"Vienna Airport Lines" is a division of Österreichische Postbus Aktiengesellschaft . Vienna Airport Lines offers bus connections between Vienna and Vienna Airport along 3 lines. Österreichische Postbus Aktiengesellschaft is an ÖBB subsidiary managed by the ÖBB Customer Service Centre.
Customer satisfaction is of utmost priority for us. This means that protecting your data is particularly important. We would like to thank you for the trust you place in us by submitting your data to us for processing. As a sign that we respect your rights as well as your privacy, we have formulated our policy, which applies when processing your data:
- We place great value on transparency when it comes to processing your data. This is why we have paid special attention to our data protection declaration in order to provide you with the necessary information on how we handle your data.
- It is important to us that you know the purposes for which we use your data and when we save these data. In our data protection declaration, we inform you how and to what extent we process your data.
- We only process your data to the extent necessary, and use these data exclusively for lawful and justified purposes.
- In certain cases, we ask you whether you consent to the use of your data. In these cases, you yourself decide how and when we use your data. For example, we will never send you electronic advertising if you do not desire it.
- Our goal is to be continuously improving. Please get in touch with us if you have concerns.
- We live our principles to the full, particularly in the area of data protection. In the following sections of this data protection declaration, find out how we process your data in the course of our various data applications.
Overview: contents of the data protection declaration
- When does this data protection declaration apply?
- Who is responsible for the data processing?
- What do we mean by "personal data"?
- Occasions, purposes and sources from which personal data originate
- Information on data subjects according to Articles 12ff of the General Data Protection Regulation (GDPR)
- Processed data scope
- Benefits of the auto-fill function for travellers
- Purchasing tickets with just a few clicks
- WiFi on the bus
- Ticket sales by third parties via external booking platforms
- Use of payment information
- How we protect your data
- Direct marketing
- Market and opinion research, customer surveys
- PIWIK (Matomo) web analysis
- Use of data processors by us
- How we protect your data
- Information on the scope and consequences of incomplete data provision
When does this data protection declaration apply?
The data protection declaration applies to all passengers travelling on the buses of Vienna Airport Lines.
We constantly develop our offers and services further. This is also why we will constantly adapt our data protection declaration. We will, however, make sure that the latest version will always be available to you.
Who is responsible for the data processing?
Österreichische Postbus Aktiengesellschaft, company number 195030 i, Am Hauptbahnhof 2, 1100 Vienna, telephone +43 5 1717 is the controller in terms of data protection law according to Article 4 Clause 7 GDPR.
The GDPR deems a controller to be a natural or legal person, public authority, agency or any other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
What do we mean by "personal data"?
By personal data, we mean all information relating to an identified or identifiable natural person (hereinafter "data subject").
A natural person is regarded as identifiable if said person can be identified as precisely this natural person, in particular through allocation of an identifier such as a name, identification number, location data, online identification data or one or more other special features in the particular individual case (e.g. voice). Thus this includes, at the least, the data that can be associated with you as a customer. For example, your name, email address, telephone number, booking code, ticket code or your customer number are personal data.
Occasions, purposes and sources from which personal data originate
The legal basis of data processing according to Article 6 GDPR consists either in the fulfilment of the contract, the fulfilment of a legal obligation, your prior consent or our overriding legitimate interests, which may also include processing for a further purpose.
Data that can be associated with your person can stem from the following occasions, purposes and sources:
- When you buy a product offered by Österreichische Postbus Aktiengesellschaft for Vienna Airport Lines (for example purchasing a ticket)
- When you use our website viennaairportlines.at or viennaairportlines.com or our Vienna Airport Lines App for timetable information or to purchase a ticket and use our new services (list of stops, info area, etc.) in doing so
- In the case of outstanding claims that have not been paid by a customer
- In the event that we have to contact you (for example, a large-scale cancellation of bus connections)
- If you wish to receive advertising (e.g. newsletters, product & offer information etc.) or other information from us or if you wish to participate in our other activities and campaigns (e.g. sweepstakes, customer surveys, promotions or discounts, etc.)
- If you get in contact with the customer service with questions, desires, suggestions, complaints, criticism or other comments (e.g. disturbances).
- If you assert your rights as a passenger, in the case of a fare recovery claim or if you have made an application for reimbursement / compensation.
- If you contact ÖBB Customer Service because of questions, requests, suggestions or criticism.
- For statistical surveys to improve our services or systems, whereby the results of these surveys never allow us to deduce information concerning your person
- In the course of internal company risk analyses.
Information on data subjects according to Articles 12ff of the General Data Protection Regulation (GDPR)
Pursuant to the provisions of Article 12ff GDPR, we would like to inform you of the following topics:
Österreichische Postbus Aktiengesellschaft, company number 250198p, Am Hauptbahnhof 2, 1100 Vienna, telephone +43 5 1717 is the controller in terms of data protection law according to Article 4 Clause 7 GDPR.
If you have any questions regarding data protection or the use of your personal data, feel free to get in touch with our data protection officer.
Contact details of the data protection officer:
Am Hauptbahnhof 2
In accordance with Article 13 GDPR, personal data are collected by us in the following cases and for the following purposes:
- You assert your legal passenger rights pursuant to Regulation No. 181/2011 of the European Parliament and of the Council of 16 February 2011 on the rights of passengers in bus and coach transport and amending Regulation (EC) No. 2006/2004.
- A fare recovery claim is collected;
- You make a request for reimbursement and compensation;
- You make use of the ÖBB customer service for other services or inquiries;
- You use the ticket shop to make online bookings or the timetable information;
- You buy a yearly ticket;
- You take part in competitions, other campaigns or a customer survey, or subscribe to a newsletter.
When required, and depending on the intended use, the data processed for these purposes are disclosed to the following categories of recipients:
- the responsible bank / payment service provider for the purpose of payment processing (for the purposes of executing the contract, Article 6 Para. 1 lit. b GDPR).
- the regulatory authorities in the case of arbitration (for the purposes of complying with the provisions and rights under railway law, Article 6 Para. 1 lit. c GDPR).
- the commissioned legal representative in the case of civil law disputes (based on our legitimate interests that exist in defence of legal entitlements, Article 6 Para. 1 lit. f GDPR).
- the local, competent administrative authority responsible in the individual case (in particular also financial authorities, driving licence authorities, the Austrian Regulatory Authority for Broadcasting and Telecommunications or trade authorities) for the purposes of complying with legal provisions and entitlements, Article 6 Para. 1 lit. c GDPR.
- the local, competent court responsible in the individual case or other authorities responsible in the individual case (based on our legitimate interests that exist in defence of legal entitlements, Article 6 Para. 1 lit. f GDPR).
- the debt collection agency commissioned by the data controller for the collection of outstanding debts (based on our legitimate interests that exist in defence of legal entitlements, Article 6 Para. 1 lit. f GDPR).
- the chartered public accountant for the purpose of auditing (for the purpose of complying with legal provisions, in particular the applicable corporate law regulations, Article 6 Para. 1 lit. c GDPR).
- our commissioned data processors, if these process personal data on our behalf. (Based on our legitimate interests, in particular for the improvement, simplification and maintenance of our database systems, Article 6 Para. 1 lit. f GDPR).
Our data processing thus occurs in particular on the basis of the legal framework conditions that have been summarised once more below (as amended):
- Regulation EU 2016/679 for the protection of natural persons during the processing of personal data, for the free movement of data (General Data Protection Regulation (GDPR)), in particular Article 6 Para. 1 lit. a (consent), lit. b (execution of contract), lit. c GDPR (legal entitlement or obligation), lit. f (legitimate interests) and Para. 4 (processing for further purposes);
- Federal Act on the regular carriage of persons by motor vehicle (Kraftfahrliniengesetz - KflG), Federal Law Gazette I No. 203/1999 as amended;
- Order of the Federal Minister of Public Economy and Transport on the access to the trade of transporting persons by motor vehicle (job access ordinance on scheduled and non-scheduled motor vehicle services - BZP-VO), Federal Law Gazette No. 889/1994 as amended;
- Concessions of the contracting authority that entitle him to provide motor vehicle services on the respective licensed route;
- Directive on the General Conditions of Carriage for Motor Vehicle Services (Federal Law Gazette II No. 47/2001 as amended);
- Regulation No. 181/2011 of the European Parliament and of the Council of 16 February 2011 on the rights of passengers in bus and coach transport and amending Regulation (EC) No. 2006/2004;
- Trade Act 1994;
- Where necessary, Criminal Procedure Code 1975;
- Introductory Act to the Administrative Procedures Act 2008;
- Administrative Penal Act 1991;
- General Administrative Procedures Act 1991;
- General Austrian Civil Code of Law for the entire German-speaking hereditary lands of the Austrian monarchy;
- Telecommunication Act 2003;
- Federal Act on general provisions and the procedure for fees administered by the tax authorities of the federal state, the provinces and the municipalities (Federal Fiscal Code, BAO);
- Federal Act on special civil law provisions for companies (Austrian Commercial Code, UGB);
- Federal Act on distance contracts and contracts negotiated away from business premises (FAGG) Federal Law Gazette I No. 33/2014 in this version Federal Law Gazette I No. 83/2015 as amended;
- General Terms and Conditions and special conditions of carriage of the controller and of his cooperation partners.
- EU Directive on Payment Services in the Internal Market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No. 1093/2010 and repealing Directive 2007/64/EC (PSD2)
We shall not transmit personal data to a third country or an international organization.
In general, personal data are only stored by us to the extent that is absolutely necessary, and in principle, they are deleted after expiry of the legal civil limitation period of three years (e.g. customer correspondence) or in the case of invoice-relevant data, after a maximum of ten years (e.g. booked tickets, yearly tickets) in accordance with § 212 UGB or §§ 132f BAO. A longer storage period only occurs in justified individual cases, for example for the reason of an ongoing civil or official dispute.
Specifically, we would like to emphasise the following various subject areas:
- For invoice-relevant data based on other ticket purchases, the acquisition of yearly VAL-tickets, applications for reimbursement, or fare recovery claims, these data are stored for the duration of seven years.
- Otherwise, we record the data assignable to you for a period of three years, such as, for example, customer correspondence, the use of other services, mere participation in sweepstakes, campaigns or customer surveys.
- Revocation of a declaration of consent or assertion of an objection to direct marketing pursuant to Article 21f GDPR (blacklist): deletion of this information may not occur, since we keep this as a negative list and thereby ensure precisely that you do not receive any advertising offers from us.
(1) You, as an individual data subject, are entitled to assert the following data subject rights against us in the case that we are the controller of the data processing:
- Right to information (Article 15 GDPR)
You have the right to request information on which personal data is collected and stored on you by us.
- Right to rectification and deletion (Article 16 GDPR)
You have the right to rectification of any incorrect data regarding your person (e.g. typos).
- Right to deletion (Article 17 GDPR)
You have the right for personal data to be deleted if this deletion is covered by the application scenarios stipulated in Article 17 GDPR, for example if we were to wrongly process data.
- Right to restriction (Article 18 GDPR)
You have the right of the data subject to request that the controller restrict the processing of the personal data regarding you insofar as the requirements of Article 18 GDPR are fulfilled.
- Right to data portability (Article 20 GDPR)
You have the right of the data subject to receive the data you have provided in an interoperable format.
- Right to objection (Article 21 GDPR)
You have the right of the data subject to object to the data processing insofar as the requirements of Article 21 GDPR are fulfilled.
If you wish to assert a data subject right, please contact us. To do so, the following contact options are available to you:
Österreichische Postbus Aktiengesellschaft
Am Hauptbahnhof 2
Please enclose with your application a copy/scan of an official photo ID with your date of birth (e.g. identity card, driving licence or passport).
As soon as we have received your request and you have proved your identity to us, we will answer your request within four weeks. In the event that we have certain questions in the course of our answer, we will get in touch with you and ask you for your cooperation and help.
(2) In addition to this, you have the right to lodge a complaint with the data protection authority in accordance with §§ 24ff Data Protection Act and Article 77ff GDPR if you believe that we are violating obligations of the General Data Protection Regulation.
Austrian Data Protection Authority,
1080 Vienna, Wickenburggasse 8
Telephone: +43 1 52 152-0
(3) Revocation of granted consent
If you have granted us your consent to the processing of your data for a specific purpose, you have the right to revoke your consent at any time without providing reasons.
Processed data scope
In designing our service, we have paid attention to the fact that data is only collected and processed to the extent that is absolutely necessary.
The following are essential in this context:
- First name, surname, gender and user name incl. password
- Customers and User ID,
- Indication of age
- Contact details (e-mail address, telephone number),
- Role of the person concerned
- Consents given to the GTCs,
- Ticket and voucher information incl. type of purchase as well as information on the booked trip incl. information on the travellers,
- Device information and IP address (when logging on and logging off as well as changing the data provided),
- Details of consents given
- Payment-relevant data including booking status and billing information
- Real-time information before, during and after the journey (in particular change of departure and arrival times, total loss, exit information),
- Location information for the purpose of ticket booking or connection enquiry, if the functionality has been approved,
- logging data
- Information on a communicated concern of the person concerned, assessment by the person responsible and outcome of the proceedings, including any compensation amount / voucher.
- validation data
WiFi on the bus
In the course of the use of the Vienna Airport Lines onboard portal, no personal data of the customer is collected or used by us.
Ticket sales by third parties via external booking platforms
We have extended our distribution channels for you. This means that you can now also find our connections on partner platforms and can, in part, also book your ticket directly on the platform of our partner. If the booking is made through a partner, we exchange only the schedule and ticket information with the partner that is required for the creation of the ticket. The respective partner is responsible for the protection of the data processed on the partner platform of the partner.
Use of payment information
By payment information we mean information that we require for processing the payment. We will never store any payment information, such as credit or debit card numbers, expiry date, the card validation code (CVC) or user account and password data. We will only store payment information to a limited extent, i.e.
- if we cannot implement cancellation automatically but have to transfer the cancellation amount retrospectively (in this case we will store the name of the applicant, IBAN, BIC, name of the bank and the address (postcode, city, country, street and house number));
- in case of a specific booking, we will store the payment method (PayPal) or card type (VISA, MasterCard, etc.) and the last 4 numbers.
In all other cases, payment information (e.g. expiry date or the card validation code (CVC)) will be processed and used by a tested and certified payment service provider (Terminal Service Provider and Payment Service Provider).
In order to clearly authorise a payment, the payment service provider will require various pieces of information from us, such as e.g. identification data for browser and operating system type, which are saved by us and forwarded to the payment service provider for processing the payment.
The European Banking Authority (EBA), Regulatory Technical Standards (RTS) and the revised Payment Services Directive (PSD2) prescribe strict authentication methods for combating online fraud. PSD2 aims at preventing online fraud with strict customer authentication rules applied to an increased number of transactions.
So-called Strong Customer Authentication (SCA) is an obligatory part of PSD2 and ensures a high level of customer protection and increased payment security. SCA is therefore required whenever you, the customer, start an electronic payment process or perform a transaction that poses a risk of fraud or other misconduct. In this case, you will be required to complete an identification process by providing a password and another identification factor as determined by the payment service provider. In certain exceptional cases, this authentication can be dispensed with. The decision to apply SCA or dispense with authentication rests with the payment service provider.
We are required to provide the payment service provider with the relevant data requested in order to secure your payment transaction (see in particular https://doc.wirecard.com/CreditCard.html#CreditCard_PSD2).
More information on this can also be found on the payment service provider’s own website (see, for example, https://www.wirecardbank.de/DSGVO or https://www.wirecardbank.de/datenschutzbestimmungen/).
For the purposes of payment risk management, as required in the specific case and as part of the purchase transaction, personal data may be transmitted in the absolutely necessary extent to the payment service provider, which then uses these data to conduct a risk assessment. Payment-related data will also be consulted for anonymised analyses.
We use personal data to send you information, offers and recommendations from us or our cooperation partners. This, however, only if you give us your consent in advance that we may contact you by e-mail, telephone, SMS or other channels (e.g. by post) in order to inform you about interesting offers, new developments and services in a timely manner. Depending on the content of your consent, you will receive offers and other information about the Vienna Airport Lines, our Postbus Shuttle, information about other services, competitions and customer surveys as well as information about the ÖBB Group, i.e. other affiliated companies (e.g. information about travel offers from Rail Tours Touristik GmbH or about car sharing offers from Rail Equipment GmbH or ÖBB-Personenverkehr AG) and our other cooperation partners. You can revoke your consent at any time without giving reasons. In this case, we will not send you any offers or information by e-mail or SMS, or contact you by telephone for this purpose. To do this, please click on the unsubscribe link in a newsletter, and we will then no longer send you electronic mail. It can take up to 24 hours for the activation of a revocation in the systems to be completed.
In all other cases, please contact our ÖBB customer service using the following e-mail address: email@example.com
Market and opinion research, customer surveys
In order to improve our products and services and adapt them to customer requirements, we conduct surveys with different target groups. We thereby commission market research companies or conduct the surveys ourselves. Persons to be surveyed can be selected either completely randomly or based on social statistics or usage-specific factors. Contact with participants can be implemented via the pools of respondents for market research companies ‒ carried out without our input at the sole responsibility of partner operators. Or we invite interested persons in general, without individually addressing participation in the survey. In case of specific survey topics we also address customers of ÖBB PV AG.
Establishing personal reference is not intended for any surveys. All surveys are conducted completely anonymously. This is true even if we write to you directly as customer or you have declared your consent in advance to participate in a survey.
We only receive or compile an overall evaluation of data, which do not show individual interviews or persons.
If we address our customers directly, we will then exclusively contact people who have given consent thereto.
Should we conduct the survey in cooperation with a market research company in specific cases, we shall conclude a separate confidentiality agreement with said company in advance of a customer survey, laying down the secure handling of your data specifically for the individual case. In particular this Agreement shall ensure that the company will not transfer your data to other market research institutions and other third parties for surveys for their own purposes.
In any case you are not obliged to take part in any of our customer surveys.
- Operationally necessary cookies
These cookies are necessary to allow you to use our websites as intended and make all functions available to you. Without such cookies the requested services cannot be provided. These cookies do not record information about you and do not store Internet locations. Absolutely necessary cookies cannot be deactivated on our site. However, they can be deactivated at any time on the browser that you use.
- Functional cookies
These cookies are necessary for certain applications or functions of the website, allowing them to be duly executed. This may for example include cookies, which store implemented settings such as a visitor’s language setting or even - assuming your prior consent - pre-completed forms.
Storage period: in the event of a session cookie for the period of the session, or in the event of your prior consent for the period of your consent.
- Analytical cookies
These cookies collect information on user behaviour for visitors to our websites. For example, a record is kept of which websites are most frequently visited and which links are clicked on. All recorded data are stored anonymously with information for other visitors. Using data obtained by these cookies, we can compile analytical evaluations on our website using Piwik and thereby continually improve the user experience.
Storage period: in the event of a session cookie for the period of the session, in all other cases (for example for our web analysis service PIWIK) for a maximum of three years.
How long are cookies stored on my device?
The time that a cookie stays on your device depends on whether it is a persistent cookie or a session cookie. Session cookies only remain on your device until your browser session is finished. Persistent cookies remain stored on your device, even after you have completed a browser session, until such time as the preset time for the cookie has expired or it has been deleted.
PIWIK (Matomo) web analysis
For this purpose, usage information generated by the cookie (including your abbreviated IP address) will be transferred to our server and stored for usage analysis purposes, which on our part serves for website optimization. Your IP address is immediately anonymized in this operation, meaning that you remain anonymous to us.
Information generated by cookies on the use of our websites shall not be transferred to third parties.
For technical reasons, specific data and information must be collected and stored for visits to our websites, e.g. websites used, time and duration of visit and data made available by the used browser (e.g. on the operating system and used system settings). We use such data and information anonymously in order to design our offer in a user-friendly way and technically optimize our offer.
Should you provide personal data or information on our websites, we can continue to use them within the framework of the legal requirements of TKG [Telecommunications Act] without your further consent. Use for advertising or marketing purposes, or transfer to third parties, which requires your separate prior consent, shall be exempt from this. We will separately inform you about any communications to other ÖBB affiliated companies (e.g. in the event of a concern, complaint, etc.).
Should you access the abovementioned offers on our websites or switch to these websites, we will share data provided by the browser with such operators. We are generally not responsible for contents offered on these external sites, both with regard to data protection and to the technical security of the data and information provided. Please note in this context that external providers use technologies for personalization of advertising.
If we provide a contact option through an input screen on our website, this communication is encrypted using the HTTPS protocol. Please note that the confidentiality of other communications on the Internet, in particular via email, is not guaranteed, and we therefore recommend not transmitting confidential data and information by email.
Technical support to maintain functions on our website and in our App
When using our website viennaairportlines.at, viennaairportlines.com or www.tickets.postbus.at your ticket purchase data is stored in your web browser by means of HTML storage or in the local memory of your mobile phone, respectively. This ensures that all functions can also be used if you choose to use our software without registering. We will only store personal data for quicker processing of future purchases if you wish us to do so.
How we protect your data
For us, information security means:
- Confidentiality of data,
- Data integrity and
- Data portability
To guarantee information security, we have established organisational framework conditions and protective measures that are up to date with the latest state of technology.
- Load distribution,
- Security tests,
- System inspection and
- Constant monitoring.
Our employees are only granted access rights in accordance with their roles and to an extent that is absolutely necessary. The use of these access rights is recorded.
Your data are protected by a secure online connection (TLS) between your personal computer and our servers, depending on the browser configuration with at least 128 Bit.
Use of service providers by us
Service providers in the sense of the Data Protection Act are natural and legal entities that are commissioned by us with a certain service, for example with maintaining our data bases.
We furthermore currently use service providers for the following tasks:
- For on-line ordering and payment (payment service providers)
- For the maintenance of our data bases
- For conducting on-line surveys as well as
- For the assessment of the quality of our services
We only use service providers for data processing done in a legal manner by us. Before commissioning a service provider, we always make sure the individual provider is suitable for performing the service in question and, in particular, that they provide adequate guarantees for legal and secure data use.
Service providers only receive data from us to the absolutely necessary extent. Our service providers have contractually committed themselves to only use personal data
- For contract purposes,
- To delete them in case the respective contract purpose is lost,
- Not to forward data to third parties and
- Not to use data for their own purposes.
Prior to using a service provider, we enter into a written agreement with them in which the service provider and its employees commit to special obligations and in which they are once more explicitly bound to confidentiality. We impose certain data security measures on the service provider to assure that customer data and data processing processes are adequately protected.
Information on the scope and consequences of incomplete data provision
We have informed you comprehensively about the purposes of our data processing, categories of recipients of data, the legal basis and legal framework, the duration of storage as well as the rights to which you are entitled and the scope of data processing. In all data processing, we have taken care to ensure that data collection and the scope of data are limited to the absolutely necessary extent. If we therefore request you to disclose data, this is necessary so that
- you purchase the product of Vienna Airport Lines (online),
- we can contact you in the event of a default or any outstanding claim,
- we can include you in our direct advertising measures - provided you have given your consent in advance - or involve you in our quality assurance or customer surveys,
- we can respond to your complaint / inquiry or
- you can assert your rights as a passenger or under the GDPR
If you do not comply or do not completely comply with our request for data disclosure, it is not ensured that we can comply with or process your aforementioned purchase request or other request(s).