1. Flytoget’s personal data protection statement
At Flytoget, we are concerned with processing personal data in a way that allows you to feel confident that information about you is well looked after. The purpose of the statement is to provide you as a customer with sufficient information about how Flytoget processes personal data about you and your journeys in line with the privacy legislation currently in force.
The personal data protection statement will be updated from time to time, e.g. as a result of the services being extended or changed, and we will notify you in the event of major changes. The currently applicable version of the statement and the terms and conditions can be found at flytoget.no.
2. Flytoget’s digital platform
Flytoget has the following sales channels available:
- App
- Ticket machine
- Ticketless journeys
- Flytoget.no
- Flybag.no
- Manned sales
When you use Flytoget's digital platform, contact us or otherwise establish a customer relationship with us, we will be able to process your personal data. Flytoget's digital platform means "My page", the development platform, as well as the data warehouse and integration platform. The personal information is stored on Flytoget's digital platform and enables you to switch between the different sales channels without having to register your information several times.
By accepting the terms when creating a profile with Flytoget, you confirm that you have read and understood the content of this statement. For customers under the age of 13, the consent of their guardian is required. If children under the age of 13 have nevertheless given us personal data, we will delete the data as soon as we become aware of the situation. Guardians can contact us as stated in section 13.
3. What personal data are processed and why?
We collect the following personal data for the following purposes:
- In order to manage your customer relationship, basic information is recorded, such as name, email address, mobile number, date of birth and ticket type. Date of birth is not required.
- Electronic and technical information, including information about your mobile device and app, IP address, keywords, traffic data, app ID, app version, operating system and phone model, is stored so that we can help you as well as possible when needed and offer relevant updates. Data on network communication is also collected, as all information in Flytoget's app requires network access to retrieve the information in Flytoget's systems. The network access can be a wireless network or a mobile network.
- Personal profile settings are saved so that we can send you automatic receipts, receipt overview and/or newsletter in line with your wishes. Changes to the profile are saved as information by customer service for use in your enquiry. If you contact Flytoget's customer service, this contact will be logged in order to provide the best possible assistance.
- Card data (Card number/account number) must be saved if you want to buy a ticket in the app or travel without a ticket and have access to receipts and travel history, as well as any discounts. When using "My page", we also have to store the account number for NFC (contactless payment). If you want to be able to switch between Flytoget's sales channels without having to register your information several times, Flytoget will store your card data information and other information across such sales channels.
- Payment information, including the purchase of a trip with the place of departure and destination for the trip, as well as the time of purchase, is stored in order to charge you the correct amount for the trip and to be able to generate a receipt for the trip afterwards.
- Travel information in the form of flight number and date of departure is obtained when ordering the Flybag service so that your luggage can be handled correctly at Oslo Airport. When using Flymatch, you are asked about flight departure, but this information is only stored on your own device.
- Flytoget uses limited camera surveillance in our trains. The cameras have a preventive effect against unwanted actions directed at passengers, employees or material. Such monitoring involves the processing of personal data.
- When registering a telephone number in Flytoget's app and by further use of the app, Flytoget will automatically check whether the given telephone number is listed in Avinor's database of employees with ID cards at Oslo Airport. If the telephone number is listed in the database, confirmation of the employment relationship will be automatically obtained from Avinor's ID card database. The purpose is to offer the type of ticket the employee is entitled to. No personal information will be stored with third parties in this process.
- For travelers who are linked to a company agreement, the link will be made via the e-mail address. In some cases, the system will automatically set the last used payment card as the active card in the agreement. This ensures that the traveler has access to the benefits of the agreement. In the case of business agreements, personal data is not shared with the contracting party.
- In lost property cases, the name, telephone, e-mail and description of the missing property are registered. This is done to be able to connect objects with their owner. When returning lost property, the address is also stored in the system. All information in the lost property system is deleted after 410 days.
- Flytoget's app collects anonymous information about how customers use the app through analysis tools to prepare statistics/reports in order to improve the app.
- Flytoget's ticket inspectors process personal data such as name, address, ticket type and date of birth of travellers without a valid ticket. In certain cases, Flytoget also processes personal identification numbers or D numbers from passengers who are caught traveling without a valid ticket.
- To avoid misuse of Flytoget's services, we will use registered data for control purposes.
If Flytoget uses your information to analyze customer behavior so that we can improve the travel experience and our digital platform, we will anonymize the information before such data is processed.
4. What is the legal foundation?
Flytoget will process personal data so that we can:
a) Manage your profile on "My page".
b) Invoice you and accept payment for our services.
c) Suggest the nearest station as a departure station using your location and present our services where they are most relevant to you (app only).
d) Give you access to discounts and other benefits.
e) Deal with delays, cancellations and claims for refunds or replacements.
f) Handle lost property cases.
g) Impose and collect fees or demands for payment as a result of failing to present a valid ticket during ticket control or discovered misuse of discounted ticket categories.
h) Have camera surveillance on trains.
i) Communicate with you in connection with your use of Flytoget's digital platform and your customer relationship.
j) Comply with legal requirements according to, among other things, the Norwegian Bookkeeping Act and the Norwegian Accounting Act.
k) Send you receipts and travel information.
l) Develop, maintain, correct errors and offer Flytoget's digital platform.
m) Offer you our services and manage your customer relationship with us.
For the processing referred to in letter g) above, the legal basis is Flytoget's legitimate interest pursuant to Article 6(1)(f) of the General Data Protection Regulation (GDPR) and Section 12 of the Norwegian Personal Data Act. This includes Flytoget's interest in imposing and enforcing fees and payment demands for missing tickets during ticket inspections or uncovered misuse of discounted ticket categories as part of Flytoget's enforcement of the transportation terms, section 6, and safeguarding Flytoget's general operations. Similarly, Flytoget has a legitimate interest in the camera surveillance mentioned in letter h). The cameras have a preventive effect against undesirable actions targeting passengers, employees, or equipment. We have therefore implemented a range of technical and organizational measures to safeguard the privacy of those being filmed. This includes, among other things, strict access controls and ongoing deletion routines.
The processing referred to in letter j) above is necessary to comply with the legal requirements to which Flytoget is subject, cf. Article 6(1)(c) of the General Data Protection Regulation (GDPR).
If you have consented to electronic marketing, we will also process your personal data to enable you to receive information about offers and news from Flytoget. The legal basis for such processing is your consent, cf. Article 6(1)(a) of the GDPR. You must actively consent to the use of your personal data for direct marketing, and you may withdraw this consent at any time.
For all other processing, our legal basis is Article 6(1)(b) of the GDPR, including the necessity of processing your personal data to enter into and fulfill an agreement with you and to provide the services you have ordered.
5. Is providing information optional?
You are free to choose whether you want to provide your personal data, but for you to make use of Flytoget’s advantageous methods of payment such as ticketless travel or the Flytoget app, some basic personal details have to be registered, see point 2.
6. Who is Flytoget’s data controller?
Flytoget, as represented by the managing director, is the data controller who under the Norwegian Personal Data Act is responsible for the company’s processing of personal data. The ‘controller’ is the person who determines the purpose of the processing of personal data and the tools to be employed in doing so.
Day-to-day responsibility has been delegated to our information safety officer. Only the work is delegated, not the responsibility. Additionally, Flytoget has appointed a Data Protection Officer.
7. Are my personal data safe?
Yes, you can rest assured that we take your safety seriously, both when you travel with us and when we process your personal data. Therefore, we have implemented measures to maintain the physical and technical security of offices and information storage facilities to prevent the loss, misuse, unauthorized access, disclosure, or modification of your personal data.
Flytoget complies with the Payment Card Industry Data Security Standard (PCI DSS) when handling passengers' payment information.
Flytoget adheres to HB-v821, the industry standard for privacy and information security in electronic ticketing – privacy and information security in public transport. Flytoget has also established internal rules and routines for the protection of personal data and privacy. To ensure that data processing at Flytoget is conducted securely, only specially authorized personnel at Flytoget have access to the information you provide. The number of employees with such authorization is limited. All systems that process customer data are subject to strict access control. Flytoget takes privacy seriously and conducts and updates risk assessments related to privacy.
If we share your personal data with a third party, we ensure that there are arrangements and agreements in place to protect the data and prevent the third party from using the personal data for purposes other than those agreed upon.
Flytoget has a Data Protection Officer (DPO) who, together with the Information Security Manager, ensures an overview of the personal data processed by Flytoget. An overarching information security policy provides the framework and guidelines for the current information security plan. A record is kept of all systems containing critical data, including personal data.
8. Will the data be shared with others?
We collaborate with third parties to manage your use of our digital platform and your customer relationship, as well as to carry out our operations so that we can offer you our services. Our providers of IT services, newsletter and marketing services, accounting, payment processing, invoicing/collection, and other services may have access to these personal data. If required by law or if there is suspicion of a criminal offense related to the use of our services, the information we have stored about you may be disclosed to public authorities.
Our providers are subject to strict terms set by Flytoget and are not permitted to use personal data for any purpose other than providing the agreed-upon service or as otherwise compliant with applicable legislation.
We may also share your personal data with our partners in connection with their provision of services (e.g., payment services) as part of your booking of travel with us. These partners will act as independent data controllers, and we encourage you to read their privacy policies to understand how they process your personal data.
9. Are personal data transferred abroad?
We mainly process personal data within the EU/EEA. If it becomes necessary to transfer personal data outside the EU/EEA, we will ensure that the necessary measures and safeguards are in place before such a transfer occurs. We always use the EU’s standard contractual clauses as the transfer mechanism when transferring personal data outside the EU/EEA.
10. For how long is the data stored?
Basis
We will not retain your personal data longer than necessary to fulfil the purposes outlined in this privacy policy, unless a longer retention period is required by applicable law. The retention of anonymized data is not subject to such limitations or requirements.
As a general rule, personal data will be deleted after 1,450 days of inactivity. Inactivity means that you have not accessed your profile within this period. This applies regardless of whether you have traveled with Flytoget during this time. You will be notified 30 days before your account is deleted.
Unless otherwise stated in this statement, sales and travel information will be deleted after 410 days in accordance with the industry standard for privacy in electronic ticketing. Sales information refers to details related to the purchase of services provided by Flytoget, such as date, time, amount, and payment method, as well as route and quantity. Travel information includes data from the journey itself, recorded through the use of the service, such as ticket category, usage time, and location.
If you have withdrawn your consent, customer data will generally be deleted within 14 days. Customer data refers to contact information such as name, address, and card number.
My Page
By creating a profile, you agree that your personal data will be linked to stored information about travel receipts. This allows you to retrieve receipts from previous journeys. Additionally, Flytoget aims to identify customer segments based on travel history to offer value-added services, such as loyalty programs.
Information stored as travel history may include the time of purchase and travel, ticket type, payment method, and the number of tickets purchased.
You can delete your profile yourself or get assistance from Flytoget's customer service. If you choose to delete your profile, your personal data will also be deleted. As a result, your travel receipts will become anonymous, as they were before you created a profile. If you delete your profile, you can still purchase tickets on flytoget.no, at ticket machines, or use your credit card for ticketless travel as before. However, you will no longer be able to receive discounts for electronic ticket purchases, receive receipts or other information, or access a tailored digital service based on the information we have available.
Ticket inspection
If you are issued a fine by Flytoget for traveling without a valid ticket or Flytoget makes a claim for payment for completed journeys resulting from the misuse of discounted ticket categories, we will store your sales and travel information for up to 12 months from the date the fee or claim is paid.
If you fail to pay the fee or claim, we may store the sales and travel information for up to three years unless legal action is taken to recover the fee or claim.
Customer Service and the Norwegian Travel Complaint Handling Body
If you contact us, we will store the sales and travel information related to your inquiry for up to 12 months after your last contact with us.
Personal data is stored to safeguard your right to file a complaint with the Norwegian Travel Complaint Handling Body. If you have submitted a complaint to the Norwegian Travel Complaint Handling Body, we will retain your sales and travel information until the case has been fully resolved.
Accounting
According to Norwegian accounting legislation, we are required to store your personal data (both travel and customer data) for up to five years.
Camera surveillance
Recordings from camera surveillance are normally deleted after 72 hours, unless events have occurred that warrant a longer storage period. In the event of such incidents, upon request from the police, we will hand over the recordings. Please note that we do not hand out recordings to private individuals. This applies even if you have been the victim of theft etc. Such incidents must then be reported to the police, and on request the recordings can be handed over to the police.
11. Do we use cookies?
Yes, Flytoget uses cookies on flytoget.no, subject to the terms and conditions pertaining to cookies.
12. What are your rights and options?
You have a right to:
- Request access: You have a right to information about what information we process about you and how we process it.
- Withdraw consent: You can withdraw your consent at any time by contacting us about this.
- Request correction: You can ask us to correct incorrect information about yourself. This means that you can also request that Flytoget update or complete your personal data.
- Request deletion: You can ask Flytoget to delete your personal data. Flytoget will delete your information, unless we are required to store your information according to applicable law.
- Data portability: In some cases, you can ask Flytoget to hand over your personal data to you in a structured, commonly used and machine-readable format; and/or transfer said information to another data controller.
- Object to the processing: In some cases, you have the right to ask Flytoget not to process your personal data.
- Request restriction of processing: In some cases, you can ask Flytoget to restrict the processing of your personal data to certain purposes and under certain conditions.
13. Contacting us
If you wish to exercise your rights as described in the first bullet point, or if you have questions or requests regarding this privacy policy or our processing of your personal data, you can contact us at:
Email: personvernombud@flytoget.no
Phone: +47 23 15 90 00
Mail: Flytoget AS (Attn: Customer Service), P.O. Box 19 Sentrum, 0101 Oslo, Norway
Our customer service center can connect you with Flytoget’s Data Protection Officer.
Flytoget is committed to conducting responsible and sustainable business operations. If you believe we are not adhering to this privacy policy or applicable law, you can file a complaint with Flytoget or with the Norwegian Data Protection Authority (Datatilsynet). You can also use our whistleblowing portal (https://u.bdo.no/flytoget), operated by BDO, which allows you to confidentially report any concerns. We will review all complaints, and if a complaint is found to be valid, we will take all reasonable steps to resolve the issue.
You also have the right to file a complaint with the Norwegian Data Protection Authority (Datatilsynet) regarding any aspect of our processing of your personal data. Information on how to file a complaint with Datatilsynet can be found on their website.