Privacy at Fjord Line

When you book a trip with Fjord Line, we collect the personal data of the travelling party in order to carry out the booking. Processing of personal data takes place on the basis of fulfilling an agreement made with the travelling party (GDPR Article 6(1)(b)). The data will be processed for as long as necessary in order to fulfil the agreement.

In addition, Fjord Line is obliged to collect and process data in accordance with legislation and regulations, such as the regulation on counting and registering passengers on board passenger ships. This includes name, gender, nationality and date of birth. This data is reported to SafeSeaNet Norway and is deleted once the journey has been completed safely.

We are also required by law to retain data in connection with accounting and tax management, such as in relation to the Accounting Act and the VAT Act (GDPR Article 6(1)(c)). We receive this data from you and it may be transferred to any authority to which we are obliged to disclose to.

Card numbers and bank details are stored by a third party who is the data controller for this data. Who this is depends on which payment solution you choose and the agreement you have with that payment processor, such as your bank or credit card company. See also the personal data policy of payment service providers for the payment service you use.

Travel data/history and written customer inquiries are linked to your customer account and stored for as long as the customer relationship is active and consent is given.

For the purposes of handling complaints and accounting, this data will be processed for as long as is necessary, which will be approximately six years.

Main traveller
We collect the following data about the main traveller (the person who books and pays for the trip): Name, address, mobile phone number, email address, date of birth, gender and nationality. In connection with the booking, we also collect payment data for the main traveller as well as other data related to the trip, such as time of travel, starting point and destination, hotels and other bookings related to the trip, etc.

Travel party
If there is more than one person travelling (including children), we collect the following information about them: Name, nationality, date of birth and gender, which is then linked to the main traveller.

Fjord Club Members
If the main traveller or others in the travel party are members of Fjord Club, this can be added to the booking if desired. If one wishes to obtain Fjord Club benefits, the membership number must be registered. See terms and conditions for Fjord Club.

Non-Nordic citizens
If the main traveller or others in the travel party are non-Nordic citizens, we are required by the Norwegian authorities to collect the passport numbers of these persons, in addition to the data mentioned above. This processing is therefore based on a legal obligation to which we are subject (GDPR Article 6(1)(c)), which is covered by Section 16 of the Border Act and Section 4-10 of the Border Regulations, Appendix 4 to Circular A-63/09 on the entry into force of the new Aliens Act and new Aliens Regulation from 1 January 2010 — Control of entry and exit, etc., as well as Regulations on border inspection and border control of persons (the Border Regulations) and Advance notification from the master of a ship to the police regarding travellers and crew members.

Passport numbers are deleted from our systems 10 days after conclusion of the trip.

Specific to disabilities

If the main traveller or others in the travel party have special requirements in relation to a disability, this is recorded in the booking so that any assistance required can be provided. Please note in particular that data provided regarding a disability in connection with booking a trip will be entirely deleted upon conclusion of the trip. In such cases, we will request consent to process the data (GDPR Article 6(1)(a)), unless the data is provided to us in connection with a physical order. See also below regarding processing based on consent.

We process personal data about those who contact us for the purposes of responding to and documenting the communication, and when forwarding to others. This applies to all forms of communication, both physical and digital, written and oral, such as via email, chat, telephone or by other means, including when visiting one of our booking offices. We primarily collect that personal data deemed necessary to handle your inquiry, data such as name and booking number. Depending on how you choose to contact us, we may also collect contact details such as email address and phone number.

In the case of personal contact, we also collect the additional personal data that you choose to provide. This may be data related to disabilities, allergies, health conditions or other information on you or others in your travel party.

The processing of such data is based on our having a necessary legitimate interest in processing personal data related to the above (see GDPR Article 6(1)(f)). We have therefore assessed that maintaining contact with others as part of our business operations, and documenting the business we run, as well as responding to those who contact us, and recording such contact should be viewed as our legitimate interest. We have assessed that it is essential that we handle the inquiries we receive and that the privacy of data subjects does not outweigh these interests.

Providing us with personal data is voluntary, but it is necessary to do so in order for us to respond effectively to inquiries.
We process data received until such time as we assess there is no further need for follow-up.

Personal data is collected and processed in connection with membership in Fjord Club for the purposes of managing membership and the customer relationship, and managing customer services and marketing in relation to members. The data is used to manage membership, and in relation to Fjord Line's partners, including follow-up on compliance with conditions of membership.

The following personal data is processed in connection with membership in Fjord Club: Name, date of birth, gender, nationality, address, phone number, email address, password and other data concerning travel preferences as well as data provided by the member in connection with competitions and campaigns.

In addition, the following may be processed: Purchases (itemised) registered on the member's profile, logged-in sessions on the fjordline.com domain (name, time and IP address) and responses to distributed advertising from the member database to Fjord Club.
Information about the individual customer is recorded and processed as part of managing their membership (GDPR Article 6(1)(b)), as well as consent, where required, e.g. for marketing purposes, which is obtained upon registration or upon later use of offers or purchases, as well as participation in competitions arranged by Fjord Line. The information provided during registration must be verified upon receipt of an email/text message.

Travel and personal information related to Fjord Club Members is stored for three years — counting from the last registered activity.

Fjord Line may terminate Fjord Club Membership and delete all data if a membership has been inactive for a period of three years or more. As an alternative to deleting the data, it may be anonymised and used for the purposes of gathering statistics and analysis.
See also the terms and conditions for Fjord Club here.

When you use Fjord Line's digital services or place an order on our website, we collect data about your usage. We also collect data on how you navigate the site, what searches you make, and what pages, products and articles you are interested in.

If you create an account with us (even without making a purchase), the following will be processed: Name, address, email address and phone number.

If you place an order and purchase/use our services, your data will be processed as above for “When booking a trip”.

The basis of, and storage period for, the processing if this data is also governed as above for “When booking a trip”.

If you are logged in as a Fjord Club Member or if you provide data that allows us to identify you, we link data about your usage patterns to the data we already hold on you. We do this to provide you with the best possible user experience and to form a picture of your interests for marketing purposes.

The data associated with your account with us will be stored and processed for as long as your account is active or until you delete your account. Accounts are automatically deleted after a period of three years' inactivity.

When you order services from Fjord Line, we use your personal data in various ways in order to deliver these services. The data is used to create travel documents, manage hotel stays for package holiday bookings, and to manage payment for services you have ordered.

If you have booked a package holiday, the data is used in the same way to provide these services. If you have ordered other services, such as theme park tickets, concert tickets or similar, the data is used in the same way to provide these services.

The administration of your trip also includes using your data for accounting, billing and auditing purposes; credit rating or other payment card checks, as well as immigration and customs checks.

If you have booked a trip with us, we will use your personal data to send you a booking confirmation, important information about your trip and information about offers relevant to the trip in question, provided that consent for this was given when booking. Such mailings will be sent to the email address you provided when booking.

Before and during your trip, we will send you important information via text message to the mobile number provided when booking. This may include: Information concerning changes, delays and cancellations.

The processing above is carried out for the purpose of fulfilling an agreement with the traveller (GDPR Article 6(1)(b)). Where we are required to collect and transfer data by law or regulation, personal data is processed to comply with the legal obligations to which we are subject (GDPR Article 6(1)(c)).

For storage duration etc., see the above section “When booking a trip”.

If you are a member of Fjord Club and therefore subscribe to our newsletter, use our services as a customer, or have consented to receive newsletters or information about our services in any other way, then we use your personal data when sending that newsletter and when personalising its content. This data includes email address and information about travel history, usage patterns and preferences. The use of this data allows us to provide you with offers that we believe will be of most interest and benefit to you.

In such cases, we may send information about our products and services, or those of our partners; newsletters and other information or marketing that may be of interest to you. The processing of personal data is based on your consent (GDPR Article 6(1)(a)), for the purpose of managing your membership (GDPR Article 6(1)(b)) or for the pursuit of legitimate interest if you are an existing customer (GDPR Article 6(1)(f)). You may withdraw your consent at any time by making use of the unsubscribe options in the mailings you receive, or by opting out of direct marketing and/or profiling pursuant to GDPR Article 21(2) by contacting us.

We process personal data only to the extent necessary for sending out mailings, i.e. email address and name, to provide a personalised experience, and ensure mailings reach the correct person. The email address and other details you provide will not be used for anything other than sending newsletters.

On Fjord Line's websites, we implement user data, including for personalisation purposes. This entails the use of your personal data and data on your use of our services in order to tailor our website content for you. Such adaptation can, for example, include storing and displaying data about travel destinations you have previously searched for on our website, storing language settings, and displaying advertisements and offers that we believe are relevant to you and your interests. See below for more information about the processing of personal data on websites using cookies, etc.

We may also send information about our services that does not contain marketing, such as updates to services and orders placed. This will be done regardless of whether you have given consent, and the personal data will be processed on the basis that we are either fulfilling an agreement with you as an existing customer (GDPR Article 6(1)(b)) or based on our legitimate interest in informing our users and contacts about our services (GDPR Article 6(1)(f)). Alternatively, we may process the data based on your consent (GDPR Article 6(1)(a)). The purpose of the processing is then to keep you updated about the services you receive and provide follow-up on purchases. The processing of personal data will continue as long as you are in receipt of our services.

We process the personal data of contact persons for existing and potential customers (in business relationships), suppliers and other partners in sales and marketing activities for the purpose of managing our relationship with suppliers and others; and to prepare, implement and document services, as well as to evaluate the use of such services. In such cases, we process the name, contact information, company name and information on our contact with the company represented by that person.

This processing of personal data is based on the fact that we have a necessary and legitimate interest (GDPR Article 6(1)(f)) in managing our relationship with our customers, partners and suppliers, and this interest outweighs any individual right to privacy.

We store and disclose data, including when we have a legal obligation to do so, for example in accordance with accounting and tax legislation.

Data is stored and processed for as long as is necessary, for example when documenting conditions relating to services.

In many cases, it is necessary for us to obtain personal data when entering into agreements with customers and suppliers, including to document that such an agreement has been entered into. If we do not receive the data we require, we will not be able to enter into such agreements.

Contact persons themselves choose whether they wish to provide us with personal data. If we collect personal data from others, it will mainly concern contact information (including name, address, phone number and email address), position, role and employer, as well as any information on competence and references, where relevant. The source of this data will be the contact person's employer, via, for example, the employer's website. In some cases, we obtain references from others sources to assess the suitability of a supplier or partner.

We retain such data until the relationship with the customer, supplier or business partner has ended, or until the contact person ceases to be the contact person, with the exceptions mentioned above.

When recruiting new staff members, we process personal data in connection with CVs, applications, certificates, notes from interviews, results of reference checks, etc.

We may make use of recruitment services to manage submitted applications, and these services will then act as our data processors. If you create a profile with a recruitment service, this service becomes the data controller, and you are referred to their privacy policy for information about the processing of personal data for this service. The processing of personal data is based on the consent you have given to the recruitment service (GDPR Article 6(1)(a), if this is obtained, or on the grounds set out below).

The basis for processing personal data in relation to recruitment is that such processing is necessary when making arrangements prior to any employment contract entered into with an applicant (GDPR Article 6(1)(b)).

If investigations are carried out in addition to contacting persons provided as references, or investigations via background checks etc., personal data will be processed on the basis of our necessary legitimate interest in ensuring that the right candidate is found for the position (GDPR Article 6(1)(f)). For the latter, we have assessed that our legitimate interest in recruiting new employees outweighs the individual's right to privacy. We encourage you not to include personal data of a sensitive nature, such as information concerning health, religion, political views, trade union membership, etc. in your application.

Any processing of personal data of a sensitive nature is carried out on the basis of your consent (GDPR Article 9(2)(a)). Consent may be withdrawn at any time, and the withdrawal of your consent will not affect the lawfulness of the processing of personal data that took place before consent was withdrawn.

Personal data will be deleted as soon as recruitment is complete, unless you have consented to storage for a longer period.

Photographs and videos may be obtained for use as part of our business operations. This may include: Use on websites, in marketing materials, etc. To the extent to which photographs/videos are obtained and published/made accessible to multiple people, consent to such publication will be requested if people are the subject in accordance with Section 104 of the Copyright Act. If photographs/videos of children or others unable to personally give consent are obtained, consent is to be provided by parents, guardians etc. If the photographed/filmed individuals do not constitute the main content, and if the images concerned are from situational footage, footage of gatherings, etc., consent is not obtained.

The processing of personal data related to photographs/videos will be based on our legitimate interest in using such photographs/videos to display and market our activities (GDPR Article 6(1)(f)), where we assess that our interest outweighs any consequences that the use of photographs and videos may have for those depicted. We will only use photographs and videos where the people depicted are aware that photographs/videos have been taken.

Personal data associated with photographs and videos will be processed for as long as is necessary to make use of these photographs/videos. This is dependent on the purpose of the photographs/videos and may vary depending on that purpose. We review photographs/videos at least once a year to assess whether individual photographs/videos should be deleted or retained.

Regarding event participants, contact information and information about the event the person in question is participating in will be registered and processed so that that person may be identified as attending, and necessary communications as well as any invoicing of participation fees can be made. The processing of personal data will take place on the basis of fulfilling an agreement with the participant (GDPR Article 6(1)(b)), or in cases where the participant represents a company, on the basis of our assessment that we have a necessary legitimate interest (GDPR Article 6(1)(f)) to hold events as part of our business operations. In the latter case, we have assessed that our legitimate interest outweighs the individual's personal rights.

In the event that food and/or drinks are served, we may collect data regarding preferences that could reveal health and/or religious information. This data will only be processed by us and will be deleted immediately after the event in question. In such cases, the data will be processed on the basis of consent.

In order to comply with occupational health and safety standards (labour, environment and safety), in connection with our necessary legitimate interests, as well as to protect our employees, customers, property, equipment, etc., we may process personal data via the use of camera surveillance.

Notification that monitoring is taking place will be provided at the locations where this occurs. Footage from camera surveillance will be deleted within seven days, unless it is likely that the footage will be handed over to the police. In the latter case, recordings will be deleted after 30 days, unless otherwise required for legal reasons.

We also process the personal data of visitors to our premises and other facilities via their inclusion in the visitor registration system. Visitors will be informed via notices when this is the case.

Log files from access control systems are deleted within 90 days.

Our websites and services use solutions for the collection and processing of data, such as cookies and similar technologies. Data collected may include your IP address, browser and operating system, date and time of accessing the website and using our services.

Data is used, among other things, to analyse trends and thereby make our website and services more user-friendly; to collect data for the purpose of improving the customer experience on our websites and with our services through customising content; and to ensure good functionality on our websites. This is done through analysis of visitor behaviour, e.g. services used, links clicked, or information read, as well through behaviour analysis of other users with similar usage patterns. In addition, data is used to deliver targeted marketing on our websites, within advertising networks and on social media. To the extent practically possible, we aim to do this using anonymised data, not connected to specific individual visitors.

The cookies used on our website fall under for four categories:

2.13.1 Necessary

These cookies are essential for the proper functioning of the pages on the website. Without these cookies, you will not be able to navigate the website, search for and book ferry tickets, or log in to your Fjord Club profile. The website cannot function optimally without these cookies. It is therefore not possible to opt out of these.

2.13.2 Functionality/features

In order to improve the usability of www.fjordline.com we use cookies that “remember” previous choices you have made on our website. This may include, for example, your preferred port of departure, the types of articles you read most frequently and which products you are most interested in.

2.13.3 Statistics and analysis

An important part of creating a user-friendly website involves looking at the usage patterns of those who visit the website. In order to analyse this data, we use analytics tools such as Google Analytics.

Google Analytics uses cookies that register users' IP addresses and provide data about individual users' movements online. Examples of what the statistics may include: Number of visitors to different pages, duration of visits, which websites users arrive from and which browsers are used. None of the cookies enable us to link data about your use of the website to you as an individual.

Data collected by Google Analytics is stored on Google servers in the United States. The information received is subject to Google's Privacy Policy.

Our website uses Microsoft Clarity, a web analytics service provided by Microsoft Corporation, to collect data on how users interact with the website. Microsoft Clarity uses cookies and other tracking technology to collect data on user behaviour, click patterns, navigation paths, and other data related to the user's experience on our website. This data helps us analyse and understand how our content is consumed, identify areas for improvement, and enhance the overall user experience.

Data collected through Microsoft Clarity is aggregated and anonymised. Individual users are not identified and data is used only to enhance the performance and usability of the website.

In order to create a user-friendly website, we analyse visitor usage patterns with the help of various analysis and optimisation tools. This includes using the Convert tool for A/B testing and personalisation purposes.

Convert helps us test different versions of our website to find out which changes provide the best user experience. The tool uses cookies to track how different user groups interact with different versions of the website. The data collected is anonymised and cannot be linked to you as an individual.

Convert is used to better understand how visitors navigate and interact with our content, allowing us to improve the website's design, performance and usability.

2.13.4 Marketing

These cookies are used for showing you advertising that may be relevant to you on other websites you visit. They are placed on our website by third-party advertising networks (Meta, Google, Microsoft Bing, LinkedIn, Schibsted, Amedia, etc.), on our behalf and with our permission.

Examples of data used by these cookies are: Preferred port of departure, articles you like and products you are interested in.

Our website uses Salesforce Collect Code to collect data about visitor interactions. This technology helps us understand how visitors use our website so that we can improve the user experience, personalise content, and enhance our services.

2.13.5 Consent to the use of cookies

We use cookies and similar technologies based on your consent, which you are asked to provide when visiting the site for the first time. This consent covers the use of such technology for storing or accessing data on users' devices, except in cases where it is strictly necessary to use this technology, see Section 3-15 of the Electronic Communications Act.

Personal data collected through the use of cookies that are strictly necessary for the functioning of the website, and other functional cookies for statistics and website customisation, are processed on the basis of our necessary legitimate interest (GDPR Article 6(1)(f)). We have assessed that our interest in processing personal data outweighs the individual user's right to privacy. We do, however, protect the privacy of visitors to the website by using the data for statistics only. These statistics do not allow for the identification of individuals. This data will be stored for as long as deemed necessary for the stated purposes.

The personal data we collect and process is, depending on the nature of that data, processed based on your consent (GDPR Article 6(1)(a)).

Information concerning which cookies, etc., we use on our websites, for how long these cookies collect data/information, who the data is shared with etc., is provided when you first visit a website, where you also provide consent via the banner/box that appears, or by clicking on the circle at the bottom left of any page. Here, you may also change your cookie preferences or withdraw consent.

2.13.6 Processing of personal data for security purposes

We also process technical logs and security logs, including the IP address used to register an order, as we must document any potential fraud and secure our systems. Logs and statistics are also stored and processed for the purpose of developing the service.

Every time you edit your personal data on My Page, your IP address is recorded and stored along with the changes made. This practice is important in documenting who made specific changes to an account and for ensuring that the data is accurate and legitimate. For completed orders, we also store the IP address associated with the order as part of its metadata for up to 30 days. This assists in verifying the validity of the transaction and increases security.

For our Fjord Club Members, we store IP addresses linked to changes on their personal account pages for as long as they are remain members. This process is an important element of our commitment to protecting your account and personal data from unauthorised access or alteration, which in turn is part of our commitment to maintaining the highest standards of data security and privacy.

The processing described above is carried out on the basis that we feel that or interest in securing and developing our systems and the data they hold is legitimate, and that this legitimate interest outweighs consideration for the information in question. (GDPR Article 6(1)(f) and Article 32). The data generated through our systems may be provided to the police in connection with investigations into, for example, fraud.

Unless otherwise stated above, the data is processed for approximately one year.

2.13.7 Links to third parties/other websites

Our websites may contain links to other websites or third parties that offer products or services, or link to other locations, that are not under our control. These links are only provided to allow the user to obtain more information. Websites that are not part of our own, i.e. those which are not included in the www.fjordline.com addresses, process personal data as a data controller in their own right and may have separate and independent privacy policies. We hold no responsibility for the content and activities of these websites.

We maintain contact with stakeholders and others via social media. Among other things, we have created a Facebook page where we are responsible for the processing of personal data in connection with that page together with Facebook.

We also have accounts on other social media platforms. On our Facebook page and other social media pages, personal data is processed when you comment on posts, “like” or follow us/our page. The purpose of processing personal data in relation to social media is maintaining contact with those who wish to communicate with us or interact with us in other ways, see also points concerning communication under point 2.2 above.

In this context, your name and connection to any other information you have made public on the social media account associated with your name are processed. In addition, everything you share via posts and comments in connection with us on social media, as well as the fact that you have “liked”/followed us, is processed.

If you share personal information in posts or comments related to us on social media, and in particular, if you share personal information about others, e.g. By “tagging” or mentioning people, this is your responsibility as a user of that social media platform.

We process personal data on social media on the basis that we believe we have a necessary legitimate interest in communicating with the public via these channels, and we therefore process personal data in this context (GDPR Article 6(1)(f)). We have assessed that this is necessary if we are to be able to communicate with the public and handle any inquiries we receive, and that the privacy of the data subjects does not outweigh these interests.

The data is processed for as long as posts/comments are available on the social media platform in question, and you may at any time delete these yourself.

We process your personal data in order to fulfil legal requirements and regulations, for example those related to security and accounting.

Fjord Line may be required to disclose personal data to authorities, such as the police or customs, in accordance with various laws. These authorities have access to the passenger manifest through the National Single Window Safe Sea Net, which is administered by the Norwegian Coastal Administration.

If we are to disclose such information, a written request referring to the applicable legal basis for disclosure must first be sent to Fjord Line. An application for disclosure of personal data must be attached to the request.

We process and disclose personal data based on the fact that we have a legal obligation to carry out such processing (GDPR Article 6(1)(c)). The data is processed as long as we have a legal obligation to do so, see also above under “When booking a trip.”

We prioritise the security of personal data in our company and implement all necessary technical and organisational measures to secure your personal data. Fjord Line uses several forms of security to protect personal data against unauthorised access, use or transfer.

We handle information in a proper and transparent manner that is appropriate to the degree of sensitivity of the data in question. Furthermore, we employ a variety of security technologies and data security procedures to protect personal data from unauthorised access, use, or disclosure. For example, we store personal data in data centres with physical security measures and access control in place. We use reputable encryption technologies for data transmission, and only allow the relevant personnel to gain access to systems containing personal data.

As part of our security routines, we also regularly test our security mechanisms. Risk assessments are carried out for the processing of personal data.

We enter into data processing agreements with all suppliers who must process personal data on our behalf, where they guarantee the same level of security for the processing of personal data as we ourselves maintain.

We limit access to personal data to those personnel or third parties who are required to process the data on our behalf. These parties are subject to confidentiality obligations.

Routines have been established for managing breaches of data security and personal data breaches, and if a breach occurs that poses a risk to the privacy of those connected to the personal data concerned, we undertake to send a notification of non-compliance to the Danish Data Protection Authority at the earliest opportunity, and no later than 72 hours after discovery of such a breach. If the breach poses a high risk to the privacy of the individuals affected, we will also notify them directly.

To enhance the security and integrity of your data, Fjord Line uses Keycloak, an open source tool for identity and access management, in order to authenticate and manage access to your account when logging in to “My Page” and our “Customer Club”.

Keycloak helps us manage your login information and authentication data securely. This includes:

• Username and password: Important for securing access to your account.
• Authentication logs: Contain data such as timestamps and IP addresses, which help monitor and protect against unauthorised access.

The central aim with collecting this data is to authenticate users and ensure a secure user experience across our digital platforms.

Authentication-related data is retained for a period of 30 days. After this period, such data is securely deleted from our systems in accordance with our retention guidelines.

If you choose to log in via a social platform such as Google Sign-in or Facebook, we store your first name, last name, and email address in our database. This data is retained until it is to be deleted in accordance with our retention and deletion policies.

Keycloak data is managed internally and is not shared with third parties unless necessary for the provision of essential services.

You have the right to gain information about the personal data we process concerning you. In this statement, we inform you about our processing of personal data. You may also contact us if you would like more information.

If we have disclosed data to others, we have an obligation to inform the recipient of any requests for correction or deletion of personal data, see section 10.3 below, or restrictions on processing, see section 10.5 below if such information is not possible to provide or involves disproportionate effort. We also have an obligation to inform you of any such disclosure, should you request it.

You have the right to gain insight into the personal data we process concerning you. Contact us if you wish to gain insight. If you have created an account, the majority of the data you have provided can be managed via this service, unless that data has been deleted, in which case, see above.

If requested, you may also receive a copy of the personal data we process concerning you. In order to simplify the provision of such data, we may ask you to specify which data you would like a copy of. When providing a copy of your personal data, we may require that you identify yourself to ensure personal data is not released to unauthorised persons. The data concerning you will be transferred in digital form unless you request to have it transferred in another format.

You can also ask us to correct any data we hold on you that is incorrect, or request that personal data be deleted. We will, wherever possible, comply with a request for deletion of personal data, but we cannot do this in cases where we have a continued need for that data.

If you delete your membership account, data associated with that membership will also be deleted or anonymised. However, this does not apply to data that we must process, e.g. information related to booked or completed trips.

If we process personal data based on your consent, you may withdraw this consent at any time. The easiest way to do this is to use the same method as that you used to initially give consent, alternatively, you may contact us.

You may require that our processing of your personal data be restricted in certain cases if the conditions for this are met. If processing is restricted, then personal data may only be stored. For more details, see GDPR Article 21.

When our processing is based on legitimate interest, you have the right to object to the processing of your personal data. If you object, we must stop the processing in question, unless there are compelling legitimate grounds for continued processing.

You may also object to the processing of personal data concerning you for marketing purposes, including profiling to the extent that this is related to direct marketing, see GDPR Article 22(2).

For data that you have provided to us that is necessary for the execution of an agreement with us, and that is processed automatically (i.e. not manually by us), you may request that the personal data concerning you be provided or transferred to another supplier in a structured, commonly used and machine-readable format (data portability).

No automated processing, including profiling, will be carried out based on your personal data that has any legal effects or significantly affects you personally. See GDPR Article 22(1) and (4).

If a personal data breach occurs, i.e. a breach of personal data security that poses a high risk to your privacy, we will notify you without undue delay.