WCAGGoToMainContent
ClickToExpandMenuIcon

Privacy Policy for Rejsekort as an app

Valid from 20 June 2024. Version 2

At Rejsekort & Rejseplan A/S, we attach great importance to ensuring that you feel secure as a customer with us. Therefore, we process your personal data responsibly, with respect for your privacy and in accordance with all relevant legislation, including the General Data Protection Regulation (GDPR).

You can read more about our processing of your data and a description of your rights in this Privacy Policy.

Rejsekort as an app is a mobile application (in the following called ‘app’ or ‘the app’) developed by Rejsekort & Rejseplan A/S, in which you can purchase valid tickets (travel documents) for travel by bus, train, light rail and metro.

1. Contact details for data controller and Data Protection Officer

Rejsekort & Rejseplan A/S is the data controller for the processing of all personal data in Rejsekort as an app. Our contact details are as follows:

Rejsekort & Rejseplan A/S
Automatikvej 1
DK-2860 Søborg
CVR no.: 27 33 20 72

Rejsekort Customer Service Tel.: (+45) 70 11 33 33

Via contact form at https://www.rejsekort.dk/rejsekort_app/Kontaktformular

By letter to Rejsekort Customer Service at the address:
Rejsekort Kundecenter Postboks 736
DK-2500 Valby

Contact details for our Data Protection Officer (DPO) are:
DPO@rejsekort.dk
Tel.: (+45) 70 20 40 08

Telephone hours are weekdays between 10:00 and 15:00.

 

2. Types of data we collect and purpose of the processing

2.1. Data related to your use of Rejsekort as an app

We process the data you provide yourself when you create a Rejsekort as an app user profile. We also process several data created through your use of the app.

The data that you must provide when creating your profile are: 

  • Your mobile phone number
  • Your email address
  • Your first name and surname
  • Your date of birth
  • Data about registered means of payment
  • In addition, a system-generated unique user ID is created, which is linked to your profile.

Once you have created your profile and use the app to purchase a ticket for public transport, we will register the necessary location (GPS) and activity information from your mobile phone to provide the Rejsekort service. We register your location already from when you open the app. This is done to find the nearest station or stop, which will be the start location when you check in. However, if you open and close the app without checking in, the registered location data will not be saved.

When you check in, the time and place of your check in are registered, and the app then tracks your location until you have checked out again. This is done to provide you with a valid ticket for the whole journey and is necessary to create the correct ticket that corresponds to the journey you are making. This ensures that the itinerary is calculated correctly and that it will be correctly stated which means of transport you have used. When you check out, we will register the location at which your journey ends. Once you have checked out and the system has calculated your trip, we will no longer register your location.

For the app to function correctly and to ensure that we can service you if you experience problems with the app, we also process certain technical data. This concerns:

  • Your IP address and your device ID 
  • Your ticket settings, including customer type and any discount level  
  • Data about the mobile device used: 
    • Brand and model 
    • Operating system 
    • Wi-Fi and Bluetooth signals
    • Battery status 

As you are entitled to access your purchase history for 36 months, we will store your travel history and purchase history in the app during this period. This enables you to verify continuously that the app has calculated your journeys correctly. Your travel history contains data on your completed journeys, including location data, and your purchase history contains data on your completed payments.

If you contact Rejsekort Customer Service, we will also store the personal data you provide in this connection that are of relevance to your customer relationship.

If you contact Rejsekort Customer Service by telephone, your calls may be recorded if you grant specific consent to this. The recordings are used for documentation and training purposes and are erased after 30 days on an ongoing basis. 

We also collect data on how you interact with the app, such as date and time of access, app features or pages accessed, app crashes and other system activity as well as browser type. However, we only process these data in anonymised form.

 

2.2. Data about your journeys and your location

Rejsekort as an app works by your travel activity being registered (travel data) when you use the app. In specific terms, we register location and activity data from your mobile device.

We will only register the data about you, including your location, from when you open Rejsekort as an app, during your journey and until you have checked out and your journey has been calculated. However, we do not register data about you when you are not using the app. After you have checked in, we will stop our registration of your location data again as soon as possible after you have checked out, when the system is able to determine accurately where the check out has been made. This may take longer than in areas with poor mobile signal than in areas with good mobile signal reception.

We use your location data to determine your journey and thus provide you with the correct ticket at the right price. When your journey is finished and the ticket price has been calculated, the data will also form the basis for your subsequent payment. The data we process about your journeys and your location are consequently necessary for you to be able to use the app.

If you do not check out immediately after finishing your journey, we will continue to register your location data until check out has been made. We do this as you have a valid travel document for as long as you remain checked in. When you check out at some point, your journey will be calculated and the most likely place for your journey to be finished will constitute the end destination on your ticket.

We process your location data relating to the time after you actually finished your journey by public transport to ensure:

  1. that the system is functioning correctly;
  2. that you have not misused our solution; and
  3. to enable us to service you in Rejsekort Customer Service.

For nos. 1 and 2, we do not need directly personally identifiable data, and we will therefore only process these data without the personally identifiable elements such as name, telephone number, email etc.

This means that we only store the data that it is relevant for us to process and that are relevant to your journey by public transport.

We store your travel history for the necessary period to comply with the requirements of the Danish Bookkeeping Act (Bogføringsloven).

We also process your location and activity data for the purpose of detecting and preventing misuse. Read more about our data processing aimed at detecting and preventing misuse under section 3.

The transport companies also use the data about your journeys for traffic planning purposes. Data for this purpose are only disclosed to the transport companies in aggregated, and either anonymised or pseudonymised, form.

In addition, we use data about your journeys to ensure correct distribution of revenue between the transport companies. 

 

2.3. Information about any profile blocking                                      

In certain circumstances, we may block your profile in case of misuse-like behaviour. Read more about the rules for blocking in the Terms and conditions for Rejsekort as an app, which you can find directly in the app and at www.rejsekort.dk under ‘Legal documents’.

 

3. Profiling

In the app, we use profiling to detect and prevent misuse of Rejsekort as an app.

The profiling is done by the app identifying when there is misuse-like behaviour on the finished journeys. The system attaches a point value to all journeys made to detect whether the travel pattern shows signs of misuse. On this basis, a total points score (fraud score) is generated for all customers, depending on their travel behaviour. If a customer’s total fraud score becomes sufficiently high, this will be shown in the system, and each specific case will then be handled manually.

Misuse behaviour may be sanctioned based on manual specific case processing. As a general rule, sanctioning will require that you have received one or more advance warnings related to the behaviour you have shown. In Rejsekort as an app, the profiling thus constitutes decision-making support for the administrative officers, which means that automated decisions are not used. 

 

4. Who has access to personal data?

Only trusted employees with a work-related need at Rejsekort & Rejseplan A/S and at our data processors have access to the collected personal data.

This includes employees in:

  • Transport companies. Employees of the affiliated transport companies have access to the data necessary to be able to service and administrate you as a customer. This includes your travel and payment history as well as data about you, including your name, date of birth, contact details etc.

  • IT suppliers. Our IT suppliers act as data processors and have therefore signed a data processing agreement obliging them to comply with the data protection rules, and to only process your data in accordance with our instructions on this. Our IT suppliers provide Rejsekort as an app and associated systems, among other services, and are responsible for the operation thereof. In addition, we use IT suppliers for sending emails, text messages and regular letters.

  • Analysis institutes. We provide relevant data about you, such as your name, address, telephone number, email address and case number to analysis institutes for the purpose of conducting customer satisfaction surveys for us. It is voluntary whether you wish to participate in a satisfaction survey. The analysis institutes are obliged to erase any personal data they have received once the assignment has been completed. 

4.1. Disclosure of personal data

If relevant, we disclose your personal data to the affiliated transport companies for their independent processing of cases concerning inspection fees, collection cases, customer complaints, travel time guarantee cases, financial cases, preparation of traffic analyses and service notifications. 

Correspondingly, and only if relevant, we also disclose your personal data to public authorities, for example to the Danish Civil Aviation and Railway Authority, which, among other tasks, performs a revenue distribution for certain types of revenue in public transport.

In certain situations, we also disclose personal data for use in research projects. We will only disclose personal data if we specifically assess that such disclosure is lawful, that the disclosure serves a reasoned and legitimate purpose and that it is ethically justifiable. We also ensure that the disclosed data are secured to the greatest possible extent, including through pseudonymisation, if full anonymisation of the data is not possible.

 

5. How and for how long do we store data about you?

We store your personal data in IT systems that are subject to controlled and restricted access, and on servers located in specially secured premises. We also secure your personal data with appropriate technical and organisational safeguards from registration and until erasure. We erase your personal data as soon as we no longer need them to meet the purpose for which the data were collected.

We store data about you as a customer for as long as necessary for the purposes mentioned under section 2, see the table below:

Type of personal data

Storage period

Lawfulness of processing

Master data (name, age etc.)

For as long as you are a customer with us and for five years after the end of the year in which the customer relationship has terminated (or customer relationship without activity)

For as long as you are a customer with us, Article 6(1)(b) of the GDPR Subsequently section 12 of the Danish Bookkeeping Act

Contact details (email and phone number)

For as long as you are a customer with us and until three years after your last journey

For as long as you are a customer with us, Article 6(1)(b) of the GDPR After terminated customer relationship, section 3 of the Danish Limitations Act (Forældelsesloven)

Data about selected customer type, price and balance

Five years from the end of the year which the transaction concerns

Section 12 of the Danish Bookkeeping Act

Information about your travel data, including GPS and activity data, for example check in in Ballerup on 21 October 2024 at 12:03, check out at Østerport on 21 October 2024 at 12:30)

We store travel data for three years from the date of their registration. The travel data are then stored in anonymised form for analysis purposes.

Section 3 of the Danish Limitations Act

Case data registered in connection with enquiries to Rejsekort Customer Service

Three years from the registration of the data

Section 3 of the Danish Limitations Act

Recordings of telephone calls in Rejsekort Customer Service

30 days from the recording date

Your consent, see Article 6(1)(b) of the GDPR

Data about your mobile device, brand and model, operating system etc.

Three years from registration of the data

Section 3 of the Danish Limitations Act

On specific objective grounds, deviation from these erasure deadlines will be possible, based on a specific assessment, so that the personal data are erased at an earlier or later time. This may, for example, be the case if you request erasure without ever having used the app to buy a ticket. In such case, your data may be erased earlier than stated in the form. If, on the other hand, a case is pending before the courts, the specified storage deadlines may be extended following a specific assessment.

 

Transfer of data to third countries

We only store data on servers located within the EU. However, we have suppliers based outside the EU, in Switzerland and the USA, respectively. The supplier in the USA is affiliated to the EU-U.S. Data Privacy Framework and consequently falls under the EU Commission’s adequacy decision of July 2023. Switzerland is also on the European Commission’s list of secure third countries.

 

6. Lawfulness of processing

We process your personal data based on the following lawfulness of processing:

  • When necessary for the performance of a contract with you (Article 6(1)(b) of the GDPR). This lawfulness of processing applies to the ongoing customer relationship under which you have been created as a customer in the app.
  • Where processing is necessary for our compliance with a legal obligation (Article 6(1)(c) of the GDPR). This lawfulness of processing applies as we are obliged to store data about, for example, financial transactions pursuant to section 12 of the Danish Bookkeeping Act.
  • When you have granted your consent to the processing (Article 6(1)(a) of the GDPR). This lawfulness of processing applies to telephone recordings in connection with customer enquiries to Rejsekort Customer Service.
  • When necessary for us to be able to pursue a legitimate interest (Article 6(1)(f) of the GDPR). This lawfulness of processing applies to our processing of data for use for:
    • identification and prevention of misuse, see section 3. The lawfulness of processing is identification, prevention and handling of misuse in the app. Our assessment that the purpose is legitimate and that the processing is proportional to achievement of the purpose.
    • Processing of the location data that the app collects and that are not related to your journey by public transport. This applies to the location data that are collected if, for a period of time, you fail to check out after your journey is finished. This processing is done to ensure customer service, data verification, analysis of whether the itinerary calculation in the solution works correctly, and it is our assessment that these purposes are legitimate and that the processing is proportionate to achieving the purposes.
    • When we send you push notifications that you probably forgot to check out after finishing your journey. We send these notifications to ensure data minimisation, and it is our assessment that the purpose is legitimate and that the processing is proportional to achieving the purpose.
    • Disclosure of data, see section 4.1. The legitimate interest in disclosure of the data is to support the legitimate and lawful purposes secured by the data recipients’ processing.

 

7. Your rights

Under the General Data Protection Regulation, you have a number of rights concerning our processing of your personal data: If you wish to exercise your rights, you must contact us. Please see our contact details above under section 1.

You have the following rights:

Right to see data (right of access)
You have the right to access the data that we process about you as well as various additional data.

Right to rectification (correction)
You have the right to have inaccurate data about you rectified. You also have the right to have your data supplemented with additional data if it will make your personal data more complete and/or up to date. You may do this yourself directly in the app.

Right to erasure
In special cases, you have the right to have data about you erased before the date of our ordinary general erasure of data.

Right to restriction of processing
In certain cases, you have the right to obtain restriction of the processing of your personal data. If you have the right to obtain restriction of processing, this means that, in future, we may only process data – apart from storage – with your consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person or for reasons of important public interest.

Right to object
In certain cases, you have the right to object to our otherwise lawful processing of your personal data. This only applies, however, if our processing is based on Article 6(1)(f) (legitimate interest) of the GDPR.  As stated in this Privacy Policy, this concerns the data that we process for the purpose of identification and prevention of misuse. This means that we may then no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or if the processing is necessary for the establishment, exercise or defence of legal claims.

Withdrawal of consent
You have the right to withdraw your consent at any time after you have granted it. You can do this by contacting Rejsekort Customer Service using the contact details stated above in section 1. If you choose to withdraw your consent, this will not affect the lawfulness of the processing performed before you withdrew your consent.

If you withdraw your consent, this means that we will in principle restrict the processing of your personal data by erasing or anonymising the personal data processed in accordance with your consent. As stated above in section 2.1, this concerns recordings of telephone calls if you contact Rejsekort Customer Service by telephone.

Right to transmit data (right to data portability)
In certain cases, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to have those personal data transmitted to another data controller without hindrance.


Right to complaint to the Danish Data Protection Agency

You can complain to the Danish Data Protection Agency about our processing of your personal data.

The contact details for the Danish Data Protection Agency are as follows:

Datatilsynet
Carl Jacobsens Vej 35.
DK-2500 Valby
Tel.: +45 33 19 32 00
Email:dt@datatilsynet.dk
www.datatilsynet.dk

 

8. Amendments to this Privacy Policy

We regularly review this Privacy Policy to keep it up to date and in accordance with the way Rejsekort as an app function as well as with applicable principles and legislation. The Privacy Policy may be amended without notice.

At the top of this Privacy Policy, you can always see when the policy was last updated and/or amended. Significant amendments to the Privacy Policy will be posted on our website www.rejsekort.dk together with an updated version of the Privacy Policy.