| rejsekort.dk

Valid from20 January2026

Version 2

1 Data Controller

Rejsekort & Rejseplan A/S is the data controller for the processing of personal data in connection with the registration of data in the Rejsekort system and associated systems, including Basiskort and the Self-Service solution.

See contact information under section 3 below.

2 Privacy Policy for Basiskort

Rejsekort & Rejseplan A/S places great importance on ensuring that you feel secure as a customer and when using Rejsekort & Rejseplan A/S systems, including Basiskort, the Rejsekort app, the website, and the Self-Service solution at www.mit.rejsekort.dk.

Therefore, Rejsekort & Rejseplan A/S processes the information you provide to us, and the data we collect about you in connection with your use of Basiskort and our other systems, responsibly, with respect for your privacy, and of course in accordance with applicable data protection regulations.

You can read more about how we process your information in this privacy policy, which applies specifically to the Basiskort system. If you use both Basiskort and the Rejsekort app, you should read both privacy policies, as there are differences in what information is collected and how long it is retained.

Basiskort is a physical chip card developed by Rejsekort & Rejseplan A/S, which you can use to obtain travel authorization for public transport with transport companies affiliated with Rejsekort & Rejseplan A/S.

For information about the affiliated transport companies, please refer to section 1 of the Basiskort Terms and Conditions.

3 Contact information for Data Controller and Data Protection Officer

Rejsekort & Rejseplan A/S are data controllers for the processing of personal data in Basiskort. Rejsekort & Rejseplan A/S's contact information is:

Rejsekort & Rejseplan A/S
Automatikvej 1
2860 Søborg
CVR-nr.: 27 33 20 72

Rejsekort Customer Centre Phone: 70 11 33 33

Via contact form at rejsekort.dk

By post to:
Rejsekort Customer Centre PO Box 736
2500 Valby

Contact information for Rejsekort & Rejseplan A/S's Data Protection Officer (DPO): DPO@rejsekort.dk
Phone: 70 20 40 08
Phone hours: Weekdays from 10am–3pm

4 What information do we collect and what is the purpose of the processing

Rejsekort & Rejseplan A/S processes the information you provide when creating your account in the Self-Service Solution, at the transport companies’ sales points, or via the Rejsekort Customer Center, as well as the information you provide when purchasing a Basic Card. When you start using your Basic Card as valid travel documentation, Rejsekort & Rejseplan A/S records information about your journeys and/or purchases.

General information about creating a customer account in Basiskort and the Rejsekort app:
You create a unique account that will be used across Rejsekort & Rejseplan A/S’s two products, Basiskort and the Rejsekort app, if you use both products.

This means that if you use both Basiskort and the Rejsekort app, you only need to create one account. If you update your information, the changes will apply to your account and both products.

4.1 Information when creating your profile

The information you provide in connection with creating your account is:

Your emailaddress

Your first and last name

Your address

Your birthdate

Information about the payment method linked to your account

Additionally, a system-generated unique user ID is created and linked to your account, and a customer type is assigned based on your date of birth.

4.2 Information required when creating anaccount for a user under 18 years of age

The adult legal guardian or custodian must, when creating anaccount for a user under 18 years of age (the child), provide the following information:

The child’s first and last name

The child’sbirthdate

When creating anaccount for a child, the adult must confirm via MitID lookup or by submitting documentation that the adult is at least 18 years old. No other information is collected from MitID or during age verification, apart from the confirmation that the adult is at least 18 years old.

Information about the adult’s payment method is automatically linked to the child’s account.

4.3 Information required when applying for and creating the customer type “Pensioner under 67 years of age

When applying to be registered with the customer type “Pensioner under 67 years of age,” Rejsekort & Rejseplan A/S needs to process additional personal data about you.

Your identity must be verified either through a MitID lookup or by submitting other documentation. Through the MitID lookup, Rejsekort & Rejseplan A/S receives your first name, last name, and date of birth from MitID, which are recorded on your account. If identity verification is successful, your account will be marked as identity-verified, while a failed verification will not result in any registration on your account.

As part of the application for the “Pensioner” customer type, you must consent to Rejsekort & Rejseplan A/S collecting and processing your CPR number. Rejsekort & Rejseplan A/S processes your CPR number to check whether you are already registered with the “Pensioner” customer type in the system linked to the physical Rejsekort, so that the customer type can be transferred to your Basiskortaccount. If you do not have a physical Rejsekort with the “Pensioner” customer type, your CPR number will be processed to determine whether you are registered as a recipient of early, senior, or partial pension from Udbetaling Danmark. If Rejsekort & Rejseplan A/S can identify you as a recipient of these benefits, the “Pensioner” customer type will be registered on your account. Rejsekort & Rejseplan A/S does not receive information about which specific pension benefit you receive, only general confirmation from Udbetaling Danmark.

You can withdraw your consent from the processing of your CPR number at any time. Once the application process is completed, Rejsekort & Rejseplan A/S deletes your CPR number. Therefore, in practice, withdrawing your consent after the process is completed will have no effect.

4.4 Information required when applying for and creating the customer type Disabled

When applying to be registered with the customer type “Disability,” Rejsekort & Rejseplan A/S needs to process additional personal data about you beyond what is processed for an age-based customer type.

As part of the application for the “Disability” customer type, you must consent to Rejsekort & Rejseplan A/S collecting and processing your CPR number and the information that you have the “Disability” customer type, as this is considered health-related information.

You can withdraw your consent to the processing of the “Disability” customer type information at any time. However, this will mean that you cannot travel with the “Disability” customer type for future journeys.

Rejsekort & Rejseplan A/S will temporarily process your CPR number to identify you in the system linked to the physical Rejsekort to check whether you are already registered with the “Disability” customer type and can therefore have this customer type transferred to your Basiskortaccount.

4.5 Information when purchasing a Basiskort

The information you provide when purchasing a Basiskort includes:

Delivery address (including C/O name on mailbox)

Acceptance of card terms

Information about linked payment method

When purchasing a Basiskort via the Self-Service solution or the Rejsekort Customer Center, the system generates an order number to process your request. The system also creates a card number, which is printed on your Basiskort and linked to your account.

4.6 Information when using the Basiskort as valid travel entitlement

Rejsekort & Rejseplan A/S register the following in connection with your travels:

Time and place of check-in and check-out

Start and end station/stop, as well as intermediate stations/stops on your calculated route

For journeys where route calculation is not possible, only check-in and/or check-out time and location are registered

Selected customer type and price, including any number and type of accompanying travelers

The travel information is registered to provide you with valid travel entitlement while checked in and to serve you as a customer and document the travel cost. Additionally, the travel data is used to detect and prevent misuse of the Basiskort and to comply with applicable laws such as accounting and payment legislation.

4.7 Travel and purchase history

You can view your travel history and complete payments by logging into the Self-Service solution once you have started using your Basiskort. If you have checked in multiple travelers, you will also be able to see them here.

Since you have the right to review and, if necessary, dispute the calculation of your journeys, Rejsekort & Rejseplan A/S stores your travel history and completed payments for 36 months.

If you pay for a user under 18 years of age in Basiskort and/or the Rejsekort app, you will also be able to see the payment and an overview of their travel history (start and end station/stop). As users under 18 cannot add a payment method in Basiskort, they do not have access to completed payments but can view their travel history in the Self-Service solution.

4.8 Information when contacting the Rejsekort Customer Center

If you contact Rejsekort Customer Center by phone, via the contact form in the Self-Service solution, or through the website www.rejsekort.dk, Rejsekort & Rejseplan A/S will also store the personal data you provide in connection with this contact, insofar as it is relevant to your customer relationship.

When contacting Rejsekort Customer Center by phone, your calls will be recorded if you give consent. The recordings are used for documentation and training purposes and are deleted after 30 days. You can withdraw your consent at any time by contacting Rejsekort Customer Center.

Profiling for the purpose of detecting and preventing misuse.

5 Rejsekort & Rejseplan A/S uses profiling to find and prevent fraud

Profiling takes place when the system identifies behavior resembling misuse in completed journeys. Each journey is automatically checked for signs of misuse. The system assigns a point value to each individual journey as an indicator of whether the travel pattern for that journey shows signs of misuse. The system calculates the point value separately for each journey. The system stores all the generated point values per customer, and these values are used as part of any specific manual case handling in the event of suspected misuse.

A more detailed description of the handling of misuse can be found in the Terms and Conditions for the Basiskort, which you can access directly in the Self-Service solution and on www.rejsekort.dk under Legal documents.

In the Basic Card system and the Rejsekort app, profiling serves as decision support for caseworkers, and therefore no automated decisions are made.

5.1 Information on possible account blocking

Rejsekort & Rejseplan A/S may, under certain circumstances, block your account in cases of misuse-like behavior, preventing you from using both Basiskort and the Rejsekort app. In such cases, Rejsekort & Rejseplan A/S will store information about this.

A detailed description of how misuse is handled can be found in the Terms and Conditions for Basiskort, which you can access directly in the self-service solution and onwww.rejsekort.dk under Legal documents.

6 Who has access to personal data?

Only employees with a work-related need at Rejsekort & Rejseplan A/S and the following data processors have access to the collected personal data:

This includesemployees at:

Transport companies:
Relevant staff at the affiliated transport companies have access to information necessary for managing and servicing your customer relationship. This includes travel and payment history as well as information about you, such as name, date of birth, contact information,information about your Basiskort, etc.

Affiliated transport companiesinclude:

GoCollective

Metroselskabet

Fynbud

Movia
Nordjyllands Trafikselskab

Midttrafik

Sydtrafik

Hovedstadens Letbane

IT suppliers:
Rejsekort & Rejseplan A/S’ IT suppliers act as data processors and have therefore signed a data processing agreement, which obliges them to comply with data protection regulations and only process your information in accordance with Rejsekort & Rejseplan A/S’ instructions. Rejsekort & Rejseplan A/S’ IT supplier, Fairtiq, provides and operates, among other things, the Basic Card and associated systems, while the supplier Idemia produces the physical cards including linking relevant customer data, and the supplier Prodata is responsible for the Check Points.

In addition, Rejsekort & Rejseplan A/S also uses the IT suppliers MailJet and Amazon Simple Email Service for sending emails, as well as VIPPS MobilePay and Frisbii for payment processing, and Lector for other case management.

6.1 Disclosure of personal data

When you order a Basic Card, Rejsekort & Rejseplan A/S discloses an order number to the card manufacturer along with information for the production and delivery of the card, including your name and delivery address (including postal code). Once the card manufacturer has produced the card, the order number, order status, and card number are disclosed to the Basic Card system provider.

If relevant, Rejsekort & Rejseplan A/S discloses necessary personal data, including travel history, journey price, and number in pseudonymized form to the affiliated transport companies for revenue sharing and settlement, as well as for their independent processing of financial matters, traffic analyses, and planning pursuant to the Act on Public Transport Companies.

If relevant, Rejsekort & Rejseplan A/S discloses necessary personal data in immediately identifiable form to the affiliated transport companies for their independent processing of penalty fare cases, debt collection cases, customer complaints, travel time guarantee cases, and financial matters. Rejsekort & Rejseplan A/S discloses the necessary personal data to the affiliated transport companies under GDPR Article 6(1)(f), as Rejsekort & Rejseplan A/S pursues a legitimate interest in safeguarding the transport companies’ ability to enforce their claims under agreements with customers, and as customers’ interests do not override this.

Similarly, and only if relevant, Rejsekort & Rejseplan A/S discloses your personal data to public authorities, primarily the Danish Transport Authority, which, among other things, handles revenue sharing for certain public transport income.

Furthermore, Rejsekort & Rejseplan A/S discloses relevant information about you, such as name, address, email address, and case number to the research institutes Wilke, Epinion, and Axcessnordic for the purpose of conducting voluntary customer satisfaction surveys for Rejsekort & Rejseplan A/S. The research institutes delete the received personal data once the task is completed. Rejsekort & Rejseplan A/S considers that it is lawful to disclose the necessary personal data to the research institutes mentioned, as the customer satisfaction surveys are carried out for a compatible purpose, ensuring continuous optimization of customer relations, including Rejsekort & Rejseplan A/S’ solutions and processes.

In addition, Rejsekort & Rejseplan A/S discloses personal data in certain situations for research projects. Rejsekort & Rejseplan A/S only discloses personal data if it specifically assesses that the disclosure is lawful, serves a legitimate purpose, and is ethically defensible. Rejsekort & Rejseplan A/S also ensures that the disclosed data is protected to the greatest possible extent, including through pseudonymization if full anonymization is not possible.

7 How and for how long is information about you stored, including the legal basis?

Rejsekort & Rejseplan A/S stores your personal data in IT systems with controlled and restricted access and on servers hosted by AWS Amazon within the EU. Rejsekort & Rejseplan A/S also protects your personal data with appropriate technical and organizational security measures.

Rejsekort & Rejseplan A/S retains data about you as a customer as long as necessary for the purposes mentioned under section 4, as per the table below:

Typeof Personal Data	RetentionPeriod	Legal Basis
Master data (name, age, etc.).	As long as you are a customer and up to 5 years after the end of the year in which the customer relationship ended (or inactive).	GDPR Art. 6(1)(b) while a customer; thereafter Danish Bookkeeping Act §12
Contact details (email and optional phone number).	As long as you are a customer and up to 3 years after your last journey.	For as long as you are a customer with us, GDPR Article 6(1)(b). After the customer relationship ends, GDPR Article 6(1)(f), as we consider that we have a legitimate interest in being able to document this information in connection with any claim you may make against us until the limitation period of 3 years, cf. Section 3 of the Danish Limitation Act.
Information that, as an adult, you have been age-validated (confirmed to be at least 18 years old) in connection with linking a child to youraccount.	For as long as you are a customer withusthis information solely enables the option to register a child under 18 years.	For as long as you are a customer with us, GDPR Article 6(1)(b).
CPR number, if you apply for the customer type Disability or Pensioner (under 67 years).	For as long as Rejsekort & Rejseplan A/S processes your application, after which your CPR number will be deleted.	Your consent, cf. GDPR Article 6(1)(a).
Information that, as a customer, you have been identity-validated in connection with being registered with the customer type Disability or Pensioner (under 67 years).	For as long as you are a customer with us and up to 3 years after you have made your last journey using public transport and the final transaction has been completed.	For as long as you are a customer with us, GDPR Article 6(1)(b).
Information linked to your purchase and delivery ofBasiskort.	1 month after the order is received.	For as long as it is necessary to handle your Basic Card order, GDPR Article 6(1)(b).
Information about your customer type, the number and types of additional travelers, the price of journeys, as well as your card number.	5 years from the end of the year the transaction relates to.	GDPR Article 6(1)(b), for as long as you are a customer with us, and after the end of the customer relationship GDPR Article 6(1)(c), cf. Section 12 of the Danish Bookkeeping Act. Customer type ‘Disability’ is based on obtained consent (GDPR Article 9(2)(a) and Article 6(1)(a).
Data on your journeys, including time and place of check-in and check-out and calculated route (start, end, and intermediate stops).	We store travel data (your journeybypublic transport) for 3 years from the date the information is recorded. After this period, the travel data is stored inanonymisedform for analytical purposes.	GDPR Art. 6(1)(f), as we consider that we have a legitimate interest in being able to document this information and the calculated route and price in connection with any potential claim you may raise against us until the limitation period of 3 years has expired, cf. the Danish Limitation Act §3.
Case datarecordedwhen contacting Rejsekort Customer Centre via phone, contact form from Self-Servicesolution, or website.	3yearsfromregistration.	GDPR Art. 6(1)(f), as we consider that we have a legitimate interest in being able to document this information in connection with any potential claim you may raise against us until the limitation period of 3 years has expired, cf. the Danish Limitation Act §3.
Recordings of phone calls to Rejsekort Customer Center.	30 days from the time of recording.	Your consent, GDPR Art. 6(1)(a).

These deletion periods may, following a specific assessment, be deviated from so that personal data is deleted earlier or later if there are specific, legitimate reasons for doing so. For example, this may be the case if you request deletion and it has been a long time since you used your Basiskort to purchase a ticket/travel document. In such a case, your data may be deleted earlier than stated in the table. Conversely, if, for example, a court case is pending, the retention periods stated may, following a specific assessment, be extended beyond what is indicated in the table.

If you also use the Rejsekort app, you can find the specific retention periods in the Privacy Policy for the Rejsekort app, which is available at on www.rejsekort.dk under Legal documents.

Transfer of data to third countries
Rejsekort & Rejseplan A/S only stores data on servers located within the EU. However, some suppliers are located outside the EU, specifically in Switzerland and the USA. The US supplier is part of the EU-U.S. Data Privacy Framework and thereby subject to the European Commission’s adequacy decision from July 2023. Switzerland is also on the European Commission’s list of safe third countries.

8 Your rights

Under the General Data Protection Regulation (GDPR), you have several rights regarding Rejsekort & Rejseplan A/S’s processing of your personal data. To exercise your rights, please contact us using the details provided above in section 3.

Your rights are:

Right of access (right to view your data)
You have the right to access the personal data that Rejsekort & Rejseplan A/S processes about you.

Right to rectification (correction)
You have the right to have incorrect information about yourself corrected. You also have the right to have your information supplemented with additional details if this will make your personal data more complete and/or up to date. You have the option to correct your account information yourself directly in the Self-service solution.

Right to erasure
In exceptional cases, you have the right to have your personal data erased before the time of Rejsekort & Rejseplan A/S’ standard general deletion. Whether your data can be erased earlier will depend on a specific assessment.

Right to restriction of processing
In certain cases, you have the right to have the processing of your personal data restricted. If you exercise this right, Rejsekort & Rejseplan A/S may thereafter only process the data – apart from storage – with your consent, or for the establishment, exercise or defence of legal claims, or to protect an individual or important public interests.

Right to object

You have the right in certain cases to object to Rejsekort & Rejseplan A/S’s otherwise lawful processing of your personal data. This only applies if the processing is based on Article 6(1)(f) of the GDPR (legitimate interest). Rejsekort & Rejseplan A/S may thereafter only process your personal data if Rejsekort & Rejseplan A/S can demonstrate compelling, legitimate grounds for the processing that override your interests, rights and freedoms, or if the processing is necessary for the establishment, exercise or defence of legal claims.

Withdrawal of consent

If you have given consent, you have the right to withdraw it at any time. You can do so by contacting Rejsekort Customer Centre using the contact information provided in section 3. Withdrawing your consent does not affect the legality of processing based on your consent before withdrawal.

Upon withdrawal, Rejsekort & Rejseplan A/S will as a rule limit future processing of your personal data by deleting or anonymising data that was processed based on your consent.

Right to data portability
In certain situations, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit this data to another controller without hindrance.

9 Right to complain to the Danish Data Protection Agency

If you are not satisfied with Rejsekort & Rejseplan A/S’ processing of your personal data, or if you have any questions, you are welcome to contact us.

You can file a complaint about Rejsekort & Rejseplan A/S’s processing of your personal data with the Danish Data Protection Agency.

The Agency’s contact details are:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby
Phone: +45 33 19 32 00
Email: dt@datatilsynet.dk
www.datatilsynet.dk

10 Cookies

Rejsekort & Rejseplan A/S uses cookies on the self-service solution www.rejsekort.dkif you give consent, unless they are necessary cookies.

The consent collection solution complies with applicable regulations, including the Danish Data Protection Agency’s guidelines on processing personal data about website visitors.

A cookie is a small text file stored on your device through your browser. The cookies used by Rejsekort & Rejseplan A/S cannot contain viruses.

Necessary cookies help make a website usable by enabling basic functions. Preference cookies make it possible to remember information such as your preferred language. Statistical cookies provide insights into how visitors use www.rejsekort.dk

Access to information from cookies:
Relevant employees at Rejsekort & Rejseplan A/S have access to the collected information. In addition, information is shared in the form of statistics and similar data, without specifying individual IP addresses, with affiliated transport companies to gain better knowledge about website usage.

11 Changes to this Privacy Policy

Rejsekort & Rejseplan A/S regularly reviews this Privacy Policy to keep it up to date and in accordance with how the Basiskort and the Self-Service solution operate, as well as applicable principles and legislation.

Significant changes to the Privacy Policy will be announced on Rejsekort & Rejseplan A/S’s website www.rejsekort.dk or alongside an updated version of the Privacy Policy. You can also always find the latest version of the Privacy Policy by logging into the Self-Service solution.