GDPR Data Protection

1. Why We Issue These Policies

Protecting your personal data is important to us. At Leo Express Global a.s. (hereinafter referred to as "Leo Express"), we are committed to safeguarding and processing the personal data you provide in accordance with these Personal Data Processing Policies (hereinafter referred to as the "Policies"). (Leo Express is headquartered at Řehořova 908/4, Žižkov, 130 00 Prague 3, Company ID: 290 16 002, and is registered in the Commercial Register under file number B 15847 at the Municipal Court in Prague.)

In these Policies, you will find information about:

  • Who is responsible for processing personal data;
  • The purposes for which we process personal data;
  • What categories of personal data we process;
  • Why and for how long we process personal data;
  • With whom we share personal data;
  • Your rights; and
  • How to contact us.

2. Basic Terms and Information

Personal data is any information relating to an identified or identifiable individual. This can include, for example, your first and last name, email address, phone number, date of birth, identity document number, or payment details. It also includes technical data, such as an IP address or cookies, if they can lead to identifying the user.

A data subject is any person whose personal data we collect and process, such as a passenger. If we process your personal data, you are the data subject. For simplicity, we will address you formally as "you" throughout these Policies.

The controller is the person who determines why and how personal data is processed and bears responsibility for it. Unless otherwise stated in these Policies or in the terms of a specific service, Leo Express is the controller of your personal data.

The processor is the person who processes personal data on behalf of the controller based on their instructions.

Processing of personal data means any handling of your data – whether automatic or manual. Simply put, if Leo Express obtains your data and works with it in any way (for example, stores it in a database, uses it to send an email, or transfers it to another party), this is considered personal data processing.

3. Purposes of Personal Data Processing

We process your personal data for the following purposes and retain it for the periods specified below. We also indicate whether providing the data is a contractual or legal requirement, and the consequences of not providing such data.

3.1. Purchase of Travel Tickets

3.2. Managing Smile Club Account

3.3. Sending Commercial Communications and Satisfaction Surveys

3.1. Purchase of Tickets

3.1.1 Purpose of Processing Personal Data

We process your personal data for the purpose of concluding and fulfilling the transportation contract. This is necessary so that we can sell you a ticket, enable your travel on our services, and provide related services. This applies whether or not you are a registered customer in the Smile Club loyalty program, whether you purchase an electronic or printed ticket, and whether the purchase was made online via our website www.leoexpress.com, our mobile app, at our ticket offices, or through our commission sellers. Your personal data is processed, for example, when creating and managing your reservation, sending payment confirmations, informing you about changes in transport, or handling any complaints. We do not process any personal data if you purchase a single printed ticket and do not provide contact details through which we could inform you about cancellations, changes to services, or other extraordinary situations.

Data processing is also necessary to fulfill our legal obligations, such as accounting and tax purposes, compliance with transportation regulations, or in case of cooperation with public authorities such as the Police of the Czech Republic.

3.1.2 Legal Basis for Processing

The processing of your personal data when purchasing a ticket is based on the following legal grounds:

Performance of a Contract – We process personal data because it is necessary for the conclusion and performance of the transportation contract, i.e., selling the ticket, ensuring your travel, providing related services, and handling any complaints.

Compliance with Legal Obligations – We must retain and process certain personal data to comply with legal obligations arising from laws, such as accounting and tax regulations, transportation rules, or when cooperating with public authorities like the Police of the Czech Republic.

3.1.3 Types of Personal Data Processed

The scope of personal data we process varies depending on whether you purchase a printed or electronic ticket, whether it is for domestic or international transport, and whether the ticket is transferable or non-transferable.

Electronic Tickets

a) If you purchase any electronic ticket, we process the following:

Personal dataLegal BasisRetention PeriodConsequence of Not Providing the Data
E-mail address

Performance of a contract: 

- to send the ticket; 

- to send payment confirmation; 

- to send notifications in case of timetable changes (cancellation/change of the service for which you purchased the ticket); 

- to handle any complaints.

For the validity period of the ticket and the following 3 years for the purpose of handling complaints, claims, and other legal matters.

Providing this data is our contractual requirement. Without it, we cannot provide you with the relevant service (transport).

Phone number

Performance of a contract: 

- to send notifications in case of timetable changes (cancellation/change of the service for which you purchased the ticket).

Will be deleted immediately after the completion of transport/expiry of the ticket.Providing this data is voluntary. If you do not provide it, transport will not be affected, and we will send notifications only by email.
Your payment details according to the chosen payment methodPerformance of a contract and compliance with legal obligations.For 10 years from the issuance of the ticket.Providing this data is both our contractual and statutory requirement. Without it, we cannot provide you with the relevant service.
IP adress

Performance of a contract: 

- to ensure the proper functioning of the e-shop.

For 3 months from the purchase date, to ensure system security and record redirections from the payment gateway.Providing this data is our contractual requirement. Without it, we cannot provide you with the relevant service (enable online purchase).

b) If you purchase a time ticket, we additionally process the following:

Personal DataLegal BasisRetention PeriodConsequence of Not Providing the Data
Name, surname, date of birth

Performance of a contract: 

- to verify your identity (the ticket is non-transferable).

For the validity period of the time ticket and the following 3 years for the purpose of handling complaints, claims, or other legal matters.Providing this data is our contractual requirement. Without it, we cannot provide you with the relevant service. A prerequisite for the sale of a time ticket is prior registration in the Smile Club program.

c) If you purchase a ticket from Ukraine or to Ukraine, we additionally process the following:

Personal DataLegal BasisRetention PeriodConsequence of Not Providing the Data
Name, surname, and, where applicable, the name and surname of accompanying passengers for whom the ticket is intended, phone numberCompliance with legal obligations and performance of a contract.For the validity period of the ticket and the following 12 months. Your phone number will cease to be processed immediately after the completion of the journey.Providing this data is both a legal and contractual requirement. For international journeys, we must ensure that each passenger is properly identified. Without it, we cannot provide you with the relevant service.

d) If you purchase a ticket with an Interrail/Eurail fare, we additionally process the following:

Personal DataLegal BasisRetention PeriodConsequence of Not Providing the Data
Name, surname, and, where applicable, the name and surname of accompanying passengers for whom the ticket is intended, Interrail/Eurail pass numberCompliance with legal obligations and performance of a contract.For the validity period of the ticket and the following 12 months.Providing this data is both our contractual and legal requirement (in accordance with applicable laws of the Czech Republic and the EU, including compliance with the General Conditions of Carriage for Rail Passengers GCC-CIV/PRR). For international journeys, we must ensure that each passenger is properly identified. Your pass number is required to verify its validity. Without this data, we cannot provide you with the relevant service.

Printed tickets

a) If you purchase a ticket through our authorized resellers or at Leo Express ticket offices, we process the following data:

Personal DataLegal BasisRetention PeriodConsequence of Not Providing the Data
Phone number

Performance of the contract: 

- to send notifications in case of timetable changes (cancellation/change of the connection for which you purchased a ticket).

Will be deleted immediately after the transportation is completed / the validity of the ticket expires.Providing this data is optional. If you do not provide it, your transportation will not be affected, but we will not be able to notify you about important changes in your journey.
E-mail address

Performance of the contract: 

- to assign the ticket to your account in the Smile Club program.

We process this data for the duration of our contractual relationship established by registration in Smile Club. If you cancel your registration, this data will be deleted immediately.Providing this data is optional. If you provide the email under which you are registered in the Smile Club loyalty program, we can assign the ticket purchase to your account. If you do not provide it, your transportation will not be affected.

b) If you purchase a time ticket, we process the following data:

Personal DataLegal BasisRetention PeriodConsequence of Not Providing the Data
First name, last name, date of birth, and, if applicable, the first and last name of the person for whom the ticket is intended

Performance of the contract: 

- to verify your identity (the ticket is non-transferable).

For the duration of the time ticket and for the following 3 years in case of complaints, claims, or other legal matters.Providing this data is a contractual requirement. Without it, we cannot provide the relevant service. A prerequisite for purchasing a time ticket is prior registration in the Smile Club program.

c) If you purchase a ticket from Ukraine or to Ukraine, we process the following data:

Personal DataLegal BasisRetention PeriodConsequence of Not Providing the Data
First name, last name, and, if applicable, the first and last name of accompanying passengers for whom the ticket is intended, phone numberCompliance with legal obligations and performance of the contract.For the duration of the ticket and the following 12 months. Your phone number will be deleted immediately after the transportation is completed.Providing this data is both a contractual and legal requirement (under applicable Czech and EU laws, including compliance with the General Conditions of Carriage for Rail Passengers GCC-CIV/PRR). For international travel, we must ensure that each passenger is properly identified. Without this information, we cannot provide the relevant service. Processing the phone number is a contractual requirement, as it allows us to inform you of cancellations or delays, which may be up to several hours.

3.2. Smile Club Account Management

3.2.1 Purpose of Personal Data Processing

We process your personal data for the purpose of creating and managing your Smile Club user loyalty account, which allows you to conveniently purchase tickets, manage reservations, enjoy various benefits, collect rewards, and use other services related to our transport system.

This account enables us to manage your interactions with us more efficiently, ensure faster reservations, apply loyalty rewards, and provide you with easier access to information about your journeys and payments.

3.2.2 Legal Basis for Processing

The processing of personal data for the purpose of managing the user account is based on the legal basis:

Performance of a contract – when you create a user account, we enter into a contract to provide our services, which includes, for example, the possibility to purchase tickets, manage reservations, use benefits, and collect rewards. Processing your personal data is necessary to fulfill this contract because without this data, we would not be able to ensure that you can use all services associated with your account.

3.2.3 What Personal Data We Process

a) If you create a Smile Club account with us, we process:

Personal DataLegal BasisRetention PeriodConsequence of Not Providing the Data
First name, last name, email, date of birth, information about purchased tickets, IP address

Performance of the contract: 

- for managing your reservations and maintaining their history; 

- for sending emails necessary for managing your account; 

- for sending information about credited cashback; 

- for sending receipts for refreshments purchased during your journey; 

- for verifying your identity when purchasing tickets where providing this information is required.

We process this data for the duration of our contractual relationship established by registration in Smile Club. If you cancel your registration, your data will be deleted immediately.Providing this data is a contractual requirement. Without it, we cannot provide the relevant service. However, you may opt out of receiving information about credited cashback and receipts for refreshments purchased during your journey via email (you will then receive a printed receipt). You may also opt out of providing your date of birth; however, in that case, we cannot provide services that require age verification or other benefits, such as bonus credits on your birthday.

b) If your account is linked within the Corporate system, we additionally process:

Personal DataLegal BasisRetention PeriodConsequence of Not Providing the Data
First name, last name, name of the company you belong to, information about purchased tickets, their type, and any discounts appliedPerformance of the contractWe process this data for the duration of your connection within the Corporate system. If you terminate this connection, the information about the company under which you are registered will be deleted immediately.Providing this data is a contractual requirement. Without it, we cannot ensure the linking of your account to the Corporate system.

c) If your account is linked within the Corporate Family system, we additionally process:

Personal DataLegal BasisRetention PeriodConsequence of Not Providing the Data
First name, last name, date of birth, information about purchased tickets, IP addressPerformance of the contractWe process this data for the duration of your connection within the Corporate Family system. In the event of termination or cancellation of participation in this program, this connection with the Corporate Family program will be removed.Providing this data is a contractual requirement. Without it, we cannot ensure the linking of your account to the Corporate Family system.

3.3. Sending satisfaction surveys regarding completed journeys

3.3.1 Purpose of processing personal data

We process your personal data to determine how satisfied you were with the completed journey and the related services provided to you.

3.3.2 Legal basis for processing

We process personal data based on our legitimate interest in improving the quality of the services provided.

3.3.3 Personal data we process

Personal DataLegal BasisRetention PeriodConsequence of Not Providing the Data
E-mail address

Legitimate interest: 

- for the purpose of improving the quality of services provided.

For the period necessary to send the survey and evaluate the responses. Afterwards, your responses are anonymized.Providing this data is optional. When purchasing a ticket, you can choose not to receive the satisfaction survey. If you are registered in Smile Club, you can opt out of receiving the survey in your account settings.

3.4. Sending commercial offers (newsletter)

3.4.1 Purpose of processing personal data

We process your personal data for the purpose of sending commercial offers, in particular in the form of discounts, seasonal promotions, or special campaigns such as news about our services, the introduction of new routes, competitions, etc.

3.4.2 Legal basis for processing

The processing of personal data for the purpose of sending commercial communications is based on your consent, which you have provided to allow us to send you such communications.

3.4.3 Personal data we process

Personal DataLegal BasisRetention PeriodConsequence of Not Providing the Data
E-mail

Consent

For this purpose, your personal data may be processed until you withdraw your consent, but for a maximum of three years. Before this period expires, a so-called reactivation email will be sent to you, allowing you to click the relevant link to indicate that you still wish to receive commercial communications from us.

If you do not provide your consent or withdraw it, we will not send you commercial communications (newsletter).

4. Who Has Access to Your Personal Data

Your personal data is accessible only to those individuals or companies that need it to fulfil a specific purpose, such as the companies within the Leo Express group (Leo Express s.r.o., Leo Express Tenders s.r.o., Leo Express Slovensko s.r.o.), our business partners who provide us with transport services, external contractual ticket vendors, or other external processors who assist us with IT services and administration. Their list is available here: SYMBIO Digital, s.r.o., Company ID: 26492407; trueScan s.r.o., Company ID: 27400905; Avedeo, s.r.o., Company ID: 06160522; OREDO s.r.o., Company ID: 25981854; CENDIS s.p., Company ID: 00311391. We may also disclose your data in accordance with legal regulations, for example, based on requests from public authorities.

If your account is linked within the Corporate system, we also provide information about your completed journeys to the company you are affiliated with, for billing purposes.

We ensure that your personal data is shared only to the extent strictly necessary and exclusively with entities that provide appropriate guarantees for data protection and process them in accordance with applicable legal regulations.

As part of our business relationships, your personal data may be shared with or made accessible to third parties, which may also be located outside the European Economic Area (EEA), i.e., in third countries. Transfers to a third country are carried out only in accordance with applicable data protection regulations, in particular with a guarantee of an adequate level of data protection. This means that your data will be transferred only if there is an EU Commission decision on an adequate level of data protection (Art. 45 GDPR), appropriate safeguards for the protection of your personal data are provided (Art. 46 GDPR), or there is a statutory provision allowing it (Art. 49 GDPR). Appropriate safeguards within the meaning of Art. 46 GDPR include the standard contractual clauses on personal data protection published by the EU Commission.

For more information about data transfers outside the EEA, please feel free to contact us.

5. Your Rights and Other Important Information

5.1. Right of Access

You have the right to request information about what personal data we process about you, how we handle it, and why we process it. If you request this information, we will provide you with a copy of your stored data without undue delay. This right helps you control how your data is processed and ensures it is accurate and up-to-date.

Example: If you want to see what personal data we have about you, you can easily view it directly in your user account. If some data is not available in the account, you can contact us, and we will provide an overview of all the data we process.

5.2. Right to Rectification

If you believe that we are processing inaccurate, outdated, or incomplete personal data about you, you have the right to request its correction or completion.

Example: If you have changed your last name or phone number, you can update it yourself directly in your user account settings. For correcting other data, you can contact us, and we will provide an overview of all the data we process.

5.3. Right to Erasure

You have the right to request the deletion of your personal data. However, this right does not apply in all situations, and in some cases, there may be reasons why we cannot delete the data.

If you submit a request to delete your personal data, we will delete your personal data if (i) it is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) you have withdrawn consent on which the processing was based, and there is no other legal basis for processing; (iii) you object to the processing and there are no overriding legitimate grounds for processing your data; (iv) the processing is unlawful; or (v) there is no longer any legal obligation to process the personal data under EU or national law.

Example: If you have completed all your trips and no longer wish to maintain an account, you may ask us to delete the personal data we have collected about you, such as bookings or contact information. Please note, however, that some data must be retained, for example, payment information, as we are required to keep it for accounting and tax purposes.

5.4. Right to Restriction of Processing

While any dispute regarding the processing of your personal data is being resolved, you may request the restriction of processing of your personal data. If processing was restricted, your personal data may only be processed, aside from storage, with your consent, for the establishment, exercise, or defense of legal claims, for the protection of the rights of another person, or for important public interest reasons of the EU or a member state.

5.5. Right to Data Portability

You have the right to receive the personal data concerning you that (i) you have provided to us, (ii) is processed based on your consent or contract, and (iii) is processed by automated means, in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller. However, if exercising this right would adversely affect the rights and freedoms of others, we will not be able to comply. The controller will not perform automated decision-making, including profiling.

5.6. Right to Object

You have the right to object to the processing of your personal data if it is processed based on public interest or our legitimate interests, including profiling. If you object, we will stop processing your data unless there are compelling legitimate grounds for the processing. You also have the right to object to processing for direct marketing purposes at any time. If you object, your personal data will no longer be processed for this purpose.

5.7. Right to Withdraw Consent

If we process your personal data based on your consent, you have the right to withdraw it at any time. After receiving your withdrawal, we will no longer process your data for the given purpose. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

5.8. Right to Lodge a Complaint

Our activities are supervised by the Office for Personal Data Protection, where you can file a complaint if you are dissatisfied. You can send your complaint to:

Office for Personal Data Protection
Pplk. Sochora 27, 170 00 Prague 7, Česká republika
Email: [email protected]
Website: www.uoou.gov.cz

6. How to Exercise Your Rights and Contact Leo Express

We generally handle your requests free of charge because it is important to us that you have transparency regarding the processing of your personal data. However, in cases of repeated or manifestly unfounded requests to exercise the rights mentioned above, we may charge a reasonable fee for processing the request or refuse to act on it. We would inform you of such a decision along with the reasons.

If you wish to exercise any of your rights mentioned above, please contact us:

  • By email at [email protected];
  • By data message at ID: 5r2izx7;
  • By mail at Leo Express Global a.s., Řehořova 908/4, Žižkov, 130 00 Prague 3.

We will need to verify that you are indeed the person to whom the request relates. We will choose a verification method that is appropriate and minimally burdensome.

We recommend securing your request with a qualified electronic signature or a notarized signature. If you send the request from the email address associated with your Smile Club account, simply providing your name as the sender will suffice. However, if there are doubts about your identity, we may request additional information for verification.

We will respond to your questions or requests without undue delay (at the latest within one month; however, in justified cases, this period may be extended).

Log into the loyalty program Smile Club

or

Don't have an account yet?

By logging in I agree with conditions of the loyalty program, processing of personal data and declare that I have reached the age of 16. Cancellation of tickets is only possible to leo credits.