URGENT UPDATES
IC & ICE Express: Schedule Delay IC & ICE Express: Schedule Delay IC & ICE Express: Schedule Delay
Buy Ticket
GR
HomePrivacy Policy

Privacy Policy

Purpose of the Personal Data Protection Policy

Hellenic Train, a member of the FS Group, with registered address at 41 Syngrou Avenue & 13 Petmeza Street, P.C. 11743, Athens, in its capacity as Data Controller, guarantees respect for the privacy of natural persons engaging in transactions with the Company, as well as the protection of their personal data, whether such data are maintained online or within its premises.

For this reason, within the framework of the applicable national and European legal framework governing the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the “Regulation”), Law 4624/2019 and Law 3471/2006, as applicable, Hellenic Train publishes this lawful, fair and transparent Personal Data Protection Policy, with the aim of providing natural persons (“data subjects”) with adequate information regarding the personal data collected and processed during the provision of its services to the public, indicatively through its websites and applications related to its activities: www.hellenictrain.gr.

 

Definitions

For the purposes of this Policy, the following terms shall have the following meanings:

  • “Personal Data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be established, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person. 
  • “Special Categories of Personal Data”: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. 
  • “Processing”: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 
  • “Anonymisation”: the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject. 
  • “Pseudonymisation”: the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures ensuring that the data are not attributed to an identified or identifiable natural person. 
  • “Data Controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law. 
  • “Data Processor”: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller. 
  • “Data Subject”: the natural person whose personal data are being processed. 
  • “Consent” of the data subject: any freely given, specific, explicit and informed indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. 
  • “Personal Data Breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. 
  • “Applicable Legislation”: the applicable national and European legislation on personal data protection, in particular Regulation (EU) 2016/679 (hereinafter “GDPR”), Law 4624/2019, Law 3471/2006, the case law of the Court of Justice of the European Union (“CJEU”), as well as the Decisions, Guidelines and Opinions of the European Data Protection Board (“EDPB”) and the Hellenic Data Protection Authority (“HDPA”). 

 

Collection of Personal Data

Hellenic Train, within the framework of its activities and operation, may collect personal data relating to its passengers, employees and, in general, its partners and associates.

Hellenic Train processes personal data transparently and in accordance with the principles of lawfulness, proportionality, confidentiality and integrity, purpose limitation, accuracy, storage limitation and data minimisation.

In principle, Hellenic Train may collect and process personal data for the following purposes:

  1. In order to comply with obligations imposed by legislation and by the provisions of its Articles of Association (Article 6(1)(c) GDPR), such as: 
    • the provision of rail passenger and freight transport services, 
    • the development, organisation and operation of urban, suburban, regional, intercity and international passenger and freight rail transport services, as well as transport services of every type and means, 
    • the development of any other activity aimed at enhancing transport operations and providing optimal service to the public. 
  2. In order to comply with obligations imposed by applicable legislation, in particular insurance and tax legislation, regarding its employees and associates (Article 6(1)(c) GDPR). 
  3. In order to recruit personnel and engage external associates. In such cases, personal data are collected and processed pursuant to Article 6(1)(b) GDPR for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. In particular, the processing of special categories of data of job applicants, such as health data, is based on Article 9(2)(b) GDPR and Article 9(2)(h) GDPR for the assessment of the employee’s working capacity and for compliance with obligations relating to employment and safeguarding the fundamental rights of the applicant employee.
  4. In order to ensure its proper operation within the framework of its statutory purposes and the applicable legislation (Article 6(1)(c) GDPR). 
  5. In order to ensure the security of its personnel, premises and equipment. In this case, personal data are collected and processed for the purposes of safeguarding the legitimate interests of the Company, pursuant to Article 6(1)(f) GDPR. 
  6. In order to lawfully enter into contracts and comply with the legal obligations arising therefrom. In this case, the processing of partners’ data takes place for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR). 
  7. In order to manage passengers’ requests/complaints. In this case, we collect and process the data submitted by data subjects either through the Company’s electronic platforms or in hard copy at the Company’s premises, in the context of safeguarding legitimate interests. Where information provided through requests/complaints includes special category data, the legal basis for processing is the explicit consent specifically granted for this purpose.
  8. In order to manage and register ticket bookings, including payment management, personal data are processed for the performance of a contract with you (Article 6(1)(b) GDPR) and for safeguarding our legitimate interests (Article 6(1)(f) GDPR). 
  9. In order to provide customers with the opportunity to participate in competitions or complete questionnaires within the framework of our contractual relationship (Article 6(1)(b) GDPR), as well as in the context of our legitimate interests in evaluating the services we provide. 
  10. In order to manage our websites, in the context of safeguarding our legitimate interests for the protection and security of our networks and for improving website content and our services (Article 6(1)(f) GDPR). 
  11. In order to contact you regarding products or services that may be of interest to you, only where we have obtained your prior consent. In such cases, you retain the right to withdraw your consent at any time. 

 

Purposes of Processing – Legal Basis for Processing

  1. Ticket/Card Issuance

Hellenic Train collects and processes passenger data in the context of ticket issuance, both at ticket offices and through its call centre, website and application (Hellenic Train App).

 

Personal Data Purpose Legal Basis
Passenger’s first and last name
Discount category (e.g. Student, Child, Persons with Disabilities (PWD))
Billing details (country, postal code, city, address)
Contact details (country, postal code, city, address, telephone number, email)		 Passenger service during ticket issuance, cancellation and refund procedures
Management of payments, fees and charges
Change of travel time
Change of travel itinerary
Facilitation of the refund process		 Necessary for the performance of a contract – Article 6(1)(b) GDPR
Compliance with a legal obligation – Article 6(1)(c) GDPR and Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366
Legitimate interest of the Company in providing better service to passengers – Article 6(1)(f) GDPR
Contact details (country, postal code, city, address, telephone number, email) Notification in the event of changes, delays or cancellations affecting train services Legitimate interest of the Company in providing better service to passengers – Article 6(1)(f) GDPR
Email address Newsletter subscription Consent – Article 6(1)(a) GDPR
Title, first name, last name, date of birth, email, telephone number, password, address, city, postal code Creation of an account for ticket issuance and management Necessary for the performance of a contract – Article 6(1)(b) GDPR
First name, last name, sender’s email address, recipient’s email address Issuance and delivery of a gift card Necessary for the performance of a contract – Article 6(1)(b) GDPR
Chat/conversation details Customer service Legitimate interest of the Company – transaction security and service quality assurance – Article 6(1)(f) GDPR

 

In particular, for ticket purchases through our website, call centre or the Hellenic Train App, Hellenic Train does not store any credit/debit card details provided during purchases, as payments are processed through a secure banking environment.

 

  1. Members – Hellenic Train HT Card

Within the framework of participation in the Hellenic Train HT Card programme, Hellenic Train collects and processes:

 

Personal Data Purpose Legal Basis
Member’s first and last name
Discount entitlement
Contact details (country, postal code, city, address, telephone number, email)		 Registration to the Hellenic Train HT Card programme Necessary for the performance of a contract – Article 6(1)(b) GDPR
Contact details (email/telephone number) Communication with members regarding offers and updates Consent – Article 6(1)(a) GDPR
Ticket details Passenger service during ticket issuance, cancellation and refund procedures
Management of payments, fees and charges		 Necessary for the performance of a contract – Article 6(1)(b) GDPR

 

  1. Transportation of Persons with Disabilities (PWDs)

Within the framework of handling requests for transportation assistance for Persons with Disabilities (PWDs), Hellenic Train collects and processes:

Personal Data Purpose Legal Basis
Passenger’s first and last name Passenger assistance services during the transportation of Persons with Disabilities (PWDs) Necessary for the performance of a contract – Article 6(1)(b) GDPR
Legitimate interest of the Company – Article 6(1)(f) GDPR
Contact details (country, postal code, city, address, telephone number, email) Notification in the event of changes, delays or cancellations affecting train services Consent – Article 6(1)(a) GDPR
Date and time of transportation
Boarding/disembarkation station – itinerary		 Passenger assistance services during the transportation of Persons with Disabilities (PWDs) Necessary for the performance of a contract – Article 6(1)(b) GDPR
Legitimate interest of the Company – Article 6(1)(f) GDPR
Any information included in the message Passenger assistance services during the transportation of Persons with Disabilities (PWDs) Consent – Article 6(1)(a) GDPR

 

  1. Communication with Hellenic Train

For the management of requests, complaints and information inquiries submitted through the contact form or by telephone, the Company may collect:

Personal Data Purpose Legal Basis
Incident description (subject, date and time of the incident, etc.)
First name, last name, email address, address, city, region, postal code, country, telephone number (landline), telephone number (mobile), fax
Any information included in the request, image		 Communication with Hellenic Train Article 6(1)(f) GDPR – direct communication between Hellenic Train and website users/passengers
Consent – Article 6(1)(a) GDPR
Telephone call Communication with Hellenic Train – ensuring the security of communications and the best possible passenger service Legitimate interest of the Company – transaction security and service quality assurance – Article 6(1)(f) GDPR
Email address Subscription to the Company’s newsletter Consent – Article 6(1)(a) GDPR

 

Call Recording

Calls received and made through the fixed-line telephones of the Operations Control Centre (KPK) for the positions “Traffic Monitoring” and “Passenger Care” are recorded for security and quality assurance purposes.

All recordings are made in accordance with the GDPR and the decisions and guidelines of the Hellenic Data Protection Authority and are governed by the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.

Such recordings are retained by the competent provider for a limited period not exceeding two (2) years, unless another lawful basis for longer retention applies.

Access to such recordings is granted only to the strictly necessary persons within the Company, namely the OCC Supervisor, the Head of the Traffic Control & Infrastructure Contract Monitoring Unit, and the Operations Director.

 

  1. Lost Property

Hellenic Train may collect:

Personal Data Purpose Legal Basis
First name, last name, date and time of the incident, station – itinerary, method of communication, any information included in the request Communication with Hellenic Train in the context of lost property requests Article 6(1)(f) GDPR – direct communication between Hellenic Train and passengers for request management
Consent – Article 6(1)(a) GDPR

 

  1. Freight Transport

Where you use Hellenic Train freight and parcel services, the following data may be collected:

Personal Data Purpose Legal Basis
Sender’s/recipient’s first and last name
Contact details (country, postal code, city, address, telephone number, email)		 Transportation of freight and parcels Necessary for the performance of a contract – Article 6(1)(b) GDPR
First name, last name, contact telephone number, capacity, sender’s and recipient’s address, billing details (IBAN, VAT number, Tax Office) Order completion Necessary for the performance of a contract – Article 6(1)(b) GDPR

 

  1. Submission of CVs

You may submit your CV to the Company for the filling of job vacancies. In this case, Hellenic Train collects and processes only the personal information necessary for assessing the candidate’s suitability for the specific position, as follows:

Personal Data Purpose Legal Basis
First name, last name, email address, mobile phone number, CV details (mandatory fields)
Other supporting documents submitted by the candidate (cover letter, degrees, certificates)		 Assessment of suitability for a job position
Communication with the candidate regarding the progress of the recruitment process		 Necessary for the performance of a contract or at the pre-contractual stage – Article 6(1)(b) GDPR

Necessary for the purposes of the legitimate interests pursued by the Company (employee suitability) – Article 6(1)(f) GDPR
Details of previous employers Communication with previous employers Consent – Article 6(1)(a) GDPR

 

  1. Automatically Collected Data

When using this website, certain information may be collected automatically, including:

  • Language settings 
  • IP address 
  • Location 
  • Device settings 
  • Operating system 
  • Activity information 
  • Usage time 
  • Redirect URLs 
  • Browser version 
  • Browsing history 
  • Cookies 

For further information regarding cookies, please refer to the relevant page on www.hellenictrain.gr.

 

Recipients

Hellenic Train does not, in principle, transfer the personal data collected through its website to third parties outside the FS Group. Your personal data are disclosed to employees working in the relevant department. In addition, they may be disclosed to partners to whom Hellenic Train has assigned the processing of personal data on its behalf, as well as to cooperating entities/companies.

More specifically, in the context of fulfilling the processing purposes referred to above, data may be transferred indicatively to:

  • third-party cooperating companies providing relevant services to Hellenic Train (e.g. ticket agencies, accounting support providers, technical support providers, payroll service providers, etc.); 
  • companies within the OSE Group, to the extent that such transfer is necessary for serving the requests of data subjects and fulfilling the purposes of Hellenic Train, obtaining the necessary consent where required; 
  • judicial and prosecutorial authorities, as well as other public authorities and supervisory bodies (e.g. tax authorities, etc.) in the exercise of their duties, either ex officio or following a request by a third party invoking a legitimate interest and in accordance with the applicable legal procedures. 

In all cases, third parties to whom data subjects’ personal data are transferred are contractually bound to Hellenic Train by confidentiality clauses and are subject to all obligations provided for under the Applicable Legislation regarding the protection of data subjects’ rights.

Transfer of Personal Data outside the EEA

As a rule, Hellenic Train does not transfer your personal data to third countries and/or International Organisations.

In the event that your personal data are transferred to a country outside the European Economic Area (EEA) or to an International Organisation, Hellenic Train shall first ensure that one of the legal bases under Article 6 or Article 9 of the Regulation applies and, cumulatively, that:

  1. a) the European Commission has issued an adequacy decision for the third country to which the transfer will take place (Article 45 GDPR); or
  2. b) appropriate safeguards pursuant to the GDPR are in place for such transfer of personal data (Article 46 GDPR); or
  3. c) in the case of occasional processing activities, one of the derogations provided for under Article 49 GDPR applies, such as the explicit consent of the user after being informed of the risks involved in such transfer, the transfer being necessary for the performance of a contract at the request of the data subject, important reasons of public interest, the establishment, exercise or defence of legal claims, or the protection of the vital interests of the data subject, etc.

 

Data Retention Period

 

The personal data of data subjects are collected and retained for a predefined and limited period of time, depending on the purpose of the processing, after which such data are deleted from our records.

 

Where processing is required as an obligation under the applicable legal framework or where a specific retention period is prescribed, your personal data will be stored for the period required by the relevant provisions.

 

Personal data collected and processed for the performance of a contract shall be retained for as long as necessary for the performance of the contract and for the establishment, exercise and/or defence of legal claims arising from the contract.

 

Personal data processed for marketing purposes based on the consent of the data subjects (e.g. data collected through Newsletter subscriptions) shall be retained until such consent is withdrawn, without such withdrawal affecting the lawfulness of the processing carried out prior thereto.

 

Personal Data Breach

 

In the event of a personal data breach incident, Hellenic Train implements a specific Personal Data Security Breach Management Policy.

 

If you become aware of or suspect that a personal data breach may have occurred or has occurred, please notify Hellenic Train without undue delay at: dpo@hellenictrain.gr.

 

Security of Personal Data

 

Taking into account the latest technological developments, the cost of implementation and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of data subjects arising from the processing of their personal data, Hellenic Train implements the necessary technical and organisational measures to safeguard those rights.

 

Although no method of transmission over the Internet or method of electronic storage is entirely secure, Hellenic Train adopts all necessary data security measures (e.g. antivirus protection), in compliance with its obligations under the Applicable Legislation.

 

Rights of Data Subjects

 

Hellenic Train ensures that it is able to respond promptly to requests from data subjects regarding the exercise of their rights under the Applicable Legislation.

 

In particular, each data subject has the following rights:

 

  1. To request access to the personal data maintained by Hellenic Train. More specifically, the data subject may request a copy of the records maintained by Hellenic Train containing their personal data and verify the lawfulness of the processing thereof.

 

  1. To request the rectification of personal data in the event that such data are inaccurate or incomplete.

 

  1. To request the erasure of personal data where such data are no longer necessary for the purposes for which they were collected and where their retention is not based on any legal basis or legitimate interest.

 

  1. To request the restriction of the processing of personal data.

 

  1. To request the portability/transfer of personal data either to themselves or to third parties.

 

  1. To withdraw at any time the consent provided for the processing of personal data, without such withdrawal affecting the lawfulness of the processing carried out prior thereto.

 

Furthermore, the data subject has the right to object to the processing of their personal data by Hellenic Train.

 

In the event of the exercise of any of the above rights, Hellenic Train shall respond promptly [and in any case within thirty (30) days from submission of the request], informing you in writing of the progress of its handling.

 

For any complaint regarding this Privacy Notice or matters relating to personal data protection, if we fail to satisfy your request, you may contact the Hellenic Data Protection Authority through the following link: https://www.dpa.gr

 

Contact Details of the Data Protection Officer (DPO)

 

For the exercise of all the above rights, as well as for any matter concerning the processing of your personal data by Hellenic Train, you may contact the Company’s Data Protection Officer at: dpo@hellenictrain.gr

 

Disclaimer for Third-Party Websites – Social Media Buttons

This website contains social media widgets/buttons (e.g. Google, Twitter/X, LinkedIn). Through the use of such widgets, once the user logs into the relevant social network, a specific digital footprint is created, for which both Hellenic Train and the respective social network act as joint controllers.

 

For Hellenic Train, the purpose of processing such data is to improve the functionality of the Website and the services provided, as well as to analyse website traffic. The legal basis for the processing of personal data is the legitimate interest pursued in ensuring interoperability with applications used by the customer.

 

Hellenic Train neither controls nor bears responsibility for any subsequent processing carried out by the joint controllers.

 

For more information regarding the data processing policies and settings options of these networks, you may visit the following websites:

  • https://www.google.gr/ 
  • https://www.linkedin.com/ 
  • https://twitter.com/ 

 

Updates to the Personal Data Protection Policy

This Personal Data Protection Policy may be amended/revised in the future in the context of the Company’s regulatory compliance obligations, as well as the optimisation and upgrading of the Website’s services.

We therefore recommend that you consult the updated version of this Policy each time, in order to remain adequately informed.

May 2026