1.1 For better readability, the generic masculine is used in this data protection information. Unless otherwise indicated, the personal designations used in this data protection information refer to all genders (m/f/d).
1.2 With this data protection information, we, OÖ Verkehrsverbund-Organisations GmbH Nfg. & Co (hereinafter referred to as "we"/"us"), inform our customers and visitors to our website (hereinafter referred to as "you"/"you") about the processing of their personal data, including the rights to which they are entitled. Please read this data protection information carefully.
1.3 This data protection information relates exclusively to the following areas
1.4 For the purposes of this data protection information, the definitions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("General Data Protection Regulation"; "GDPR") apply. The most important terms are explained under point 2.
2.1 "General Data Protection Regulation" or "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as amended.
2.2 "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) GDPR).
2.3 "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) GDPR).
2.4 "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Article 4(7) GDPR).
2.5 "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) GDPR).
2.6 "Recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular enquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing (Article 4(9) GDPR).
2.7 "Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4(11) GDPR).
2.8 "Data Protection Information" means this Data Protection Notice in accordance with Articles 12 to 14 GDPR.
2.9 "Website" means the website https://www.ooevv.at/ offered and operated by us, including all subpages, including the digital services, widgets and web tools contained therein
2.10 "Webshop" or "Webshops" means the web application(s) provided on the Website for the online sale of tickets.
2.11 "OÖVV apps" means individually or collectively the apps offered and operated by us, "OÖVV route planner app" and "OÖVV ticket app", which are made available for download via the Apple App Store and the Google Play Store.
3.1 The controller within the meaning of Article 4(7) GDPR for the processing of your personal data is ("we" / "us"):
OÖ Verkehrsverbund-Organisations GmbH Nfg. & Co KG (in short: "OÖVG")
Volksgartenstraße 23
A-4020 Linz
Company register number: FN 268646v of the Linz Regional Court
Tel: +43 732 66 10 10
https:// www.ooevv.at
3.2 You are also welcome to contact our data protection officer if you have any questions about data protection. Their contact details are as follows
SAXINGER Rechtsanwalts GmbH, datenschutz@ooevg.at
4.1 Provision, proper display of the website, hosting
When you access and use our website, we process certain personal data that you transmit to us via your web browser in order to ensure a smooth connection to our website and its proper display. For this purpose, we collect from you, for example, the IP address and the name and URL of the file accessed, the operating system used, the browser type and version, the host name of the accessing computer and the date and time of the server enquiry.
When processing this data, we rely on the legal basis of our overriding legitimate interest (Article 6(1)(f) GDPR), which is to be able to fulfil the aforementioned purpose, in particular to be able to display our website to you without errors. The collection of this data is necessary for technical reasons.
We process the aforementioned personal data only for the duration of establishing and maintaining the connection between your device and our website. When you close your browser, no further processing takes place.
In order to provide you with this website, we use an external hosting service provider, namely Microsoft Ireland Operations Limited, 70 Sir John Rogersons's Quay, Dublin 2, Ireland as a processor. We have concluded a separate agreement with this hosting service provider on commissioned data processing in accordance with Art. 28 GDPR.
4.2 Ensuring the security of the website and preventing misuse
When you access and use our website, we also process certain personal data that you transmit to us via your web browser in order to be able to recognise and, if necessary, prosecute any misuse of our website, including possible attacks on it. We collect the following data from you for this purpose
This data is stored in a log file on our server. When processing this data, we rely on the legal basis of our overriding legitimate interest (Article 6(1)(f) GDPR), which lies in being able to recognise and, if necessary, track such attacks.
We store the data collected in this way in a log file for a period of 72 hours from the time it is collected. The data is then deleted.
We may transmit this data to law firms, authorities, public prosecutors and courts commissioned by us only in justified cases, in particular in cases of identified attacks on our website. Such a transfer is then based on our overriding legitimate interest (Art. 6 para. 1 lit. f GDPR), which lies in being able to assert legal claims against the perpetrator of such an attack or to prosecute possible criminal offences. In such a case, the personal data will only be deleted once the underlying proceedings have been legally discontinued or concluded.
4.3 Analysing the use of our website
We use Matomo on our website. Matomo is an open source web analysis application that records online visits to our website and displays reports on these visits for analysis. We use this service to statistically analyse the composition of our visitors, which areas are particularly relevant for visitors to our website, or whether there are errors on our website. We may collect the following of your personal data:
The legal basis for the processing of your personal data is our legitimate interest pursuant to Article 6(1)(f) GDPR, which lies in being able to analyse the user structure, identify errors and improve our website; it is also in our legitimate interest to be able to better understand how visitors use our website.
If cookies are set, the legal basis for the processing is also the consent given by a visitor in accordance with Article 6(1)(a) GDPR. Consent given in this way can be withdrawn at any time without giving reasons. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. For the technical description of cookies, please see point 14.1.
4.4 Zoho
We use the software "Zoho" in our company, which is offered and operated by Zoho Corporation B.V., Beneluxlaan 4B, 3527 HT Utrecht, Netherlands. Zoho is a CRM system. A CRM system (Customer Relationship Management) is a platform used in a company whose purpose is to systematically manage customer relationships. With the help of a CRM system, customer data, interactions, sales opportunities and service requests can be recorded and organised in order to create efficient communication with customers, thereby increasing customer satisfaction and making sales easier and more efficient overall. Zoho can also be used to integrate web forms (such as a contact form) on our website. The purpose of our use of Zoho is to carry out certain customer processes efficiently and in an organised manner.
Depending on the specific purpose of use, we rely on our overriding legitimate interest (Art 6 para 1 lit f GDPR), which lies in achieving the aforementioned purpose, as well as on the fulfilment or initiation of a contract on your initiative (Art 6 para 1 lit b GDPR); in the case of previously obtained voluntary consent that can be revoked at any time, we rely on the legal basis of consent (Art 6 para 1 lit a GDPR).
If cookies are set, the legal basis for the processing is also the consent given by a visitor in accordance with Article 6(1)(a) GDPR. Consent given in this way can be revoked at any time and without giving reasons. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. For a technical description of cookies, please see section 14.1.
Zoho Corporation B.V. processes your personal data as our processor within the meaning of Art 28 GDPR. We have concluded a processor agreement with Zoho Corporation B.V. The storage of your personal data takes place in a data centre within the European Union (Netherlands). Zoho Corporation Pvt. Ltd, India, only has access to this data in limited cases, namely for service provision, maintenance and technical support. To ensure the permissibility of such data export, Zoho uses Standard Contractual Clauses of the European Commission. More information on Standard Contractual Clauses can be found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?prefLang=de.
Zoho Corporation B.V. also uses sub-processors. A current list of these sub-processors can be found at https://www.zoho.com/privacy/sub-processors.html.
4.5 Melibo
We use the chatbot service "melibo" from ThinkingTech GmbH & Co KG (Darmstädter Str. 5, 64625 Bensheim, Germany) on our website. When you use this service, the following personal data about you is processed
The service only processes personal data about you as soon as you activate the widget via the "Accept" field. With this activation, you give your express consent to the processing of your personal data via the chatbot. You can revoke this consent at any time with effect for the future by closing the chatbot and deleting the cache. The processing is based on your consent to the processing in accordance with Art. 6 para. 1 lit a GDPR. Consent given in this way can be revoked at any time and without giving reasons. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Once your communication with the chatbot has ended, the dialogues are stored in anonymised log files and used to improve the chatbot.
Questions and analysis data are transmitted securely using SSL encryption. Access is also protected by several firewalls that prevent unauthorised access from outside.
Information on the content of the conversation conducted via the chatbot, such as name/email address, can be retrieved and stored if necessary.
The background information includes a UserId and SessionId. The first time you use the chatbot, you will be assigned a randomly generated UserId. The UserId remains stored in your browser until you delete your browser history. If you want to use the bot again after deleting your browser history, a new randomly generated UserId will be generated. If you use the bot again, the UserId will be transmitted to it by your browser. This allows you to continue a previously interrupted conversation with the chatbot at any time. A randomly generated SessionId is also stored in your browser to identify the exact conversation with the chatbot. This remains in place during a conversation and is generated again when a conversation is restarted.
4.6 YouTube
We integrate YouTube videos into our website and maintain a YouTube channel. YouTube is offered and operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("YouTube"); this is a subsidiary of YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.
As soon as you access certain subpages of our website that are equipped with a YouTube plugin, a connection to the YouTube servers is established. However, the videos integrated by our YouTube channel are all integrated in "extended data protection mode", i.e. no data about you as a user that goes beyond mere connection data is transmitted to YouTube if you do not play the videos.
Only when you play the videos will additional data, such as the subpage of our website that you visit or data in connection with the video being played, be transmitted. If you are logged into your YouTube account, you would also enable YouTube to assign your surfing behaviour directly to your personal profile, in particular to evaluate what content you are interested in and to provide you with personalised offers. We have no influence on the type and scope of the data that YouTube processes, nor on the purposes of the processing or the transfer of this data to third parties.
The legal basis for the processing of personal data in the context of the mere integration of the plugin is our overriding legitimate interest (Art. 6 para. 1 lit. f GDPR), which lies in being able to achieve a user-oriented integration of videos and an optimised company presentation on our website. If you have previously consented to the processing of your personal data by clicking on the play button, the legal basis for the processing is your consent (Art. 6 para. 1 lit. a GDPR).
YouTube may also store your personal data in the USA. We would like to point out that the USA does not have the same level of data protection as the European Union, so that American authorities may be able to access your data collected by YouTube, in particular due to the US Cloud Act. You may not be entitled to any legal remedies against such access that would be comparable to those within the European Union. Consent in accordance with Art. 6 (1) (a) GDPR is therefore also deemed to be express consent within the meaning of Art. 49 (1) (a) GDPR.
You can find further notes and information on data protection at YouTube in Google's privacy policy: https://policies.google.com/privacy?hl=de&gl=de. Automated decision-making, including profiling, does not take place.
5.1 Provision of the service
We provide you with the "Journey planner" service on our website, which you can use to plan routes and obtain information on timetables and fares. The Journey planner can be accessed either by directly calling up the URL(https://verkehrsauskunft.ooevv.at/) or by integrating it on another website.
When you use the Journey planner, we collect personal data from you that is generated in the course of accessing and using the Journey planner. This includes connection data (IP address, browser version, operating system, date and time of access, etc.) as well as usage data (entry of locations, information on loaded maps, etc.). We also process information about your current location, but only after obtaining your express consent to share your location in the browser.
Among other things, map material from "basemap.at" is used for the Journey planner. This is a co-operation between the GIS offices of the federal states and the partners Österreichischer Städtebund, ÖVDAT and BEV. The map material is loaded from servers of the City of Vienna. Further information can be found at https://basemap.at/ and https://www.geoland.at/.
The purpose of the processing is to provide the Journey planner, to ensure proper functioning, to detect and rectify errors and to detect and prevent misuse, including attacks.
The legal basis for the processing is, on the one hand, your and our legitimate interest (Art. 6 para. 1 lit. f GDPR), which lies in being able to provide you with the Journey planner properly and error-free for use, as well as contract fulfilment or pre-contractual measures that take place on your initiative (Art. 6 para. 1 lit. b GDPR).
5.2 Use of our widget generator
We enable you to create a customised Journey planner widget at https://www.ooevv.at/de/fahrplaene/einbindung-der-fahrplanauskunft, which you can integrate into your own websites.
When you create this widget, we collect the following data from you Organisation, first name, surname, e-mail, URL in which the widget is integrated. We process this data for the purpose of informing you of any widget updates.
The purpose of the processing is to enable such integration and to provide you with information about any updates.
The legal basis for the processing is your or our legitimate interest (Art 6 para 1 lit f GDPR), which lies in enabling website operators to integrate a functional widget and to inform them about updates.
6.1 This section concerns the processing of your personal data via the ticket shops listed below:
6.2 OÖVG processes your master and payment data (e.g. first and last name, street, postcode, city, date of birth, e-mail address, bank details, credit card details) or, if necessary, master and payment data of your legal representative (carer, legal guardian, customer, family allowance recipient) and, if required, also login data (e.g. e-mail address, password). Other data required for proper processing may also be collected on a case-by-case basis and requested in the relevant forms (e.g. photograph, route, customer and card number, matriculation number, university, confirmation of enrolment, citizenship, asylum status, school address, type of education, presence of a disability). This data is processed for the following purposes:
The legal basis for the processing is the fulfilment or initiation of the contract (Art 6 para 1 lit b GDPR), our overriding legitimate interest in the provision of a functioning distribution system (Art 6 para 1 lit f GDPR) and - if we have previously obtained your consent in individual cases - the consent given by you, which can be revoked at any time (Art 6 para 1 lit a GDPR).
7.1 What is the background to joint product sales and customer service?
The One Mobility Act, Federal Law Gazette I No. 75/2021 as amended, provides for standardised and customer-friendly access to public transport products. A shared sales system (ticket shop) and centralised payment processing are intended to provide a cross-company customer account, product portfolio, customer service and payment system for the customers of the participating transport companies and transport associations. In this way, low-threshold access to public transport and the switch to climate-friendly mobility will be promoted and taxpayers' money will be utilised even more efficiently through synergy effects.
7.2 Who is a partner in the context of shared responsibility?
The Federal Ministry for Innovation, Mobility and Infrastructure (BMIMI), One Mobility GmbH, ÖBB-Personenverkehr AG and OÖ Verkehrsverbund-Organisations GmbH Nfg. & Co KG jointly determine the purposes and means of processing personal data in the jointly used ticket shop sales system and for centralised payment processing. In this respect, the processing is carried out within the framework of joint responsibility in accordance with Article 26 GDPR and the jointly responsible parties have concluded a special agreement that specifies which partner fulfils which obligation in order to fulfil the provisions of the GDPR.
ÖBB-Personenverkehr AG makes its sales system (ÖBB Ticketshop) available to the other joint controllers for this purpose. One Mobility GmbH provides a centralised billing system for the joint controllers.
The following entities are joint controllers within the meaning of Article 4(7) GDPR:
| Controller | Address details | Contact details | |
| 1. | One Mobility GmbH | Schwindgasse 4/3, 1040 Vienna | datenschutz@one-mobility.at |
| 2. | Federal Ministry for Innovation, Mobility and Infrastructure (BMIMI) | Radetzkystraße 2, 1030 Vienna | datenschutz@bmimi.gv.at |
| 3. | ÖBB-Personenverkehr AG | Am Hauptbahnhof 1, 1100 Vienna | datenschutz@pv.oebb.at |
| 4. | OÖ Verkehrsverbund-Organisations GmbH Nfg. & Co KG | Volksgartenstraße 23, 4020 Linz | datenschutz@ooevg.at |
7.3 What data is shared between the partners?
Within the scope of joint controllership, your customer data is processed by all controllers in the sense of a common customer base. Joint controllership applies to all processing activities that are carried out as part of the joint distribution of products, customer services and centralised payment processing. The subject of joint processing is
The rights to access and view your data have been designed in such a way that a right of inspection or access is only granted to the extent absolutely necessary in order to protect your privacy in the best possible way.
7.4 What is the purpose of joint controllership?
The purpose of this joint data processing is to
7.5 Which legal bases are used for processing?
The legal basis for this joint data processing is, in particular, Article 6(1)(e) GDPR in conjunction with Section 2(1) One Mobility Act. The performance of tasks in the public interest lies in the creation of a shared distribution system for public transport in order to facilitate access to the public transport network and thus contribute to climate protection and relieve the taxpayer through the associated cost advantages.
On the other hand, Article 6(1)(f) GDPR also applies, as the controllers have a legitimate interest in ensuring that the overarching sales and customer service supports the switch to public transport and enables customers to receive comprehensive support and a wider range of products from the individual controllers.
Individual data processing is also carried out on the basis of consent and contract fulfilment or contract initiation at the initiative of the data subject (Article 6 (1) (a) and (b) GDPR).
7.6 Who are the data subjects?
This joint data processing affects all persons who purchase a product or make use of customer service to change customer master data or for a product from the start of joint controllership in the web, app or counter sales channels of a joint controller in accordance with point 7.2. The data in accordance with point 7.3 is shared between the partners from the time the joint controllership exists and can be viewed and processed by them for the purpose of cross-company product sales and customer service.
7.7 Essential content of the Article 26 Agreement
The Federal Ministry for Innovation, Mobility and Infrastructure (BMIMI), One Mobility GmbH, ÖBB-Personenverkehr AG and OÖ Verkehrsverbund-Organisations GmbH Nfg. & Co KG have concluded a special agreement as joint controllers for this data processing, which specifies which of them fulfils which obligation under the GDPR. The essence of this agreement is made available here:
Data subject rights: To assert your data subject rights in accordance with Articles 15 to 22 GDPR, please use the contact details below for the respective joint controllers:
One Mobility GmbH processes and responds to requests for information (Article 15 GDPR) with regard to data processing under joint responsibility with effect for all controllers. Insofar as it concerns the assertion of a data subject's right for data processing under the respective responsibility of the controllers, the responsibility for responding lies with each controller itself. In order to obtain a full request for information, which concerns both the data processing under joint responsibility and the independent responsibility of the individual controllers, a request for information must be addressed both to One Mobility GmbH for the data processing under joint responsibility and to the respective partner for data processing under their independent responsibility, or a response will be provided separately. A response will be sent separately.
To assert further data subject rights (Articles 16 - 22) GDPR, please contact the controller with whom you have a direct contractual relationship (e.g. because you have purchased their product). Irrespective of this, you can also submit your rights in connection with the joint processing of your personal data to any of the other controllers mentioned above. In this case, the respective controller will immediately forward the request to the controller responsible for the processing, provided that it is a case of joint responsibility.
7.8 Differentiation from independent responsibility:
In addition to data processing under joint responsibility, there are also data processing activities that the respective controllers carry out exclusively under their own responsibility. This applies in particular to
The processing of this data is not subject to the above-mentioned agreement. The rights to access and view your data are designed in such a way that they are only granted to the extent absolutely necessary in order to protect your privacy in the best possible way.
7.9 Storage period
In accordance with the statutory provisions, personal data is generally not stored for longer than is necessary to fulfil the purpose of storage. The specific storage period may result from an applicable legal provision or applies for the duration of your consent. If the purpose for which the personal data was stored no longer applies or if a statutory retention period expires, the personal data is routinely blocked or erased in accordance with the statutory provisions.
The following retention periods apply in particular:
In addition, we will store your personal data beyond the above-mentioned periods if necessary, as long as legal claims arising from the relationship between you and us can be asserted or until final clarification of a specific incident or legal dispute. This longer retention period is in order to safeguard our legitimate interests in the assertion, clarification and defence of legal claims. In connection with the documentation of business cases, legal requirements may also provide for a longer storage period.
7.10 Data transfers (including data export to third countries)
The controller may have personal data processed by processors. Processors are contractual partners who process personal data on behalf of the controller. The controllers only use processors for data processing that is lawfully carried out by us. The controllers always ensure in advance that the individual processor is suitable for the provision of services, in particular that it offers sufficient guarantees for the lawful and secure use of data.
The processors selected by the controllers will only receive personal data to the extent absolutely necessary; processing will only take place for the purposes specified by you.
We transfer your personal data to the following processors within the scope of joint responsibility:
Microsoft Cloud Services and other Microsoft products are used to provide the sales system. ÖV Ticketshop GmbH, 1020 Vienna, Lassallestrasse 5, ÖBB-Business Competence Center GmbH, 1020 Vienna, Lassallestrasse 5, Microsoft Ireland Operations Limited, 70 Sir John Rogersons's Quay, Dublin 2, Ireland ("Microsoft"), among others, are used as processors for the provision of technical services.
We would like to point out that in individual cases Microsoft uses subcontractors to provide its cloud services or provide Microsoft products, some of which are based in third countries. A current list of these sub-processors is provided by Microsoft at the following link: https://servicetrust.microsoft.com/DocumentPage/badc200c-02ab-43d9-b092-ed9b93b9b4a8.
Insofar as data is transferred from Microsoft to Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, in the USA, Microsoft relies on Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequacy of the level of protection of personal data under the EU-US Data Privacy Framework ("EU-US Data Privacy Framework"). Microsoft Corporation has been certified in accordance with the EU-US Data Privacy Framework.
In addition, Microsoft relies on the standard data protection clauses for the transfer of personal data from processors in the EEA to processors located in third countries that do not ensure an adequate level of data protection, as described in Article 46 of the GDPR and approved by the European Commission in Decision 2021/914/EC of 4 June 2021.
We also transfer your personal data to the extent necessary to the following recipients (controllers)
7.11 Use of Friendly Captcha
We use the ‘Friendly Captcha’ service of Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany (www.friendlycaptcha.com) as part of our joint product sales and customer service (‘online customer area’ for short). Friendly Captcha GmbH acts as our processor. Friendly Captcha is an innovative, data protection-friendly protection solution to make it more difficult for automated programmes and scripts (so-called ‘bots’) to use our online customer area. Friendly Captcha thus protects our online customer area from misuse.
We have integrated a programme code from Friendly Captcha (‘protection software’) in certain areas of our online customer area (e.g. in a contact form). This causes the visitor's end device to establish a connection to the Friendly Captcha servers in connection with the protected area (e.g. sending a contact form).
The visitor's browser receives a calculation task from Friendly Captcha. The complexity of the calculation task depends on various risk factors. The visitor's end device solves the calculation task, which requires certain system resources, and sends the calculation result to our web server. This contacts the Friendly Captcha server via an interface and receives a response as to whether the puzzle has been solved correctly by the end device. In addition, the visitor's browser transmits the connection data, environment data, interaction data and functional data specified below to Friendly Captcha (for details of the data, see below). Friendly Captcha analyses this data and determines how likely it is that it is a human user or bot and sends us the result. Depending on this, we can treat access to our online customer area or individual functions as human or potentially machine-based. All of the aforementioned data is used exclusively to recognise and treat potential bots and risks as described above. The purpose of the processing is therefore to ensure the security and functionality of our online customer area. We do not use the data to identify a natural person or for marketing purposes.
If personal data is stored, this data will be deleted within 30 days.
The following data is processed exclusively for the above-mentioned security purposes:
The following data is only stored in the browser's session storage for the duration of the browser session and is absolutely necessary to ensure the security of the online customer area:
We do not set any HTTP cookies and we do not store any data in the browser's persistent memory.
Insofar as personal data is processed, the legal basis for the processing is our legitimate interest in protecting our online customer area from abusive access by bots, i.e. spam protection and protection against attacks (e.g. mass queries), Article 6(1)(f) GDPR.
Friendly Captcha acts as our processor in accordance with instructions and for a specific purpose. With the exception of the results for risk categorisation as a bot or human, the above-mentioned data is only processed by Friendly Captcha and is not transmitted to us.
Friendly Captcha uses the hosting services of Hetzner Online GmbH (Germany) and SCALEWAY S.A.S (France) to host and deliver the content.
This section describes the processing of your personal data in connection with the provision of services by OÖVG on the basis of a ticket purchased by you, including the measures taken by OÖVG to prevent misuse or the fraudulent use of services. OÖVG processes your personal data for the following purposes, in particular master data and payment data, login data if applicable and - depending on the circumstances - other data requested in the relevant forms (e.g. the existence of a disability):
8.1 In order to effectively fulfil the above-mentioned purposes, we may forward your personal data to the following parties:
8.2 Depending on the specific case, we may also receive your personal data from third parties. These third parties are
9.1 For our newsletter, which you can subscribe to via our website, we use the "Mailworx" system, which is offered and operated by mailworx - EWORX NETWORK & INTERNET GMBH, Hafenstraße 2a, 4020 Linz, Austria ("Mailworx GmbH" for short). Mailworx is a service with which we organise and analyse the sending of newsletters. If you enter data for the purpose of subscribing to the newsletter (e.g. e-mail address), this data is stored on the servers of Mailworx GmbH in Austria. Mailworx GmbH acts as our processor within the meaning of Art. 28 GDPR. We have concluded a processor agreement with Mailworx GmbH for this purpose.
9.2 We can analyse our newsletter campaigns with the help of Mailworx. When you open an email sent with Mailworx, a file contained in the email (so-called web beacon, see point 14.2 for details) connects to the servers of Mailworx GmbH in Austria. This allows us to determine whether a newsletter message has been opened and which links, if any, have been clicked on. Technical information is also collected (e.g. time of access, IP address, browser type and operating system). This information cannot be assigned to the respective newsletter recipient. It is used exclusively for the statistical analysis of newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to the interests of the recipients. Detailed information on the functions of Mailworx can be found at the following link: https://www.eworx.at/marketing-suite/mailworx
9.3 We use the so-called "double opt-in" procedure to check whether you are the owner of the e-mail address provided. For this purpose, after you have entered your e-mail address and, if applicable, your name, we will send you an e-mail in which we ask you to confirm your e-mail address. You will not be registered for the newsletter until you click on the confirmation link in the email.
9.4 The legal basis for processing for the aforementioned purposes is your voluntary consent (Art. 6 para. 1 lit. a GDPR). You have the right to withdraw this consent at any time without giving reasons. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw your consent by clicking on the "Unsubscribe" button in every newsletter you receive.
10.1 We provide you with the OÖVV route planner app (formerly: "OÖVV app") and the OÖVV ticket app (hereinafter referred to collectively as "apps") for download via the Apple App Store (iOS devices) and the Google Play Store (Android devices). The processing of your personal data for the purpose of downloading and installing the apps on your mobile device is not our responsibility, but that of the respective store provider. You can find more detailed information in the data protection declarations of the respective provider.
10.2 We generally collect the data that you make available to us when using our apps and depending on the authorisations set. If, for example, you want to search for connections including footpath routing from your current location and see stops in your vicinity and your location on the map, it is necessary for our apps to access the address book of your end device. After installing our apps, you can decide whether you want to allow access to your device's address book or not. You can grant or withdraw access to certain resources on your mobile device at any time via the "Settings" menu item in the apps:
10.3 We process your personal data for the purpose of providing you with the apps and the functionalities contained therein, in particular to carry out a timetable enquiry and to show you possible tariff options. Depending on the specific use, the legal basis for the processing is our legitimate interest (Art. 6 para. 1 lit. f GDPR), which lies in achieving the aforementioned purposes, as well as the initiation of a contract on your initiative or the fulfilment of the user contract (Art. 6 para. 1 lit. b GDPR).
10.4 If you grant us authorisation to access certain resources (e.g. address book, GPS signal) in the apps, the legal basis for the processing is the consent you have given us (Art. 6 para. 1 lit. a GDPR). You have the right to withdraw this consent at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Consent is revoked by withdrawing the respective authorisation in the apps.
10.5 With regard to the purchase of tickets via the OÖVV ticket app, please see point 6.
11.1 We provide contact options and forms on our website that you can use to assert passenger rights. The legal basis for asserting these rights can be found in the following legislation
11.2 We are obliged to set up a system for processing complaints on the basis of the aforementioned legal matters (Art 6 para 1 lit c GDPR). In principle, we collect the personal data that you provide to us in connection with the assertion of a passenger right. The data is processed for the purpose of checking your passenger rights and communicating with you, in particular with regard to whether a complaint is upheld. We are also legally obliged to do this.
11.3 If you give us your consent to do so, we will forward your data to the transport company or companies involved in the OÖVV for the purpose of processing the delay compensation procedure. You have the right to revoke this consent at any time without giving reasons. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
11.4 We store your personal data for the duration of the proper handling of the passenger rights procedure and beyond that for as long as we are subject to a statutory retention obligation.
12.1 We are pleased when you contact us via our contact form on our website, by e-mail or telephone. When you contact us, we collect the following data from you:
We process the personal data collected from you in order to answer your enquiry or deal with your request. If a contractual relationship is concluded, you will be informed separately about the processing of your personal data as part of the contract.
12.2 Depending on the occasion, the processing of your personal data when you contact us is based on the implementation of pre-contractual measures in accordance with Art. 6 para. 1 lit. b GDPR and/or on your and our legitimate interest (Art. 6 para. 1 lit. f GDPR), which lies in the service-oriented response to your enquiry.
If a contract is concluded as part of the response to your enquiry, we will store your personal data for the duration of the contractual relationship and for the duration of any subsequent statutory retention obligation. If no contract is concluded or if your enquiry does not result in the conclusion of a contract (e.g. in the case of customer service or complaint management), we will store your personal data for a period of three years. Your data will then be deleted.
Please note: For the processing of your personal data in connection with passenger rights, please refer to point 10.
13.1 If you apply to us, we will use the personal data contained in your application to contact you and carry out the application process. The legal basis for this data processing is the initiation of a contractual relationship on your initiative (Art. 6 para. 1 lit. b GDPR). We will retain your personal data for the duration of the application process.
13.2 If your application is rejected, we will store your data for a period of seven months from the date of notification of rejection. This serves the purpose of being able to counter any claims on your part in accordance with §§ 12, 26 of the Equal Treatment Act or § 7e, 7k para. 2 no. 1 of the Disability Employment Act. In doing so, we rely on our legitimate interest in defending against possible claims such as those mentioned above. If special categories of personal data within the meaning of Art. 9 para. 1 GDPR are processed, we also rely on the basis of the exercise of legal claims (Art. 9 para. 2 lit f GDPR). After this period has expired, your personal data will be deleted.
13.3 Only if you voluntarily give us your consent (Art 6 para 1 lit a GDPR), we may keep your application documents for one year after a rejection in order to keep you on record if necessary. You have the right to withdraw this consent at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
13.4 If an employment relationship is established with you, we will inform you about the processing of your personal data, including your application documents, in a separate privacy policy.
14.1 What are cookies?
To grant or revoke consent for cookies, click here: [Link]
Cookies can be used to collect information that is created by a website and stored via the user's browser. Cookies are small files or pieces of text information (usually less than one kilobyte) that a website stores on the hard drive of the user's computer or mobile device. These cookies allow the website to "remember" the user's activities and preferences for a short time or permanently. Most browsers support cookies, but users can configure their browsers to reject cookies or delete them at any time. Many users configure their browsers so that cookies are automatically removed as soon as the browser window is closed. Websites use cookies to identify users, remember their preferences and allow them to complete tasks without repeatedly entering information when they change pages or return to the website.
Cookies can also be used to collect information for personalised advertising and marketing based on online behaviour. Companies use cookies to analyse user behaviour and create personal profiles. This allows them to display targeted adverts to users based on their previous searches. Cookies can be categorised into different types, whereby they can be classified according to their storage duration:
A further classification can be made based on the area to which they belong:
If the web server from which the website is loaded stores cookies on the user's computer or mobile device, these are referred to as "HTTP header cookies". Cookies can also be stored using JavaScript code that is located or referenced on the page. Example: A website is offered in five different language versions. When you access the website for the first time, you select the language version "German". A text file (a "persistent cookie") is now stored on your device with the information that you wish to use the website in German. If you do not delete the cookies and call up the website again with the same browser, the website will know from the stored cookie that the website should be displayed in German. You can find more information about cookies here: https://allaboutcookies.org/.
We use the following cookies on our website
| Domain | domain name | Type of cookie | Category | Purpose | Type | Storage duration |
| ooevv.at | x_cookiepolicy_option_categories | First-party cookie | Necessary | Saves the consents given via the cookie banner | Permanent | 1 year |
| ooevv.at | infobox_<ID> | First-party cookie | Necessary | Infobox for a traffic message (setting a timestamp to prevent the popup from appearing again) | Permanent | 14 days |
| ooevv.at | ooeverkehrsverbund-_zldp | First-party cookie | Third-party services | This cookie identifies individual visitors to the website | Permanent | 2 years |
| ooevv.at | ooeverkehrsverbund-zldt | First-party cookie | Third party services | This cookie identifies a visitor's unique visits to the website. | Persistent | 1 day |
| ooevv.at | smartbanner_exited | First-party cookie | Necessary | Smart app banner is no longer displayed after clicking away. | Permanent | 15 days |
| ooevv.at | smartbanner_installed | First-party cookie | Necessary | Smart app banner is no longer displayed if the app is already installed or the user has clicked on the view link in the banner. | Permanent | 90 days |
| ooevv.at | _pk_id | First-party cookie | Analysis | Stores a unique visitor ID. | Persistent | 13 months |
| ooevv.at | _pk_ses | First-party cookie | Analysis cookie | Session cookie stores temporary data for the visit. | session | 30 minutes |
| ooevv.at | _pk_ref | First-party cookie | Analysis | Stores data about the origin of the user. | Permanent | 6 months |
14.2 What are web beacons?
"Web beacons" (also known as "trackingpixels") are small, usually invisible graphics - usually 1x1 pixel, transparent image files - that are integrated into a website or email via HTML code from an external server. As soon as a user visits the website or opens the email, this graphic is loaded from the external server, whereby the user's IP address in particular is transmitted to the web server. The information transmitted is then stored in a log file on the service provider's server.
Web beacons are primarily used for statistical analyses and in online marketing. They make it possible to track the movement behaviour of a user during a session, to identify which browser and operating system is being used, or to track when and how often a page or email has been accessed.
You can find more information about web beacons here: https://allaboutcookies.org/what-is-a-web-beacon.
Unless individual legal bases are addressed separately in this data protection information, we also rely in particular on the following legal bases when processing your personal data:
15.1 Consent (Art 6 para 1 lit a GDPR): If we refer to your consent in each case when presenting the purposes, we will only process your personal data if you have previously given us your voluntary consent, which can be revoked at any time. You can revoke any consent you have given at any time without giving reasons, even separately. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Consent can be withdrawn at any time by contacting us by email or post at our contact address (see point 19).
15.2 Contract fulfilment, contract initiation (Art 6 para 1 lit b GDPR): If the processing of your personal data is necessary for the purpose of fulfilling a contract between you and us, we rely on the legal basis of contract fulfilment. The same applies if the processing is necessary to take steps at your request prior to entering into a contract.
15.3 Compliance with legal obligations to which we are subject (Art 6 para 1 lit c GDPR): We are subject to provisions of Union, federal and state law that make it necessary to process your personal data.
15.4 Overriding legitimate interest (Art 6 para 1 lit f GDPR): We also process your personal data on the basis of our overriding legitimate interest, which lies in particular in being able to offer you our respective services.
16.1 Unless otherwise stated in this data protection information, we store your personal data for as long as is necessary for the fulfilment of the respective purpose, and beyond that until the expiry of a statutory retention obligation that applies to us or, in the case of possible legal claims, until the expiry of a statutory limitation period. The data will then be deleted.
16.2 If your personal data is processed by us exclusively on the basis of your previously granted consent, your data will be deleted as soon as we receive your cancellation.
18.1 You have the following rights as a data subject under the conditions and restrictions of applicable law. You are entitled to
18.2 If you wish to assert one or more of these rights against us, you are welcome to contact us; our contact details can be found in point 19. If you are of the opinion that we have violated data protection regulations, you have the right to lodge a complaint with the competent supervisory authority (for us this is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, dsb@dsb.gv.at).
If you have any questions regarding the processing of your personal data or wish to exercise your rights as a data subject, please do not hesitate to contact us at any time by post, telephone or e-mail at the following address:
OÖ Verkehrsverbund-Organisations GmbH Nfg. & Co KG
Volksgartenstraße 23
A-4020 Linz
We reserve the right to amend this data protection information from time to time. The current version can be accessed via the data protection information.
Valid from: 11.02.2025
