Wi-Fi Privacy Policy

Privacy Policy

As required by EU Regulation 2016/679 ("GDPR") and with respect to the United Kingdom, the Data Protection Act 2018, the information below describes the processing operations and the purpose of the processing of the personal data of users ("Users") at Flix for the usage of the Wi-Fi.

All terms used in this Privacy Policy that are not explicitly defined shall have the meaning set in the GDPR.

1. Contact details of the controller

The data controller is Flix SE, Friedenheimer Brücke 16, 80639 Munich, Germany ("Flix" or "Controller").

The representative of Flix SE according to Art. 27 GDPR and the Data Protection Act 2018 for the UK is: FlixBus UK Ltd. Registered Office: First Floor, Templeback, 10 Temple Back, Bristol, United Kingdom, BS1 6FL Business Address: WeWork, 123 Buckingham Palace Road, London, SW1W 9SH.

2. Contact details of the data protection officer

The Controller has designated a Data Protection Officer (DPO). The DPO is located at the offices of Flix SE, Friedenheimer Brücke 16, 80639 Munich, Germany, and can be contacted via the following e-mail-address:

data.protection@flixbus.com

3. Purposes of processing and legal basis

The Controller shall process the categories of personal data referred to in Section 4 in order to

a) fulfil the contractual obligations entered into with the User or certain contractual obligations towards the User or special requests of the User made before conclusion of the contract.

The legal basis for processing data for this purpose is that it is necessary for the fulfilment of a contractual obligation. This is lawful under Article 6 para. 1 lit. b GDPR.

b) to make the data provided anonymous and to use it to improve the service and the travel experience and to compile statistics.

The legal basis for the processing is the need to protect our legitimate interests. Art. 6 par. 1 f DSGVO. Our legitimate interest is to improve our service to users of the Service.

4. Categories of personal data that are processed

Personal data includes all information that refers to a specific or identifiable natural person. The personal data of passengers processed in connection with the processing purposes mentioned in section 3 are the following:

a) the MAC address of the access device used

b) the assigned connection number

c) the IP address via which the access device used is connected to the Internet

d) the start and end of the respective connection (date and time) as well as the resulting duration of use

e) the volume of data transferred, including the average packet size

f) technical characteristics of connection setup/termination

g) name of the area assigned to the input access point used

h) hardware type and manufacturer of the access device

i) identification data of the operating system used Recognition data of the browser used

k) Language and time zone of the browser used

The provision of personal data by passengers is voluntary. There is no legal or contractual obligation for the passenger to provide Flix with personal data. However, Flix may only be able to provide certain services to a limited extent or not at all, if the passenger does not provide the data required for this purpose.

5. Categories of recipients

a) Internal recipients

Under certain conditions, we share personal data about you for the purpose of internal management within the companies of FlixBus, as far as this is permissible.

Further details can also be found in the privacy policy.

a) External recipients

As with any major company, we also use external domestic and foreign service providers to handle our business transactions and work with partner companies at home and abroad.

These are in particular the (IT) service providers as independent controllers:

Icomera AB, Odinsgatan 28, SE-411 03 Gothenburg, Sweden, and

GoMedia Services Ltd, Evergreen House North, Grafton Place, London, NW1 2DX, UK

https://www.icomera.com/legal/#privacy-policy

RebelRoam Oü, Erika 14, Tallinn, 10416, Estonia

https://www.rebelroam.com/privacy

Peplink Pepwave UAB, Ašigalio g. 1B, LT-49160 Kaunas, Lithuania

https://www.peplink.com/company/privacy/

UAB TELTONIKA NETWORKS, Baršausko g. 66, Kaunas 51436, Lithuania

https://teltonika-iot-group.com/about-us/policies-certificates/privacy-policy

Passengera s. r. o., The Blox, Evropska 2758/11, 160 00 Prague, Czech Republic

https://www.passengera.com/gdpr/

To the extent that the recipients work for us as processors, we enter into a contract with them and they must provide guarantees that appropriate technical and organizational measures are in place, that the processing meets legal requirements and that the rights of the data subjects are respected.

Passenger personal data is only accessible to persons acting on behalf of the controller or Processor.

We may also transmit personal data to public bodies and institutions (e.g. police, public prosecutor’s office, supervisory authorities) if there is a corresponding obligation/authorization.

6. Transfer of data abroad

In connection with the processing referred to in section 3, personal data may be transferred to a third country (in particular the USA). A third country is a country outside the European Union (EU) and outside the European Economic Area (EEA). In this case, we ensure through suitable measures that the level of data protection of the recipient/recipient country is not lower than the level of protection applicable in the EU/EEA.

Suitable measures can be, for example:

An adequacy decision of the EU Commission

Standard Data Protection Clauses (available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en)

Additional protective measures (e.g. pseudonymization)

7. Duration of data storage and deletion

Passengers' personal data will be stored only as long as necessary for the purposes according to section 4 for which the data is collected and subsequently processed.

In any case, the Controller may be obliged and/or entitled to keep the passengers' personal data, in whole or in part, for a longer period of time - for example, but not exclusively, for the establishment, exercise or defense of legal claims within the respective applicable limitation period.

8. Rights of affected persons

The passenger as an affected person according to the GDPR has the following rights:

Right to information

The passenger may request information under Art. 15 GDPR about his personal data processed by Flix. In the request for information, the passenger should clarify his concern in order to make it easier for the Controller to compile the necessary data. The Controller may require information to confirm the passenger’s identity to ensure they have the right to access the personal data.

Upon request, the Controller will provide the passenger with a copy of the data that is the subject of the processing. Passengers will not have to pay a fee to access their personal data (or to exercise any of the other rights). However, Flix may charge a reasonable fee if the request is clearly unfounded, repetitive or excessive. Flix may also refuse to comply with such a request.

Right to rectification

If the information concerning the passenger is not (or no longer) accurate, the passenger may request a correction in accordance with Art. 16 GDPR. If the passengers’ data is incomplete, the passenger may request its completion.

Right to deletion

The passenger can demand the deletion of his personal data under the conditions of Art. 17 GDPR. This right to erasure depends, among other things, on whether the data concerning the passenger is still needed by the controller to fulfill his legal duties.

Right to restriction of processing

Within the framework of the requirements of Art. 18 GDPR, the passenger has the right to request a restriction of the processing of the data concerning the passenger.

Right to data portability

Under the specifications of Art. 20 GDPR, the passenger has the right to receive data that the passenger has provided to the controller in a structured, common and machine-readable format or to demand that it is transferred to another responsible party.

Right to object

In accordance with Art. 21 para. 1 GDPR, the passenger has the right to object at any time to the processing of data relating to him, that was collected under Art. 6 para. 1 lit. f GDPR, for reasons arising from the passengers’ particular situation. Afterwards, processing of that passenger’s data can then only take place if Flix is able to prove that there are legitimate reasons for the processing, which take precedence over the interests, rights and freedoms of the passenger, or in the case that the processing serves for the establishment, exercise or defense of legal claims by Flix.

In accordance with Art. 21 para. 2 GDPR, the passenger can object to being approached by advertising at any time with effect for the future (objection to advertising in the case of direct advertising).

Right of complaint

If the passenger is of the opinion that the controller has not complied with data protection regulations when processing his data, the passenger can complain about the processing of his personal data to a data protection supervisory authority.

Right to revoke consent (where provided)

The passenger can revoke the consent to the processing of his data at any time for the future. The lawfulness of the processing based on the consent prior to its revocation remains unaffected by the revocation.

This also applies to declarations of consent given before the GDPR came into force, i.e. before 25.05.2018.

The passenger may assert his rights as an affected person against the Controller at any time, in particular by using the contact details provided in sections 1 and 2 above.

9. Amendment

This Privacy Notice may be amended from time to time due to the introduction of new purposes and methods of processing. The Controller, at his own discretion, will inform the passengers in a timely and appropriate manner of any such amendments.