WCAGGoToMainContent

Privacy Policy for Rejsekort as an app

Valid from 11th June, Version 4.

Data Controller

Rejsekort & Rejseplan A/S is the data controller for the processing of personal data in connection with the registration of information in the Rejsekort system and related systems, including personal data registered via the Rejsekort app and the website, www.rejsekort.dk. Our contact details are as follows:

Rejsekort & Rejseplan A/S
Automatikvej 1
2860 Søborg
CVR No.: 27 33 20 72

Rejsekort & Rejseplan A/S’ Data Protection Officer (DPO) can be contacted at: DPO@rejsekort.dk or by phone at +45 70 20 40 08 on weekdays between 10:00 AM and 15:00 PM.

For further contact information, see section 1 below.

Privacy policy for Rejsekort as an app

At Rejsekort & Rejseplan A/S, it is important to us that you feel comfortable being our customer. 

 

Therefore, we process your personal data responsibly, with respect for your privacy and in accordance with all relevant legislation, including the General Data Protection Regulation.

 

You can read more about our processing of your data and a description of your rights in this privacy policy.

 

You can always see at the top of our privacy policy when the policy was last updated and/or changed.

Rejsekort as an app is a mobile application (hereinafter referred to as "app" or "the app") developed by Rejsekort & Rejseplan A/S, in which you can purchase a valid ticket (travel document) for public transport from transport companies affiliated with Rejsekort & Rejseplan A/S. For information about the affiliated transport companies, see section 3 in Terms and conditions for Rejsekort as an app.

 

1. Contact details of the data controller and data protection officer

Rejsekort & Rejseplan A/S is the data controller for the processing of personal data in Rejsekort as an app. Our contact details are:

 

Rejsekort & Rejseplan A/S
Automatikvej 1
2860 Søborg, Denmark
CVR no.: 27 33 20 72

 

Rejsekort Customer Service Phone: 70 11 33 33 33

 

Via contact form at https://www.rejsekort.dk/rejsekort_app/Kontaktformular

 

By letter to:
Rejsekort Customer Service PO Box 736
2500 Valby, Denmark

 

Contact details for our Data Protection Officer (DPO) are
DPO@rejsekort.dk
Phone: 70 20 40 08

Phone hours are weekdays between 10AM-15PM.

2. What data do we collect and what is the purpose of the processing

2.1. Information about your journey, location and activity in connection with your use of Rejsekort as an app 

We process the information you provide when you register as a user of Rejsekort as an app. We also process a number of data that is created through your use of the app. 

The information that you need to provide when creating a profile is:  

• Your mobile phone number 

• Your email address

• Your first and last name 

• Your date of birth 

• Information about the associated payment method

A system-generated unique user ID is also created and linked to your profile

Information when creating a user under the age of 18

If you are under the age of 18, your profile must be created by an adult who is either a holder of parental authority or a legal guardian.

The adult holder of parental authority or guardian must, in connection with creating a profile for a user under the age of 18, provide the following information:


• The child’s first and last name
• The child’s date of birth

 

When creating a profile for a child, the adult must be age-validated using MitID to confirm that the adult is at least 18 years old. If the MitID validation is successful, this will be registered with a check mark next to age validation on the adult’s profile, while a failed validation will not result in any registration on the adult’s profile. No other information is collected from MitID than the confirmation that the adult is at least 18 years old.

 

The adult’s payment method is automatically linked to the profile of the user under the age of 18. Users under the age of 18 must provide their own mobile phone number, while an email address is optional.

 

Information about multiple travellerschecked in on your profile

Once you have created your profile, and you choose to check in multiple travellers when using the app, we register this on your journey in order to calculate the correct fare.
We only register which customer types you check in and the number of travellers per customer type on the journey.

 

Location and activity information

Once you have created your profile and use the app to purchase a ticket for public transport, we register the necessary location information (GPS) and activity information (motion sensors) from your mobile phone in order to deliver the Rejsekort service.

 

The app only has access to data that is necessary to provide you with a valid ticket for public transport with the participating transport operators, and it only has access to this data when you open the app and between check-in and check-out – even though on iPhone you must select 'Always allow' for location sharing.

Rejsekortas an app works by registering your travel activity when you use the app. Specifically, we register location information and activity data (motion sensors) from your mobile device.


We register location and activity data from the moment you open Rejsekort as an app, during your journey from check-in to check-out, and until your journey has been calculated. However, we do not register location or activity data when you are not using the app – for example, when it is running in the background on your phone or when you are not checked in. In other words, we only register and collect data on your phone or in the Rejsekort system when you have the app open, and we only register information locally on your phone if the app is closed again without check-in.

 

We start registering your location when you open the app.
Your location is registered locally on your phone in 5-minute intervals, after which the data is overwritten. This is done to find the nearest station or stop, which becomes the starting location when you check in. If you open and close the app without checking in, the registered location data prior to check-in will not be saved on your phone, nor will we collect this data. If you open the app and check in, we only collect location data for a maximum of the last 2 minutes prior to check-in (i.e. from when you open the app until you have checked in) in order to verify that the stop identified by the system is the correct one.

When you check in, we register the time and place of check-in, and the app then tracks your location and activity until you have checked out again. When you check out, we register the location that marks the end of the journey. This is done to provide you with a valid ticket for the entire journey by generating the correct ticket that corresponds to your travel route and the means of transport used, as well as to calculate the correct fare. Once you have checked out and the system has calculated your journey, we no longer register your location or activity.

 

Rejsekort as an app therefore only collects data when the app is searching for a station or stop, when you are actively travelling, and until you either check out yourself or use Smart check-out, and are thereby automatically checked out of the app.

 

Once you have checked out, we stop registering your location and activity data as soon as possible after the system has been able to accurately determine where the check-out took place.
In areas with poor mobile signal, this may take longer than in areas with good mobile signal.

 

If you do not check out immediately after ending your journey, we will continue to register your location and activity data until check-out has been performed either manually by you or automatically by the system. We do this to ensure that you have a valid travel entitlement as long as you are checked in. Once you or the system checks out, your journey will be calculated, and the most likely place where your journey actually ended will be used as the final destination of your journey.

 

In the above cases, we process the location and activity data that relate to the time between the end of your journey by public transport and the check-out, in order to ensure:

  1. that the system functions correctly, including correction of system errors and system improvement

  2. that you have not misused our solution, and

  3. that we can assist you at Rejsekort Customer Centre

  4.  

For point 1, we store and process the personal data in pseudonymised form, i.e. where the personal data is masked and cannot immediately be linked to you without additional information.

For points 2 and 3, we need to process and store the personal data in directly identifiable form, as we need to know the identity of the individual customer – for example, to correct travel information where a final destination has been incorrectly calculated.

 

We store the location and activity data (motion sensors) collected from 5 minutes after exiting the last means of public transport until check-out has been completed in pseudonymised form for 2 months for the purpose of system improvements and correction of system errors, after which the data is deleted.
This information is also stored in directly identifiable form for 2 months for the purposes of:

  1. preventing misuse of the application, and

  2. supporting the work of Rejsekort Customer Centre, including the correction of any errors in journeys.

If more than 30 minutes pass between two modes of transport (e.g. bus and train), the location and activity data (motion sensors) is deleted according to the following rules:
• The transit time from five minutes after the first mode of transport until five minutes before the next mode of transport is deleted after 2 months
• The first five minutes after the first mode of transport and the five minutes just before the next mode of transport are retained as part of your journey data and are deleted only after 36 months

Thus, it is only your actual location and activity data related to your journey by public transport (including the 5 minutes before and 5 minutes after your registered journey with a public transport vehicle) that is stored for 36 months.

 

We also process your location and activity data (motion sensors) for the purpose of detecting and preventing misuse.
Read more about our processing to detect and prevent misuse under point 3.

 

At the same time, we use the data in pseudonymised form to train the system’s algorithms so that journey calculation can become more accurate, to identify and correct system errors, and to develop new features that can improve the app’s user-friendliness.

 

Information about your mobile device, settings, and use of the app

To ensure the app functions correctly and to be able to assist you if you experience problems with the app, we also process certain technical information. This includes:
· Your IP address and your device ID
· Your ticket settings, including customer type and any applicable discount level
· Information about the mobile device used:
o Brand and model
o Operating system
o Wi-Fi and Bluetooth signals
o Battery status

 

We also collect data on how you use the app, such as the date and time of access, app features or pages accessed, app crashes and other system activity, as well as browser type. However, this data is onlyprocessed in anonymised form.

 

Information about travel history and purchase history

As you are entitled to access your purchase history for 36 months, we store your travel history and purchase history in the app for this period. This is done so you can continuously ensure that the app has calculated your journeys correctly. If you have checked in multiple travellers on your journey in Rejsekort as an app, you will also be able to see this in your travel and purchase history. It is also done to allow Rejsekort Customer Centre to assist you if, for example, you have identified an error in your journey.

 

Your travel history contains information about your completed journeys, including location data up to 5 minutes after the final destination, and your purchase history contains information about your completed payments. If you pay for a user under the age of 18 in Rejsekort as an app, you will also be able to see the payment and general travel history in your purchase history.

Since users under the age of 18 cannot add a payment method in Rejsekort as an app themselves, they also do not have access to a purchase history, but they can access their travel history in the app.

 

Information when contacting Rejsekort Customer Centre

If you contact Rejsekort Customer Centre by phone, via the contact form in the app, or through the website, we will also store the personal data you provide in that connection that is relevant to your customer relationship.

When contacting Rejsekort Customer Centre by phone, your call will be recorded if you give explicit consent. The recordings are used for documentation and training purposes and are continuously deleted after 30 days.

 

3. Profiling for the purpose of detecting and preventing misuse of the app

 

In the app, we use profiling to detect and prevent misuse of Rejsekort as an app.

 

Profiling is conducted by the app identifying misuse-like behavior during completed journeys. This occurs within the system, where each journey is automatically checked for signs of misuse-like behavior. The system assigns a score to all completed journeys based on whether the travel pattern indicates potential misuse. Previous behavior and scores are not considered in this calculation. Based on this, an overall point tally (a "fraud score") is generated for all customers, depending on their travel behavior. If a customer's overall fraud score becomes sufficiently high, it will be flagged in the system, after which a specific manual case review will take place. During the review of the overall point tally, previous behavior and scores will be taken into consideration.

 

Misuse-like behavior may result in sanctions, such as being blocked from using the app, based on a manual case review. Generally, sanctions will require that you have received one or more warnings related to the observed behavior beforehand. In Rejsekort as an app, profiling thus serves as decision support for caseworkers, and no automated decisions are made.

 

3.1. Information about any profile blocking

 

Under certain circumstances, we may block your profile in the event of abusive behavior. Read more about the rules for blocking in the Terms and Conditions for Rejsekort as an app, which you can find directly in the app and at www.rejsekort.dk under "Terms and Conditions".

 

4. Who has access to personal data?

 

Only employees with a work-related need at Rejsekort & Rejseplan A/S and at our data processors have access to the personal data collected.

 

This includes employees in:

  -Public Transport Operator

   Relevant employees in the affiliated Public Transport Operators have access to the information necessary to serve and manage your customer relationship. This includes your travel and payment history, as well as personal information about you, such as your name, date of birth, and contact details.

 

  • The Public Transport Operators are:

  • GoCollective

  • DSB

  • Metroselskabet

  • Fynbus

  • Movia

  • Nordjyllands Trafikselskab 

  • Midttrafik

  • Sydtrafik-

 

- IT supplier

Our IT supplier, Fairtiq, acts as a data processor and has signed a data processing agreement and a confidentiality declaration, which legally binds them to comply with data protection regulations. This means they are only allowed to process your personal information in accordance with our instructions. Fairtiqis responsible for delivering and operating Rejsekort as an app and its associated systems.

Additionally, we use the following IT suppliers to support various functions within the system: MailJet, Amazon Simple Email Service, and LINK Mobility are used for sending emails and SMS notifications to Rejsekort users. VIPPS MobilePay, Billwerk+, and Lector handle payment processing and other administrative case management.

 

 

4.1 Disclosure of personal data

If applicable, we will disclose your personal data, including journey history, journey price and number (not GPS points), in pseudonymous form to the affiliated Public Transport Operators in connection with revenue sharing and settlement with them and for their independent processing of financial matters, cf. the Act on Transport Companies.

 

If relevant, we will disclose your personal data in directly personally identifiable form to the affiliated transport operators in connection with their independent processing of control fee cases, collection cases, customer complaints, journey duration guarantee cases and financial cases. It is assessed that we can lawfully disclose the necessary personal data to the affiliated Public Transport Operators on the basis of Article 6(1)(f) of the General Data Protection Regulation, as RKRP and Public Transport Operators in question thereby pursue a legitimate interest in protecting and collecting their claims under the agreements with the customers, and as the customers' interests do not override this.

 

Similarly, and only if relevant, we will disclose your personal data to public authorities, e.g. to the Danish Transport Authority, which, among other things, performs revenue sharing for certain revenues in public transport.

 

We disclose relevant information about you, such as your name, address, phone number, email address, and case number, to the research institutes Wilke, Epinion, and Axcessnordic for the purpose of conducting customer satisfaction surveys on our behalf. Participation in a satisfaction survey is voluntary. The research institutes are required todelete the received personal data once the task has been completed. We assess that we are legally permitted to share the necessary personal data with these research institutes, as the customer satisfaction surveys are conducted for a compatible purpose that ensures the continuous optimization of customer relations, including our solutions and processes. 

 

Additionally, we disclose personal data in certain situations for use in research projects. We only disclose personal data if we specifically determine that it is lawful to do so, that the disclosure serves a legitimate and justifiable purpose, and that it is ethically responsible. Furthermore, we ensure that the disclosed information is secured to the greatest extent possible, including through pseudonymization, if full anonymization of the data is not feasible.

5. How and for how long do we store information about you?

We store your personal data in IT systems with controlled and restricted access and on servers locatedat AWS Amazon in Ireland. We also secure your personal data with appropriate technical and organisational security measures from the time of registration until deletion. We delete your personal data as soon as we no longer need it to fulfil the purpose for which it was collected. 

We store information about you as a customer for as long as it is necessary for the purposes mentioned in section 2, cf. the table below:

Type ofpersonaldata

Storage time

Legal basis

Master data (name, age, etc.)

For as long as you are our customer and until 5 years after the end of the year in which the customer relationship has ended (or customer relationship without activity)

As long asyou are our customer, GDPR art. 6(1)(b). Then section 12 of the Danish Bookkeeping Act.

Contact details (email and phone number)

For as long as you are our customer and until 3 years after your last trip

As long asyou are our customer, GDPR art. 6(1)(b).After the end of the customer relationshipin accordance withGDPR article 6(1)(f), as we assess that we have a legitimate interest in beingable to document this information in connection with any claim you may make against us up to the limitation period of 3 years, cf.§ 3 of the Limitation Act.

Information that you as an adult have been age-validated (confirmed to be at least 18 years old) in connection with linking a child to your profile

As long asyou are a customerwithus,the information solely enables theoptionto create a profile for a child under the age of 18.

 

As long asyou are a customerwithus, GDPR Article 6(1)(b).

 

Informationselectedcustomer type,numberand types of customers on multipletravellersand price.

5 years from the end of the year to which the transaction relates.

GDPRArt.6(1)(b) andSection 12 of the Bookkeeping Act

Information about your mobile device, brand and model, operating system, etc.

 

3 yearsfromthe registration of the information.

 

GDPR Article 6(1)(f), as we assess that we have a legitimate interest in being able to document this information in connection with any claim you may make against us up until the limitation period of 3 years, cf. Section 3 of the Danish Limitation Act.

 

Information about your travel data, including location data (GPS) and activity data from the start to the end of the journey (the part of the journey involving public transport)

For example: location data collected from the moment you board the S-train line A until you get off the S-train again.

 

We store travel data for 3 years from the time the data is registered. After that, travel data is stored inanonymisedform for analysis purposes.

GDPR Art. 6(1)(f), as we consider that we have a legitimate interest in being able to document this information and the calculated route and price in connection with any claim you may make against us up to the limitation period of 3 years, cf. section 3 of the Danish Limitation Act

Location data collected from check-in until the start of the journey (not part of the journey in public transport)

For example: location data collected from the moment you check in until you boardthe S-train line A.

 

Location and activity data aredeletedafter 2 months –with regard todata beyond 5 minutes before the start of the journey with the first public transport vehicle.

The data isretainedfor anadditional2 months in backup for technical reasons.

 

GDPR Art. 6(1)(f), as we consider that we have a legitimate and objective interest in detecting and preventing fraud with the app as well as making system improvements and fixing system errors for the benefit of all public transporttravellers.

 

Location data collected between two “connected” journeys by public transport, where no check-out has occurred before the final part of the journey – and where the time between the two journeys exceeds 30 minutes

For example: location data collected from the moment you get off the S-train line A until you board the Metro line M2.

 

Location and activity data aredeletedafter 2 months –with regard todata beyond 5 minutes after thefinal destinationof the first public transport vehicle and until 5minutes before the start of the next public transport journey.

The data isretainedfor anadditional2 months in backup for technical reasons.

 

GDPR Article 6(1)(f), as we assess that we have a legitimate and lawful interest in detecting and preventing misuse of the app, as well as in making system improvements and correcting system errors forthe benefit of all public transport users.

 

Location and activity data related to the period from thefinal destination/end of the journey by public transport and until check-out (i.e.the period not related to the public transport journey)

For example: location data collected after you get off Metro line M2 until your check-out.

 

Location and activity data aredeletedafter 2 months –with regard todata beyond 5 minutes after the end of the journey

After this period, the data isdeletedfrom the system andretainedfor anadditional2 months in backup for technical reasons.

 

GDPR Article 6(1)(f), as we assess that we have a legitimate and lawful interest in detecting and preventing misuse of the app, as well as in making system improvements and correcting system errors for the benefit of all public transport users.

 

We store this information for 30 days from the journey for customer service purposes.

 

GDPR Article 6(1)(f), as we assess that we have a legitimate and lawful interest in being able to correct any incorrectly calculated journey, so that you are chargedin accordance withthe journeyactually made.

 

Case information registered in connection with inquiries toRejsekortCustomer Centre
via phone, contact form in the app, or on the website.

 

3 yearsfromthe registration of the data.

GDPR Article 6(1)(f), as we assess that we have a legitimate interest in being able to document this information in connection with any claim you may make against us up until the limitation period of 3 years, cf. Section 3 of the Danish Limitation Act.

 

Recordings of telephone calls atRejsekortCustomer Centre

 

30 days from the time of the recording.

 

Your consent, cf. GDPR Article 6(1)(a).

 

These deletion deadlines may, after a specific assessment, be deviated from so that the personal data is deleted at an earlier or later date if there are specific, objective reasons for this. This may be the case, for example, if you request deletion without ever having used the app to buy a ticket/ticket dokument. In such a case, deletion of your data may take place earlier than the time specified in the form. If, on the other hand, a case is pending before the courts, the specified retention periods may be extended after a specific assessment. 

Transfer of data to 3rd countries

We only store data on servers located within the EU. However, we have suppliers based outside the EU, in Switzerland and the United States, respectively. The supplier in the US is affiliated with the EU-U.S. Data Privacy Framework, and is thus subject to the EU Commission's adequacy decision from July 2023. Switzerland is also on the EU Commission's list of secure third countries. 

6. Legal basis for processing operations

We process your personal data based on the following processing bases:

  • When necessary to fulfil an agreement with you (Article 6(1)(b) of the GDPR). This processing basis applies in the ongoing customer relationship where you are registered as a customer in the app. 

 

  • When it is necessary for us to fulfil a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). This basis for processing applies as we are obliged to retain information about, among other things, financial transactions pursuant to section 12 of the Bookkeeping Act. 

 

  • When you have given your consent to the processing (Article 6(1)(a) of the General Data Protection Regulation). This processing basis applies to telephone recordings in connection with customer enquiries to Rejsekort Customer Service.

 

  • When it is necessary for us to fulfil a legitimate interest (Article 6(1)(f) of the General Data Protection Regulation). This basis for processing applies to our processing of data for the purposes of:

  • Identification and prevention of misuse, cf. section 3. The legitimate interest in this processing is the identification, prevention, and handling of misuse in the app. We assess that the purpose is legitimate and that the processing is proportionate in relation to achieving this purpose.

  • Processing of location data collected by the app that is not related to your journey using public transport. This includes location data collected if you fail to check out after completing your journey. This processing is carried out to ensure that customer service has the ability to correct data, to analyze whether the route calculation in the system functions correctly, and to prevent and manage fraud. We assess that these purposes are legitimate and that the processing is proportionate in relation to achieving these purposes.

  • Disclosure of information, cf. section 4.1. The legitimate interest in disclosure is to support the legitimate and lawful purposes for which the recipients of the information process the data.

 

 

7. Your rights

You have a number of rights under the General Data Protection Regulation in relation to our processing of your personal data. If you want to exercise your rights, please contact us. See our contact details above under point 1.

 

Your rights are:

Right to see information (right of access)
You have the right to access the personal data we process about you.

 

Right to rectification (correction)
You have the right to have inaccurate information about yourself corrected. You also have the right to have your data supplemented with additional information if it will make your personal data more complete and/or up-to-date. You have the option to correct your profile information yourself directly in the app.

 

Right to erasure
In special cases, you have the right to have data about you erased before the time of our regular general erasure occurs.

Right to restriction of processing
In certain cases, you have the right to have the processing of your personal data restricted. If you have the right to have the processing restricted, we may in future only process the data - except for storage - with your consent, or for the establishment, exercise or defence of legal claims, or to protect a person or important public interests.

Right to object
In certain cases, you have the right to object to our otherwise lawful processing of your personal data. This only applies if our processing is based on Article 6(1)(f) (legitimate interest) of the General Data Protection Regulation.  As stated in this Privacy Policy, this relates to the data we process for the purposes of identification and prevention of misuse. We may then no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing also is necessary for the establishment, exercise or defence of legal claims.You can also object to the processing of your information for direct marketing purposes.

 

Withdrawal of consent
You have the right to withdraw your consent at any time if you have given it. You can do this by contacting the Rejsekort Customer Service at the contact details stated above in section 1. If you choose to withdraw your consent, this will not affect the legality of the processing carried out before you withdrew your consent.

 

If you withdraw your consent, this means that we generally restrict the future processing of your personal data by deleting or anonymising the personal data processed in accordance with the consent. As stated above in section 2.1, this concerns recordings of telephone conversations when contacting the Rejsekort Customer Service by telephone.

 

Right to transmit data (data portability)
In certain cases, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to have this personal data transferred to another data controller without hindrance.

 

Right to complain to the Danish Data Protection Agency

 

You can complain about our processing of your personal data to the Danish Data Protection Agency.

 

The Danish Data Protection Agency has the following contact details:

Danish Data Protection Agency
Carl Jacobsens Vej 35.
2500 Valby, Denmark
Phone: +45 33 19 32 32 00
Mail: dt@datatilsynet.dk
www.datatilsynet.dk

8. changes to this privacy policy

We regularly review this privacy policy to keep it updated and in line with the way Rejsekort as an app works as well as applicable principles and legislation. The privacy policy is subject to change without notice.

You can always see at the top of this Privacy Policy when the policy was last updated or changed. Significant changes to the Privacy Policy will be published on our website www.rejsekort.dk together with an updated version of the Privacy Policy.