Data protection declaration

Last amended on 28th January 2022.

1. General

1.1 ÖBB-Infrastruktur AG, Praterstern 3, 1020 Vienna, FN 71396w, (“ÖBB-Infra” or “we”) places great importance on protecting your personal data and processing this data in compliance with data protection law. In this data protection declaration, we explain how we, in our capacity as controller of the data processing, collect, disclose and use your personal data and how you can exercise your rights as data subject.

1.2 If you have any questions about the way we use your personal data, please feel free to contact us using our contact form or contact our data protection officer at: datenschutz.infra@oebb.at or send a letter to “ÖBB-Infrastruktur AG, staff unit Legal and Investment Management, for the attention of the Data Protection Officer, Praterstern 3, 1020 Vienna”.

2. Types of personal data and purposes of processing

2.1 Data which you provide voluntarily

2.1.1 “Contact data” such as form of address, title, name, address, telephone number, email address, position, company/authority, department

We collect this data for the following purposes:

  • To respond to and process notices, complaints and service queries (such as notifications of loss) which you send to us
  • To send you important information for example on rail planning- or construction projects
  • To invite you to events, such as the “Building Site Open Day”, ground-breaking ceremonies and similar
  • To organise these events
  • To inform you, as a project partner or other stakeholders in a project (e.g. as a civil engineer, representative of an authority etc.) about the execution of rail projects and involve you in the organisation of such projects
  • For participation in competitions
  • To carry out voluntary surveys
  • To subscribe to newsletters, customer magazines, etc.
  • For the implementation of events

2.1.2 “Customer data”,  which you disclose to us (e.g. as a rail transport company as part of ordering of train paths) or which we need to render and bill our services, e.g. form of address, title, name, address, telephone number, email address, company of the contact partner at the customer, customer number, order and consumption data, payment data of the customer

We collect this data for the following purposes:

  • For establishing and maintaining a business relationship
  • For billing our services
  • To send invitations to customer events
  • To communicate important information about our services (e.g. construction work on rail facilities or other restrictions on operations which could affect you, as well as extensions of our infrastructure)

2.1.3 „Supplier data“, which you disclose to us as contract partner in the course of the procurement procedure and performance of the contract, e.g. form of address, title, name, address, telephone number, email address, company of the contact person for the supplier, payment information of the supplier

We collect this data for the following purpose:

  • For establishing and maintaining a business relationship

2.1.4 „Customer data in the real estate sector“, which you disclose to us (e.g. as an interested party in one of our properties, as a lessee, buyer or other contractual partner) or which we need for the provision and billing of our services, such as salutation, title, name, address, telephone number, email address, if applicable, company affiliation of the customer’s contact person, customer number, contract data (rental property, contract terms and conditions, charges, etc.), land register data, customer’s payment data

We process this data for the following purposes:

  • For the formation of contracts (e.g. existing contracts, purchase contracts, easement contracts, etc.) including their implementation in the land register
  • For the justification of construction rights or buildings built on non-owned land
  • For the justification of legal land register rights and obligations (e.g. rights of first refusal, usufructuary rights, granting of priority status, etc.)
  • For the cancellation or release of easements, real charges, liens or other rights in rem
  • For the conducting of legal proceedings and settlements
  • For the processing of instalment agreements
  • For the billing for our services
  • For the implementation of maintenance and repair measures

2.1.5 If we ask you for other personal data than that specified above, we will inform you at the point of collection of which data we need and the relevant purposes.

2.2 Data which we collect automatically, cookies and similar technologies

2.2.1 Information on personal data which we may collect automatically when you visit our website, and on cookies and similar technologies can be found in the Terms of Use for our website.

2.2.2 The systems provided by ÖBB-Infra for your customers and business partners (e.g. our tool for applying for train paths) keep system and application logs to the usual extent for the sole purpose of analysing errors. This includes the IP addresses and - depending on the system used - the browser used by the user. The legal basis for processing this data is ÖBB-Infra’s legitimate interest in guaranteeing network and data security and the functionality of the systems, which does not override your interests in having your personal data protected or your fundamental rights and freedoms (Art 6 para 1 letter f GDPR).

2.3 Data which we obtain from external sources

2.3.1 Occasionally, we obtain personal data concerning you from external sources (such as data from public registers, the companies or land register, information published on the website of your company/organisation or if you have submitted a query or lodged a complaint affecting ÖBB-Infra with another company within the ÖBB Group and this is forwarded to ÖBB-Infra for processing). In such cases, we verify whether these third parties have obtained your consent or are otherwise legally authorised or under an obligation to disclose your personal data to us.

2.3.2 The types of data which we collect from third parties include personal data entered into public registers or your contact data from other publicly accessible sources such as company websites. We use the data which we obtain from these third parties for the following purposes:

  • In order to maintain and improve the accuracy of the records we keep about you
  • In order to contact you in your professional capacity or (for example) as a neighbour in the vicinity of the building site and inform you on important rail projects which could affect you and also involve you in the execution of the project as the case may be
  • To process a query/complaint which affects us.

3. Recipients of the data

3.1 We are authorised to pass on your personal data to the following categories of recipient:

3.1.1 Other companies belonging to our group, processors and partners who provide data processing services to us or which process personal data in another way for the purposes specified in this data protection declaration or which are communicated to you when we record your personal data. You can find a list of the most important companies belonging to the ÖBB Group in the area ÖBB-Konzern/Organisation.

  • Our central processor for services in the information technology sector (e.g. operation of IT systems, technical maintenance and remedying errors) is ÖBB-Business Competence Center GmbH, Erdberger Lände 40-48, 1030 Vienna, FN 248730 f, a company belonging to the ÖBB Group.
  • Our processor for the administration and exploitation of the real estate of ÖBB-Infra is ÖBB-Immobilienmanagement GmbH, Nordbahnstraße 50, 1020 Vienna, company register no. FN 249152a, a company of the ÖBB Group. According to § 24 of the Federal Act on the Restructuring of the Legal Status of the Austrian Federal Railways (Federal Railways Act), ÖBB-Immobilienmanagement GmbH is in particular responsible for the administration and exploitation of the properties of ÖBB-Infra. For this purpose, ÖBB-Immobilienmanagement GmbH collects and processes the “customer data in the real estate sector” listed in section 2.1 on behalf of ÖBB-Infra.
  • Our processor for processing your lost item reports (“Lost & Found”) and provider of video surveillance security services in the areas of our transit stations which are accessible to the public is ÖBB-Operative Services GmbH & Co KG, Felberstraße 1, 1150 Vienna, FN 271797b, a company belonging to the ÖBB Group.
  • The service provider for station management is ÖBB-Immobilienmanagement GmbH, Nordbahnstraße 50, 1020 Vienna, FN 249152a, a company belonging to the ÖBB Group, which acts as processor for video surveillance in the areas of our stations which are accessible to the public. With regard to the issue of video surveillance, please see point 5.

3.1.2 To a competent law enforcement authority, a supervisory authority or state body, a court or other third party, if the disclosure is necessary (i) because of applicable laws or rules, (ii) to exercise, preserve or defend our statutory rights or (iii) to protect your vital interests or those of another person.

3.1.3 To a potential purchaser (and its representatives and advisors) in connection with a planned purchase, merger or takeover of our company (or a part thereof), provided that we inform the purchaser that it may only use your personal data for the purposes specified in this data protection declaration.

3.1.4 If you are involved in one of our rail projects in a professional capacity, possibly to other project partners if this is necessary for executing the project.

3.1.5 To any other person, provided that you consent to the disclosure.

4. Legal basis for processing personal data

4.1 The legal basis for collecting and processing personal data depends on the specific context in which we record it.

4.2 In general, we only process your personal data if we have your consent to do so (Art 6 para 1 letter a EU General Data Protection Regulation, “GDPR”), if we need your personal data to fulfil a contract with you (Art 6 para 1 letter b GDPR) or if we have a legitimate interest in processing which is not overridden by your interests in the protection of your data or your fundamental rights and freedoms (Art 6 para 1 letter f GDPR). ÖBB-Infra, for example, has legitimate interests in responding to queries or complaints in a timely, complete and consistent fashion, informing neighbours, authorities and business partners about important rail projects which affect them and also in executing the project efficiently, involving all project partners. In some cases, it may be necessary to process your personal data to comply with a legal obligation (Art 6 para 1 letter c GDPR) such as retention obligations or to protect your vital interests or those of another person (Art 6 para 1 letter d GDPR). See point 5 for more detailed information on the issue of video surveillance.

4.3 If we process your personal data pursuant to other legitimate interests (or those of a third party) which are not specified above, we will inform you of these legitimate interests at the relevant time.

5. Video surveillance

5.1 Video surveillance of train stations

Parts of the areas in ÖBB-Infras' transit stations which are accessible to the public are monitored using video surveillance. Video surveillance aims at guaranteeing the secure operation of the railway as well as protecting people and property, including the prevention of damage to ÖBB-Infra's property. It thus serves the purpose of complying with the legal obligations which apply to us as well as our legitimate interests. These measures include the use of stationary video cameras on the one hand and the use (in certain cases) of body cameras (“bodycams”) by security employees within the transit stations on the other hand. If the image data is not needed as evidence, it is automatically deleted again after 120 hours.

5.1.1 Automatic activation of cameras during closing hours
During closing hours for our transport depots we use a system that automatically activates a live camera feed when the monitored area is entered. Trespassing on our transport depots during closing hours (e.g. by graffiti sprayers) will therefore be detected as soon as possible and any danger from railway operations (e.g. crossing of the tracks) and damage to our property can be prevented as far as possible. The camera feed will subsequently be activated at our security provider, ÖBB-Operative Services GmbH & Co KG (see details of processors under section 3.1.1). This company can immediately dispatch security personnel to the location of the incident. Data processing is thereby carried out in the legitimate interest of property protection and in order to guarantee secure railway operation according to the Railway Act.

5.2 Video surveillance of energy systems

The technical parts of our energy generation facilities (e.g. dams, power and inverter plants) are under video surveillance for the purpose of checking the condition of the equipment, partially via a central control station and solely in real time (no recording). This serves the sole purpose of preserving our legitimate interests in guaranteeing the availability of the facilities and the rapid remedy of errors. Because the upstream water facilities in the plant group Klostertal and Stubachtal are located in areas popular with hikers and some of the hiking paths cross or go past the parts of the facilities under surveillance, it cannot be ruled out that third parties (e.g. hikers) spend time in the area under surveillance.

5.3 Video surveillance in office and administrative buildings

In some of ÖBB-Infra's office and administrative buildings, the entrances to the building (especially the entrances and exits and garage entrances) and to some of the floors are under real-time video surveillance (no recording) for the purpose of, and in the legitimate interest of, monitoring access, preventing theft, protecting trade and business secrets and therefore preserving legitimate interests.

5.4 The areas under surveillance are clearly marked with a notice.

5.5 Obligations under the Security Police Act (SPG)

Due to the amendment of the Security Police Act by means of BGBl [Federal Law Gazette] I No. 29/2018, ÖBB-Infra is subject to the following obligations in particular:

  • § 53(5) SPG: We are obliged to immediately forward image data from the video surveillance of public locations on request, or to grant access to such visual recordings to security agencies on request in individual cases for the purpose of preventing probable attacks or offering protection from attacks or criminal connections and for the purpose of searching.
  • § 93a SPG: We have informed security agencies on request about the use of visual recording equipment at public locations (in particular about video surveillance of transport depots). Where required under a location-based risk analysis, for reasons of maintaining public peace, order and safety, or for criminal prosecution, the security agency shall issue notification, setting out a retention obligation for the relevant image data, not to exceed four weeks. No procedure has yet been initiated in this regard, and no relevant notification has been issued. In the event of an extension of the storage period being prescribed for image data, we will inform you thereof by means of a modification to this Data Privacy Statement.

6. Retention of data

6.1 We retain your personal data for as long as this is required to fulfil the relevant purpose or to comply with contractual or statutory obligations or legitimate interests (e.g. to render a service you have requested, to comply with statutory retention obligations or to enforce legal claims).

6.2 As soon as there are no longer any legitimate purposes for retaining the personal data, it will either be erased or anonymised. If this is not possible (i.e. because your personal data is stored in backup archives), we will store your personal data securely and prevent it from being accessed for further processing until it is possible to erase it.

7. Rights of the data subject

7.1 According to the statutory provisions, you have the right to access the personal data concerning you, have it rectified, erased, have its processing restricted or object to its processing. You also have the right to data portability and to submit a complaint to the supervisory authority. The competent supervisory authority for ÖBB-Infra is the Austrian Data Protection Authority.

7.2 If we process your personal data based on your consent, you may revoke your consent at any time. Revoking your consent does not have any effect on the legality of processing done before such revocation.

7.3 If personal data is processed for the purposes of direct marketing, and processing is not based on your consent, you have the right to object to the processing of your personal data for the purposes of such marketing at any time; this also applies to profiling, provided that it is connected to such direct marketing.

7.4 If you wish to exercise these rights, please write to us at: datenschutz.infra@oebb.at or send a letter to “ÖBB-Infrastruktur AG, staff unit Legal and Investment Management, for the attention of the Data Protection Officer, Praterstern 3, 1020 Vienna. We will examine your request and respond accordingly.

7.5 Furthermore, you can unsubscribe from marketing communications which we may send you. To do this, please click on the unsubscribe link in the marketing emails we send you. Alternatively, you can deregister from the distribution list by logging into the email address given in the relevant marketing email by email. To unsubscribe from other types of marketing communications (i.e. postal or telephone communications), please contact us using our contact form or by sending a letter to „ÖBB-Infrastruktur AG, staff unit Legal and Investment Management, for the attention of the Data Protection Officer, Praterstern 3, 1020 Vienna”.

8. Updates to this data protection declaration

8.1 We may update this data protection declaration from time to time to take account of legal, technical or business developments. If we update our data protection declaration, we will take appropriate measures to inform you of the amendments made, according to the importance of those measures. We will obtain your consent for each material amendment we make to the data protection declaration, if (and as far as) this is required pursuant to the applicable data protection laws. You can find the date of the “last amendment” at the top of this data protection declaration.