1/26
CIT Data Protection Experts meet to discuss ticketing in relation with data protection
On 21 January, CIT Data Protection Experts met online to discuss recent topics relating to ticketing and data protection, with a focus on e-tickets. The meeting was chaired by Martin Leiter, Data Protection Officer at ÖBB-Holding AG.
Exchange about court decision on the sale of saver fare tickets
The meeting began with an exchange about a decision of the Higher Regional Court of Frankfurt am Main of 10 July 2025 (ref. 6 UKl 14/24) regarding the sale of saver fare tickets. The ruling concerned the sale of Sparpreis and Super-Sparpreis tickets (saver fare tickets) on the condition that an email address or mobile phone number is provided, and whether this complies with the General Data Protection Regulation (GDPR). The court ruled that the purchase of such a train ticket cannot require the provision of an email address or mobile phone number, as processing this data is not necessary for fulfilling the contract of carriage.
During the meeting, the Head of Data Protection Law and Privacy at DB Fernverkehr AG provided an overview of the background to the case. It was explained that the court held that making the purchase of such saver fare tickets conditional on providing an email address or phone number is unlawful as processing this data is not necessary for the performance of the contract, provided that standard fare tickets are available without the provision of an email address or phone number.
In this respect, however, the court showed a rather narrow understanding of what constitutes the “performance of the contract”, reducing it to transportation alone. However, this overlooks the fact that there are further obligations, such as keeping passengers informed, as required under the Rail Passengers Rights Regulation.
CIT Data Protection Experts discussed the case and how saver fare tickets are purchased in their countries, and which personal data is necessary for this. Criticism was also levelled at the Court decision for intervening in the entrepreneurial freedom of undertakings to offer specific services or products under certain conditions only.
Overview of GDPR roles within (international) e-tickets
An overview of GDPR roles within (international) e-tickets was presented at the meeting, and a “Worksheet on GDPR roles of different parties within (international) e-tickets” was reviewed. This will be refined in a subsequent step.
It was suggested that this worksheet could form the basis of a 'GDPR Code of Conduct on Ticketing'. In future, CIT will review the need for such a code of conduct jointly with experts from railway undertakings.