to load the corresponding components for the relevant analytics tool(s). The information about the settings you configured in the consent banner is stored locally in the memory of the browser you are using. To ensure that it can be technically assigned to your visit, the following information is stored locally in the browser: the date and time of a session (specific period of product use on a specific device), a session identifier in the form of a session ID, the number of page views independent of a session, the number of sessions, the number of page views per session and the time when a session ends. 

For this purposes, the tag manager temporarily collects technical data (IP address, browser, operating system). The processing of this data takes place on your device. 

The legal basis for this data processing is Article 6 (1) sentence 1 (c) GDPR (data processing to fulfil our legal obligation to document and verify that the data processing is lawful).   

3.    What are the principles of processing and when is your personal data deleted? 

Your personal data is processed strictly in accordance with the principles of Article 5 GDPR, in particular necessity and data minimisation. Once the data processing is no longer necessary to achieve its objective, the personal data is deleted, unless there is a legal basis for further processing of the data. 

The personal data that we use for the various analytics services and technologies outlined above is generally stored for a maximum of 30 days and then deleted. Specific situations in which we store personal data for a longer period of time are explicitly indicated in the above explanations for the various analytics tools.  
   

Data processing takes place in accordance with Article 32 GDPR. For example, encryption, pseudonymisation and/or anonymisation procedures are used to ensure maximum data protection.  

4.    Who are the possible recipients of your personal data? 

We may employ data processors to process personal data. Data processors support us, for example, by providing a technical infrastructure. The data processors receive your personal data only to the extent required to perform their tasks in connection with the service we have commissioned. The data processors process personal data exclusively under our control and in accordance with our instructions. We conclude data protection contracts with our data processors that control how your personal data is used. Specifically, these contracts ensure that the processors handle your personal data in compliance with the requirements of the GDPR and other applicable data protection laws. 

5.    Do you have to provide personal data? 

You are not legally or contractually obliged to provide personal data for analysis and evaluation. You will not be disadvantaged if you do not consent to analysis of your data and do not provide the data.  

6.    Automated decision-making 

No automated decisions, including profiling, which have a legal impact or other significant effect on you, will be made on the basis of your personal data. 

7.    Your rights under the GDPR 

DB AG is committed to processing personal data fairly and transparently. It is therefore important to us that you, the data subject, can effectively exercise your rights in as far as the respective legal requirements of these rights are met: 

a. Right of access: Under the provisions of Article 15 GDPR, you have the right to obtain information about any of your personal data processed by DB AG. In particular, you can obtain information about the purpose of the processing, the categories of personal data concerned, the categories of recipients to whom the personal data has been or will be disclosed, the envisaged period for which the personal data will be stored, the existence of the right to request rectification, erasure or restriction of processing of personal data or to object to such processing, the right to lodge a complaint with a supervisory authority, information about the source of the personal data if it has not been collected by us, and the existence of automated decision-making, including profiling and, where applicable, meaningful information about what this entails. 

b. Right to rectification: Under the provisions of Article 16 GDPR, you have the right to obtain the rectification without undue delay of inaccurate personal data stored by DB AG. 

c. Right to erasure: Under the provisions of Article 17 GDPR, you have the right to obtain the erasure of your personal data stored by DB AG ("right to be forgotten"), unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims. 

d. Right to restriction of processing: Under the provisions of Article 18 GDPR, you have the right to obtain restriction of processing of your personal data be restricted where one of the following applies: 

You contest the accuracy of the personal data. 

The processing is unlawful, and you oppose the erasure of the personal data and request that we stop using the personal data. 

DB AG no longer needs the personal data, but you require it for the establishment, exercise or 
defence of legal claims. 

You have objected to the processing pursuant to Article 21 (1) GDPR. 

e. Right to data portability: Under the provisions of Article 20 GDPR, you have the right to receive the personal data concerning you that you have provided to DB AG in a structured, commonly used and machine-readable format and have the right to have the personal data transmitted to another controller. 

f. Right to object: Under the provisions of Articles 21 (1) and 21 (2) GDPR, you also have the right to object to processing of personal data at any time. 

g. Right to withdraw consent 

If you have given us consent, you have the right to withdraw your consent partly or completely, at any time and irrespective of the legal basis of the consent; the withdrawal of consent does not affect the lawfulness of the processing of your personal data based on consent before its withdrawal. 

8.    Exercising your rights 

You have several options for exercising your rights. 

a. With the data controller 

You can exercise all rights directly with DB AG. 
To do so, please contact: 

Deutsche Bahn AG

Potsdamer Platz 2

10785 Berlin

 
datenschutz-cdo@deutschebahn.com 
 

b. With the Group Data Protection Officer 

You can also exercise all rights with the Group Data Protection Officer. You can contact the privacy organisation at the above e-mail address. 

9.  Right to lodge a complaint with a supervisory authority 

According to Article 77 GDPR, you also have the right to lodge a complaint with the relevant data protection supervisory authority. You can contact the following data protection supervisory authority for this purpose: 

Berliner Beauftragte für Datenschutz und die Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin
Eingang: Alt-Moabit 60

mailbox@datenschutz-berlin.de


Last modified: August 2024