Data Protection Declaration

Schienen-Control GmbH has been established as a company and legal entity according to § 77 of the Austrian Railway Act 1957, BGBl 1957/60 as amended by BGBl I 2015/137, and is assigned the tasks and competences provided by the respective legal terms of the Austrian Railway Act. These include the role as an administrative office for Schienen-Control Kommission, the Austrian Railway Regulatory Authority, and the competences further determined by the Austrian Railway Act. Furthermore, the Agency for Passenger Rights is part of the organisational structure of Schienen-Control GmbH.

Responsible handling of personal data is a high priority of Schienen-Control GmbH. As long as not otherwise indicated, Schienen-Control GmbH processes only personal data within its legaly assigned duties and competences. As long as Schienen-Control GmbH is acting according to its legally assigned duties and competences, the processing of personal data requires no further consent according to the provisions of the General Data Protection Regulation of the European Union.

Schienen-Control GmbH has implemented technical and organisational measures to ensure safety while processing personal data. Especially measures to ensure saftey from unauthorised and illegal access to personal date. The technical and organisational measures include regular audits, concepts regarding data-security and access as well as physical and digital security-measures regarding our IT-infrastructure. The security-measures are state oft he art and are evaluated constantly.

Among the competences of Schienen-Control GmbH is the publication of information on our website.


Cookies are short blocks of text sent by webservers tot he browser oft he website-visitors. The content of a cookie consists of a text-file about functionalities of a website to enhance usability. Every cookie has a defined lifespan. There are two variations of cookies: session-cookies with a lifespan of the current session of the browser, and persistent cookies, with a lifespan longer than the current browser-session.

We are currently using the following cookies for our website:

-             PHP SESSION ID (PHPSESSID): saves the current PHP-Session (Lifespan: Session)

-             Contao HTTPS CSRF Token (csrf_https-contao_csrf_token): Protection against Cross-Site-Request-Forgery Attacks (Lifespan: Session)

These cookies are necessary for the basic functions of the website and can’t be disabled. Under the following link, you can change your cookie-settings.


The Website of apf ( uses Cookies upon agreement and the open-Source took Matomo for statistical purposes.

The follwing dataset is used in this operation: IP-Address (anonymous), date, time, target-URL, referrer, client-data. The data will be automatically deleted after 150 days. Additionally, Matomo uses a Session-Cookie which will be deactivated automatically after 14 days. The cookies are disabled by default. Cookie-Settings may be changed via the following link above.

Due to the Directive 2018/1724 (SDG-Dir) of the European Parliament and the Council, upon agreeing to cookies, anonymous data will be provided to the European Commission for statistical purposes.  Number of Users, origin, used devices will be transmitted via API. It is the purpose of the SDG-Directive to connect national service-pages to provide  a uniform digital center of Administration ans Serivice.

Users have the following rights regarding the EU-DSGVO concerning the processing of their personal data:

  • The right to ask for information about the data which is processed ar Schienen-Control GmbH (Article 15 DSGVO);
  • The right to have the data corrected (Article 16 DSGVO);


The right of data-transfer (article 20 DSGVO) according the the DSGVO does not apply to institutions of public interest as long as the data in question is related to the purpose oft he organisation.


  • The right to have data deleted (Article 17, DSGVO);
  • The right to limit the processing of date (Article 18, DSGVO).


Schienen-Control GmbH wants to emphasise, that no personal data will be acquired due to the anonymisation of personal data and IP-Adresses in Matomo. Functional Session-Cookies will be deleted after the session ends. The above-mentioned rights can therefore only be applied in cases where personal data is collected.

It is furthermore possible that concerned parties use their right of withdrawal for the use of their personal data according to article 21 DSGVO. This right can be exercised independently of the aforementioned remarks. Precondition for the successful claim of the right of withdrawal is a special situation which justifies the withdrawal to this agreement.

Concerned parties who claim that the use of personal data is againt the regulations set in DSGVO can file a complaint with the supervising body:

Applications and questions regarding the Data-protection notice and regarding personal data can be submitted to our Data-Protection officer:

Data-Protection Officer:

Ass. iur. Dipl.-Jur. Caroline Trefil

Schienen-Control GmbH

Linke Wienzeile 4/1/6

1060 Wien


Responsible party for the use of personal data:


Schienen-Control GmbH

Linke Wienzeile 4/1/6

1060 Wien

T: +43 1 5050707 120


Relevant Supervision-Body:


Barichgasse 40–42, 1030 Wien, T: +43 1 52152 0,,

You can change your cookie settings here:

Furthermore, it is possible to deactivate the overall use of cookies via the settings of your webbrowser.

According to the provisions of the General Data Protection Regulation, data subjects having their data processed are entitled to claim the following rights:

  • Right of access by the data subject (Art 15 GDPR);
  • Right to rectification (Art 16 GDPR);
  • Right to data portability (Art 20 GDPR);

As far as data is no longer required for the legal purposes it has been collected for, data subjects also have the following rights:

  • Right to erasure (Art 17 GDPR);
  • Right to restriction of processing (Art 18 GDPR);

Schienen-Control GmbH wants to further emphasize at this point that, given the standardized anonymization of the IP-adresses of every visitor to our website, no personal data is being collected by Google Analytics. Furthermore, other cookies used to support the functionality of our website are being deleted immediately after leaving our website. Thus, the aforementioned rights might only be applicable within a limited scope ore might not be applicable at all.

In case the use of cookies for the services of Google Analytics is nevertheless object of a claim according to the rights of the data subject, tools for exercising the data subject rights provided by Google can be found here.

Nonwithstanding the aforementioned rights, data subjects are entitled to object to the processing of their personal data at any given time according to Art 21 GDPR. The successful exertion of the right to objection does however require the occurrence of special circumstances if data is being rightfully processed.

Data subjects also have the possibility to address the Supervisory Authority at any given time if they feel their personal data is being unlawfully processed.

If any questions should arise concerning this Data Protection Declaration, the protection of privacy or personal data or if data subjects want to exert their rights, please contact the data protection officer by E-Mail or letter:

Caroline Trefil

Postal address:
Schienen-Control GmbH
Linke Wienzeile 4/1/6
A-1060 Wien
Phone: +43 1 505 07 07

Austrian Supervisory Authority:
The competent Supervisory Authority for Austria is the Federal Data Protection Authority (“Datenschutzbehörde”, DSB):