PRIVACY POLICY

Privacy Policy

First and foremost, we want you to know that your privacy concerns us, and we take the responsibility you directly or indirectly have entrusted us, seriously.

This policy explains how Horizons AS collects customer data, use the data and in which situations and to whom the data is disclosed. 

KILROY is part of a European group of companies that operates within travel, educational counselling and student benefits as subsidiaries of KILROY International A/S.

Collection and processing of personal data is an unavoidable and necessary part of conducting this kind of business and to fulfil the purposes described in this privacy policy.

KILROY is data-responsible for the processing of personal data for these purposes. 
If you have any questions regarding this privacy policy or to our handling of your personal data, our address is:

Horizons A/S

CVR 11153380
Nytorv 5,
DK-1450 Copenhagen K
Denmark

Privacy@kilroy.net

The head office address of the KILROY Group, is:

KILROY International A/S
Nytorv 5,
DK-1450 Copenhagen K
Denmark.

More information about the processing of customer data at KILROY can also be obtained by writing to privacy@kilroy.net.

  1. Protection and safety is important to us

Responsible handling of personal data collected as part of the operation of our business, is crucial to our business objectives and reputation. In this privacy policy we will account for how your personal data is collected and used when you are a customer, supplier or business partner and how you can gain access to you own personal data.

  1. What is personal data?

Personal data is any kind of data about an identified or identifiable living individual. An identifiable individual is understood as a person, who directly or indirectly can be identified, among other things, by an identification number or one or more elements, that are particular to a given person’s identity.

  1. What type of personal data are we processing and why?

Your personal data will be used for different purposes in relation to your position as customer and the operation of KILROY. The data collected may vary, depending on whether you are a customer, supplier or business partner, but in general it will be data regarding customer administration, supplier administration, direct marketing and data regarding KILROY’s rights and obligations. 

Failure to provide personal data on your part, may mean that KILROY is unable to fulfil its obligations towards you as customer or supplier. 
As a rule, KILROY only collects and processes regular personal data. In specific cases of booking an Interrail pass, it can be necessary for us to a limited extent, to process sensitive personal data (e.g. information regarding special needs assistance during your trip), but only when it is necessary for booking the trip and assistance you require. 
KILROY will typically gather the following information:

3.1 Information concerning our customers 
The information provided to us when booking an Interrail pass (first name, last name, e-mail address, address, phone number, orders/purchases (type of IRP), prices, total spent, total orders, applicable taxes, information regarding payment (credit card number credit card validity), IP address, date of birth, passport number, country of residence, validity of IRP, age range of the traveler (in between 4-11, in between 12-28 in between 28-60, over 60), IRP price, IRP number, seat class, the date of dispatch.

The information provided to us when requesting for seat reservation assistance: name, phone number, e-mail address, the request, KILROY order number, route (start and end destination), number of persons, departure date, departure time, comfort level - 1st or 2nd class,  night-train - comfort level: seat, berth (3, 2 or 1 bed).

The information provided to us when contacting our customer service / travel consultants: name, phone, e-mail, content of the message.

3.2 Information concerning our suppliers and business partners 
Information you provide when entering a contract or agreement with us, including contact information (job, job title, first name, middle name(s), surnames, addresses, telephone number, email address), information regarding your marketing and communication preferences, as well as information you have given us if you contact us with questions, to report a problem or when you contact us with reference to your customer relationship.

  1. What do we use your personal data for?

KILROY processes your personal data to fulfil the purposes stated below. Notice, that not all purposes, categories of information, recipients of information and types of procedures are applicable to you in all cases 

KILROY exclusively processes your personal data to the extent necessary for you as customer, supplier or business partner (as specific interests in each case, are taken into account) or in accordance with existing law.

4.1 Customer administration
KILROY processes your personal data when establishing and administering your customer relationship with KILROY, as a part of the operation of our company, including sales of Interrail passes and delivery of related services (e.g. customer support regarding products and services bought, seat reservations related to the Interrail passes sold, etc.), maintenance of our customer registers, billing, marketing, statistics, etc. All statistics and analysis are compiled in anonymized form and therefore do not contain information, that can lead directly back to you as a person. 

4.2 Administration of supplier and business partner relationships
KILROY processes your information when co-administrating supplier and business partner relations, where you are the supplier or business partner, or contact person with a supplier or business partner, which KILROY is working with as a part of the operation of our company, including maintenance of our CRM-registry with information about our contact with each supplier and business partner. 

4.3 Compliance with current laws and regulations
KILROY processes your personal data in compliance with the laws and regulations that KILROY is subject to with respect to the operation of the business or for filing different liability and disclosure requirements in accordance with applicable laws and regulations (tax laws, fraud prevention laws, etc.).

KILROY does not use your personal data to make decisions, that are solely based on automatic processing, except for profiling.

Profiling is a form of automated processing of your personal data. We use profiling and data modelling e.g. to be able to offer you specific services and products that meet your preferences for marketing purposes.

KILROY strives to guarantee that all personal data we process is correct and up to date. We therefore always ask you to inform us regarding possible changes in your personal details (e.g. change of address, name, phone number or payment) so that we can guarantee that your personal data is always correct and up to date. You should update your personal data immediately in case of changes.

  1. How long do we keep your personal information?

KILROY will retain information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with the Services or to comply with applicable legal, tax, or accounting requirements).

Data processing retention period for establishing and administering customer relationship with KILROY is 36 months after the provision of the services or expiration of the product you have purchased (Interrail pass expiry, etc.) whichever comes last. When you decline a proposal that you have asked for, the personal data is stored for 12 months after the proposal expires.

We use your personal data for direct marketing purposes for 40 months after you have subscribed for newsletters or after a receival of your consent. Your personal data is also used for direct marketing purposes for 24 months after you have bought products or services at KILROY. Your data shall be deleted after we have received and executed your request to delete your personal data or you have unsubscribed from newsletters.

To comply with tax laws your personal data on invoice is stored for 5 years from the day of invoice.

The personal data for the purposes of administration of supplier and business partner relationships is stored for 3 years after the expiration of business relations.

KILROY processes personal data accordingly to the retention periods provided by the laws and regulations. The data retention periods are never prolonged unless it is based under specific law and regulation.

  1. Legal base for processing your personal data

KILROY essentially processes your information on the following grounds: (1) Your consent (ex. Direct marketing), (2) Entering into and fulfilling contractual agreements with KILROY (ex. Customer administration, Administration of supplier and business partner relationships), (3) Consideration for the legitimate interests of KILROY, as described above (ex. Fraud prevention, Direct marketing), (4) Fulfilment of legal duties that KILROY is required to meet (ex. Billing, Anti-money laundering prevention), (5) Protection of your or another physical individual’s vital interests (ex. Customer administration), (6) The processing is necessary, in order for a legal claim to be established, enforced or defended (Ex. Customer administration).

In addition, there may be situations where we treat your personal data for the sake of KILROY’s or third parties' legitimate interests with regard to the purposes described above, unless consideration for your interests is deemed more important (ex. Direct marketing, Customer administration).

  1. Sharing of Personal Data

KILROY only discloses data to the extent necessary for the issue of your Interrail pass and related services.

Physical Interrail passes are issued by the responsible employees using the Deutche Bahn booking system (global distribution system - GDS is an IT network system owned or operated by a company that allows transactions between the travel agency and service providers, as Deutche Bahn).

For Interrail pass issue purposes KILROY will pass your personal data (first name, last name, date of birth, passport number, country of residence, validity of IRP, age range of the traveler (in between 4-11, in between 12-28 in between 28-60, over 60), IRP price, IRP number, seat class) to DB Vertrieb GmbH, Stephensonstrave 1, 60326 Frankfurt (Main) Germany, Interrail passes booking system, in order to issue physical Interrail pass.

When you request for seat reservation assistance, KILROY will pass you personal data regarding preferred seat reservation to the preferred carrier (name, route (start and end destination), number of persons, departure date, departure time, comfort level - 1st or 2nd class,  night-train - comfort level: seat, berth (3, 2 or 1 bed).

When ordering a student, teacher or youth card KILROY passes personal data to ISIC Global Office BV, Keizersgracht 174, Amsterdam, 1016 DW The Netherlands. This is where ISIC Global Office BV stores cardholder data for all active student, teacher or youth cards globally. The purpose of the data provision is to prove student, teacher or youth card validity globally. The following data is provided: first name, surname, birth date, place of study, photo, place of work (applies only for ITIC), email address, address, C/O-address, card number.

Furthermore, KILROY may disclose your personal data to other suppliers and service providers as a part of normal operation of the company, e.g. in connection with external administration of our IT systems, analysis reports, marketing, debt collection, credit rating, audit, legal assistance, etc.

For further information regarding our suppliers’ and partners' processing and protection of your personal data, please refer to their privacy policies and terms of use.

KILROY strives to limit the disclosure of personal data in personally identifiable format to the maximum extent possible, thereby limiting the cases where information can lead back to you personally. 

KILROY does not disclose your personal data unless it is necessary to perform our business or meet your needs.

  1. International transfers of your personal data

Personal data is not transferred to countries outside the EU / EEA when booking an Interrail pass with us, unless your preferred carrier operates in the country outside the EU / EEA (Albania, etc.). 

Without the possibility of transferring your information to recipients outside the EU / EEA, KILROY will be unable to deliver certain seat reservations or Interrail passes. This applies if booking your trip requires that information is sent to recipients outside the EU/EEA, for example, to book Interrail pass that would be valid in third country outside EU or EEA.

Data protection legislation in these countries may be more lenient than it is in Denmark and in the rest of the EU/EEA, as in most cases there will be countries where the EU Commission has assessed that the data protection level is not at par with the data protection level within the EU/EEA.

In the event that it is practically possible for us, the transfer of your personal data will be based on the standard transfer contracts developed by the European Commission, which are specially prepared for this purpose. However, in certain cases it may not be practical for KILROY to enter into a standard transfer contract as a legal transfer basis. In such cases, the transfer of the information will be carried out pursuant to Article 49.1(b) of the Data Protection Regulation, as the transfer of your personal data to a certain country is necessary for the purpose of fulfilling the contract between you and KILROY (the booking of your Interrail pass) or for the purpose of executing your request of seat reservation.

It is therefore important that you are aware that transferring your personal data to countries outside the EU/EEA when booking an Interrail pass with KILROY means that your personal data will not enjoy the same protection as when subject to Danish or EU laws and regulations.

When transferring data there is a potential risk that there are no clear, precise and accessible laws and regulations in the country in question regarding access to personal data by the authorities of the country; that there are no laws and regulations that the access of a country's authorities to your information, must be necessary and proportionate; that the country does not have an independent and effective supervisory authority and that the country has no available and effective legal remedies for the registered.

If you do not wish that KILROY sends your personal data to recipients outside of the EU/EEA, please advise us at the latest when booking your Interrail pass or sending a request for seat reservation. 
KILROY does not, in any case, pass your personal data to recipients outside of the EU/EEA, unless this is necessary to carry out our business and meet your needs e.g. by delivering the requested service.

  1. Data integrity and security

Personal data will be stored no longer than necessary in order to fulfil the purpose for which they have been collected, unless the storage is required to comply with national legal requirements, including statutory storage periods in connection with bookkeeping, etc.

It is KILROY’s policy to protect personal data by taking adequate technical and organizational security measures. When your personal data is no longer needed, we will ensure that they are deleted in a safe manner.

  1. Your rights

You are entitled to access to any personal data we have registered and use, information on where it comes from and what we use it for. You can obtain information about how long we store your data, who receives data about you and to what extent we disclose data in Denmark and abroad. Your right of access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for our business and practices. Our know-how, business secrets as well as internal assessments and material may also be exempt from the right of access. 

In certain circumstances, you have the right to object to our processing your personal data. This is the case for example when the processing is based on our legitimate interests.

Objection to direct marketing. You have the right to object to our use of your personal data for direct marketing purposes, including profiling that is related to this purpose.

If the data is incorrect, incomplete or irrelevant, you are entitled to have the data corrected or erased with the restrictions that follow from existing legislation and rights to process data. These rights are known as the “right to rectification”, “right to erasure” or “right to be forgotten”. 

If you believe that the data we have registered about you is incorrect, or if you have objected to the use of the data, you may demand that we restrict the use of these data to storage. Use will be restricted to storage only until the correctness of the data can be established, or it can be checked whether our legitimate interests outweigh your interests.

If you are entitled to have the data we have registered about you erased, you may instead request us to restrict the use of these data to storage. If we need to use the data we have registered about you solely to assert a legal claim, you may also demand that other use of these data be restricted to storage. We may, however, be entitled to other use to assert a legal claim or if you have granted your consent to this.

You can withdraw your consent at any given time. Please note that if you withdraw your consent, we may not be able to offer you specific services or products. Note also that we will continue to use your personal data, for example, to fulfil an agreement we have made with you or if we are required to do so by law.

If we use data based on your consent or as a result of an agreement, and the data processing is automated, you have a right to receive a copy of the data you have provided in an electronic machine-readable format.

If you wish to claim one or more of your rights, please contact us at privacy@kilroy.dk. Your request will be processed in accordance with the data protection legislation currently in force.

 Complaint about the processing of your personal data by KILROY can be made to:

Denmark - Datatilsynet
Borgergade 28, 5. 1300 København K Denmark E-mail: dt@datatilsynet.dk  

  1. Updates

KILROY regularly evaluates and updates this privacy policy. Therefor please regularly check this privacy policy for any changes that may affect our processing of your personal data.

Updated 6 September 2019