1. Flytoget’s personal data protection statement
This personal data protection statement and its associated terms and conditions provide the information you are entitled to receive when your personal data are registered via a digital platform. The document also provides general information concerning the way we process personal data.
The terms and conditions are intended to give you, as our customer, sufficient information about the way that Flytoget handles non-sensitive personal details about you and your journeys, as in accordance with current privacy legislation.
Personal data refers to information that may be linked to a physical person, i.e. detail such as name, postal address, telephone number and email address. Processing refers to any handling of personal data, e.g. collecting, recording, collating, storing and sharing.
At Flytoget we are keen to ensure that all personal details are handled in a way that makes you feel reassured your data are subject to the strictest confidentiality regime. We process the personal data we need for you to make use of our services, and to conduct analyses that will enable us to improve our range of services. All such analyses will be based on aggregated and anonymised data which cannot be used to identify you as an individual. Beyond this, all personal data are handled as in accordance with the express consent you have given us. You are free to withdraw this consent at any time.
This personal data protection statement and the associated terms and conditions will be updated from time to time, for instance because our services are extended or amended, and we will notify you if this requires further consent from yourself. The current version of the terms and conditions can be found on flytoget.no at all times. If major changes are introduced, we may also try to contact you direct through available channels such as email or by puting up a notice on our website and digital services.
2. Flytoget’s digital platform
‘Flytoget’s digital platform’ refers to our website flytoget.no, ‘My page’, online ticket sales, and Flytoget’s app, data warehouse and integration platform.
When you create a profile on Flytoget’s digital platform, you will be asked to enter your personal details. Flytoget will process this information to ensure that we can offer you relevant and easy-to-use services. Our range of services is subject to constant development. We will also send you all necessary communications relating to the management of your customer account in relation to your use of Flytoget’s digital platform. If you have consented to receiving digital marketing material, you will also be getting details of offers and news from Flytoget.
By accepting the terms and conditions as you create a profile on Flytoget’s digital platform, you confirm that you have read, understood and consented to the content of this document and Flytoget’s processing of your personal details. Customers under the age of 13 need the consent of a parent or guardian. If children under the age of 13 nevertheless have given us their personal details, we will delete this information as soon as we become aware of the matter. Parents can contact us as explained under point 12.
Copyright, other rights and the content of Flytoget’s digital platform are the property of Flytoget or the company’s subcontractors and partners.
2.1 The Flytoget app
The Flytoget app allows you to buy tickets for Flytoget’s train services, plan your journeys and receive updated real-time travel information. The app will also allow you to retrieve receipts for your ticket purchases.
Before you can use and purchase tickets with the Flytoget app you need to register the following information:
- Mobile phone number
- Email address
- Payment card
You may also choose to provide your
- Date of birth
All purchases and payments are handled by the payment service provider, who acts as data controller on behalf of Flytoget.
2.2 Flytoget.no and ‘My page’
Flytoget.no allows you to create a personal profile under ‘My page’ by entering your personal details. This will enable you to receive receipts for your journeys and access your travel history. The profile registration is linked to ticketless journeys, your app purchases and purchases from our online shop.
Before you can use ‘My page’, you need to register the following information:
- Mobile phone number
- Email address
- Payment card
You may also choose to provide your
- Date of birth
2.3 Online sales
Flytoget.no allows you to buy e-tickets that will be sent to you by email.
Before you can buy tickets, you need to register the following information:
- Mobile phone number
Your mobile phone number is registered to enable us to provide good and efficient customer services. If the mobile phone number has already been recorded in Flytoget’s customer database, your purchase will be linked to the existing customer profile. All your ticket purchases are listed on ‘My page’.
To pay for your ticket, enter your card details. Your card will then be charged, and the transaction is completed. You will receive your ticket by email.
3. What personal data are processed and why?
Your personal data are stored on Flytoget’s digital platform. We obtain personal data for the following purposes:
- In order to manage your customer account, we register basic details such as your name, email address, mobile phone number, date of birth and type of ticket (adult, pensioner or student). Date of birth is optional.
- Personal profile settings are stored to enable us to send you automated receipts, receipt listings and/or newsletters as in accordance with your wishes.
- Changes to your profile will be stored as information by Customer Services on request from passengers.
- Your card details will need to be saved to your profile if you want access to ticketless travel, receipts, travel history, and any discounts.
- Payment details, including your departure and destination stations and the time of your ticket purchases, are stored to allow us to charge the right amount for the journey.
- Electronic and technical information, including information about your mobile device and app, IP address, search terms, traffic data, app ID, app version, operating system and phone model is stored so that we can provide you with the best possible assistance as required and offer relevant updates.
- Your location is stored to enable the Flytoget app to automatically suggest the nearest station as departure station, and to present our services in the location most relevant to yourself.
- Network communication data are obtained because the Flytoget app requires network access to retrieve the information held in Flytoget’s systems. Network access may be provided by a wireless network or a mobile network.
- If you get in touch with Flytoget’s Customer Services, this contact will be logged to ensure that we provide you with the best possible assistance.
- For Oslo Airport staff who hold an ID card, any registration of a telephone number in the Flytoget App will automatically trigger a search in Avinor’s ID card database in order to confirm employment. The objective is to offer employees the type of ticket to which they are entitled. No personal data will be exchanged in this process.
- For passengers who are linked to a corporate agreement, the link will be made via their email address. In some cases, the system will automatically enter the most recently used payment card details as the corporate agreement card. This ensures that passengers have access to the benefits provided under the agreement. No personal details are shared with the corporate party to the agreement.
To avoid abuse of Flytoget’s services we will make use of registered data for control purposes.
Flytoget anonymises personal data before they are used to analyse customer behaviour. This is to enable us to improve the travel experience and our digital platform.
4. Consent to receiving digital marketing material
For your personal details to be used for direct marketing purposes, you will need to opt in by giving your express consent. You can withdraw your consent at any time.
5. Is providing information optional?
You are free to choose whether you want to provide your personal data, but for you to make use of Flytoget’s advantageous methods of payment such as ticketless travel or the Flytoget app, some basic personal details have to be registered, see point 2. We will ask for your express consent for any further information.
6. Who is Flytoget’s data controller?
Flytoget, as represented by the managing director, is the data controller who under the Norwegian Personal Data Act is responsible for the company’s processing of personal data. The ‘controller’ is the person who determines the purpose of the processing of personal data and the tools to be employed in doing so.
Day-to-day operations have been delegated to our information safety officer. Only the work is delegated, not the responsibility. Additionally, Flytoget has appointed a privacy ombudsman.
7. What is the legal foundation?
Flytoget’s procedures are subject to the Norwegian Personal Data Act and the legal foundation provided by its section 8, Conditions for the processing of personal data. Your acceptance of our terms and conditions constitutes our legal basis for processing your personal data. For any other purpose we will obtain your express consent.
8. Are my personal details safe?
You can be assured that no details relating to yourself or your journeys may be abused by Flytoget in our capacity as controller of the personal data we process. All personal data will be securely stored and confidentially handled in accordance with:
- The Norwegian Personal Data Act of 14 April 2000, no. 31 and associated regulations.
- The industry standard for privacy and information security in electronic ticketing.
- Payment Card Industry Data Security Standard (PCI DSS).
Flytoget has implemented a set of rules and procedures to protect your personal data and privacy. To ensure that our data processing is securely conducted, only specially authorised personnel at Flytoget have access to the information you provide us with. Only a limited number of employees can hold such authorisation. All systems that we use to process customer data are subject to strict access control. Flytoget takes privacy seriously and the company carries out and updates privacy risk assessments.
Your personal data will never be transferred to a third party unless you have given Flytoget your consent that such transfer is acceptable.
If we share your personal data with a third party, we will ensure that there are arrangements and agreements in place to safeguard the information and prevent the third party from using the personal data for any purpose other than what has been agreed.
Flytoget has appointed a privacy ombudsman who works with the information safety officer to ensure that the company maintains a clear overview of the personal details handled by Flytoget. An overall information safety policy provides the framework and terms of reference for the current information safety plan at all times. All systems that make use of critical data, including personal details, are recorded and listed.
9. Will the data be shared with others?
Flytoget makes use of subcontractors for the purpose of conducting its business. If a subcontractor needs to process personal data on Flytoget’s behalf, privacy is secured through data processing agreements.
Data processors are subject to strict rules imposed by Flytoget and cannot make use of personal details for any purpose other than to provide the services they have agreed with us. We take precautions to ensure that subcontractors conduct their affairs in accordance with this personal data protection statement, the company’s internal data processing agreements and Norwegian privacy legislation.
If required by law, or if there is suspicion that a criminal offence may have been committed in connection with the use of our services, any information we hold about you may be submitted to public authorities.
10. How are the data stored and deleted?
We will not store your personal data for longer and to a greater extent than necessary to fulfil the objectives specified in this personal data protection statement, unless a longer storage period is imposed by law at any point. Storage of anonymised data is not subject to similar restrictions or requirements.
Flytoget has procedures in place for data deletion and anonymisation. You can also delete your own profile or enlist the assistance of Flytoget’s Customer Services in doing so. If you choose to delete your profile, your personal data will also be deleted. Your travel receipts will thus become anonymous, as was the case before you created a profile.
The main rule is for personal details to be deleted after two years if your account is inactive. Inactivity means that you have not checked your profile in the last two years. This applies irrespective of whether you have used the Flytoget app and/or has travelled by a Flytoget train during this period.
11. For how long will my travel receipts be stored?
By creating a profile, you accept that your personal data will be linked to stored information about ticket receipts for the last 700 days. This enables you to retrieve receipts from earlier journeys.
The purpose of an extended storage period in Flytoget’s customer data base is to enable Flytoget to offer customers access to retrieving receipts for earlier journeys, and because Flytoget wishes to identify customer groups based on their travel history, in order to offer them value-added services, such as loyalty programmes.
The information stored, such as your travel history, may include the time of purchase and the time of travel, type of ticket, method of payment and the number of tickets purchased.
Once you have created a profile you can reduce the storage time for your travel receipts on ‘My page’ to 104 days.
Should you choose to delete a profile with a reduced receipt storage period setting, this will be reset to 700 days. You can continue using your credit card for ticketless travel as before, but you will be unable to claim a discount when buying tickets online, have receipts or other information sent to you, or receive a tailored digital service based on the information available to us.
13. What are your rights and options?
You have a right to:
- Know what information we hold about you (within the restrictions set out in current legislation).
- Demand that erroneous, unnecessary, incomplete or outdated personal data be corrected, supplemented or removed.
- Withdraw any consent you may have given us to process the personal details you have provided us with. However, please note that this may render us unable to continue delivering some of our services or benefits to you.
You can exercise your rights by contacting Flytoget’s customer service by phone +47 23 15 90 00, email firstname.lastname@example.org or in writing to Flytoget AS (f.a.o.: Customer Services), Post Box 19 Sentrum, 0101 Oslo. Customer Services will also help you to contact Flytoget’s privacy ombudsman.
Flytoget is committed to responsible and sustainable business practices. If you feel that we fail to comply with this personal data protection statement or the current legislation, please address your concerns to Flytoget, or the Norwegian Data Protection Authority. Alternatively, you can make use of our whistleblowing portal (https://u.bdo.no/flytoget) which is operated by BDO to enable you to attract attention to your concerns in the strictest confidence.
14. Contacting us
You can contact Flytoget’s Customer Services by email on email@example.com or by phone on 23 15 90 00.