Data protection declaration

B2B digital customer platfom CONNY

Version of August 7, 2024

1. General 

For us - ÖBB-Infrastruktur AG, Praterstern 3, 1020 Vienna, FN (commercial register number) 71396w, DVR (data processing) number: 0063533 and our subsidiaries (“ÖBB-INFRA” or “we”) - the protection of your personal data and the processing of this data in compliance with data protection regulations is important. With this privacy policy, we, as the controller, would like to inform all persons who use our product or service or visit our website about the type, scope and purpose of the processing of personal data and about rights in relation to this data processing. 

In the course of the new development of our CONNY application and the implementation of new technologies, changes to this privacy policy may become necessary. Although we ensure that the latest version is always available to you, we recommend that you read the privacy policy again at regular intervals. 

Definitions of the terms used (e.g. “personal data” or “processing”) can be found in Art. 4 GDPR. 

If you have any questions regarding the use of your personal data by us, please contact our data protection officer at: datenschutz.infra@oebb.at  or by post to “ÖBB-Infrastruktur AG, Legal and Investment Management Department, Attn: Data Protection Officer, Praterstern 3, 1020 Vienna”. 

The terms used are to be understood as gender-neutral.

2. Legal basis for the processing of personal data

The legal basis for the collection and processing of personal data depends on the specific context in which we collect it. The specific explanation is provided under point 3. 

3. What personal data is processed and for what purpose?

The following data is stored in the CONNY application:  

  • Contact data such as first name, last name, e-mail address, telephone number of the user,
  • customer data such as name and address of the associated company and
  • the content of your message to us.

This data is used on the legal basis of Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. f GDPR to initiate and process a business relationship, invoice our services and invite you to customer events, as well as to respond to and process messages, complaints and service requests that you send us. 

When you visit our website https://conny.oebb.cloud, the following data in particular is processed via Microsoft Power-Platform (server logs):

  • IP address of the end device 
  • Request details and destination address 
  • Browser and operating system used 
  • Language selection 
  • Date and time of the request 
  • the URL you accessed, including all parameters 
  • if applicable, the page from which you clicked on the page link 
  • the protocol version used by your browser 
  • the access method used in each case 
  • the name and size of the data you have retrieved 
  • Notification of whether the retrieval was successful 

This data is used on the legal basis of Art. 6 para. 1 lit. f GDPR in conjunction with § 96 para. 3 TKG (telecommunications act) to ensure smooth operation of the website, convenient use of the website and to check the security of the website. In any case, the data will not be used to draw conclusions about your person.

4. Storage period

In accordance with the statutory provisions, personal data will generally not be stored for longer than is necessary to achieve the purpose of storage. 

The specific storage period may result from an applicable legal provision or applies for the duration of your consent. If the purpose for which the personal data was stored no longer applies or if a statutory retention period expires, the personal data is routinely blocked or deleted in accordance with the statutory provisions. 

In general, data is stored for the duration of the initiation and ongoing business relationship and for up to three years after its expiry and then deleted. 

5. Cookies

Cookies are small text files or codes that contain units of information. These text files are stored on your hard disk or in the memory of your browser when you visit one of our websites. Thanks to cookies, the content of our websites can be built up more easily and devices that have previously visited our websites can be recognized. We use cookies to gain a better understanding of how applications and websites work and to analyze and optimize the user experience when using our websites online and mobile. 

The cookies we use also enable us to display travel suggestions on the homepage based on the customer's queries and bookings. 

Cookie categories 
We primarily use cookies from the following categories on our websites: 

Essential cookies 
These cookies are necessary so that you can use our websites as intended and all functions are available to you. Without these cookies, the requested services cannot be provided. These cookies do not collect any information about you and do not store any internet locations. Strictly necessary cookies cannot be deactivated via our website. However, they can be deactivated at any time via the browser you are using. 

Functional cookies 
These cookies are necessary for certain applications or functions of the website to work properly. These can be, for example, cookies that save settings made by a visitor, such as the language setting, or - subject to your prior consent - pre-filled forms. 

Storage duration: In the case of a session cookie, for the duration of the session or, in the case of your prior consent, for the duration of your consent. 

First party cookies 
First party cookies originate from the website operator whose website the user is visiting. They are stored locally on the user's computer. With a first party cookie, the user can only be recognized by the site from which the cookie originates, but not across multiple domains.

Third party cookies 
Third-party cookies, also known as tracking cookies, are a common means of marking visitors to a website so that they can be recognized later. In particular, cookies are used for the operation of 

  • Microsoft cloud platform Azure (this includes MS Dynamics CRM and Power Platform) and
  • OpenStreetMap Foundation.

How long do cookies remain stored on my device? 
The length of time a cookie remains on your device depends on whether it is a persistent cookie or a session cookie. Session cookies only remain on your device until your browser session ends. Persistent cookies remain stored on your end device, even after you have ended a browser session, until the preset retention period of the cookie has expired or it is deleted. 

In the case of consent-based cookies, we keep a consent and revocation history for a period of three years.

Revocation of consent 
A revocation option is provided on the website, which you can use in the event of a revocation. If you have any questions, please contact customer service.

6. Measures for the protection of personal data

We have taken technical and organizational measures to ensure that the legal provisions on data protection are complied with. Your personal data is stored on secure networks that can only be accessed by a limited number of persons who undertake to maintain the confidentiality of this data. Despite these measures, however, every time personal data is made available on the Internet, there is a risk that it will be intercepted and used by third parties. 

7. Rights

In principle, you have the following rights, which you can assert against ÖBB INFRA: 

  • Right to information: You have the right to request information about your stored personal data from the controller at any time.  
  • Right to rectification: You have the right to have any inaccurate personal data concerning you (e.g. typing errors) rectified. 
  • Right to erasure: You have the right to obtain the erasure of personal data without undue delay, provided that the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed and provided that there is no legal ground for the erasure.  
  • Right to restriction: You have the right to obtain from the controller restriction of processing of personal data concerning you. 
  • Right to data portability: You have the right to receive the data you have provided in a commonly used and machine-readable format and to transmit the data to another controller. 
  • Right to object: You have the right to object to data processing if the data processing is carried out on the basis of a public interest or in the exercise of official authority or on the basis of a legitimate interest. If the data processing is carried out for the purpose of direct marketing, you have the right to object to this data processing.  

  • Right to withdraw consent: You have the right to withdraw your consent to data processing at any time without giving reasons. This will make the further processing of your data inadmissible, but the legality of the processing carried out on the basis of your consent until revocation remains unaffected. 

To exercise these rights, please write to us at datenschutz.infra@oebb.at or by post to ÖBB-Infrastruktur AG, Legal and Investment Management Department, Attn: Data Protection Officer, Praterstern 3, 1020 Vienna. We will review your request and respond accordingly. 

If you believe that the processing of your data violates data protection law or your data protection rights have been violated in any other way, you can contact the e-mail address below or complain to the supervisory authority. In Austria, this is the data protection authority. 

Contact details: 
Austrian Data Protection Authority 
Barichgasse 40-12, 1030 Vienna 
Telephone: +43 (0)1 52 152-0 
E-mail: dsb@dsb.gv.at 
www.dsb.gv.at