Privacy Policy Eurolines

I. Opening Provisions

The data controller pursuant to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR”) is To Europe s.r.o., a company incorporated in the Commercial Register kept by the Municipal Court in Prague, Section C, Insert 109681, Company Identification No.: 27380335, with its registered office at Svážná 1158, 252 19 Rudná, Czech Republic (hereinafter the “Data Controller”).

Contact details of the Data Controller:

  • Postal address: Strojírenská 259/16, budova 22, 155 21 Praha 5, Zličín
  • E-mail:

1. Personal data shall mean any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as the first name, surname, contact details or an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. The data subject is a natural person to whom the personal data pertain and who is identifiable according to the personal data.

3. The Data Controller is a natural person or legal entity who/which determines the purposes and means of processing personal data and is primarily responsible for that processing.

4. The Data Processor is a natural person or legal entity who/which, on the basis of the Data Controller’s instructions, processes personal data for the Data Controller.

5. Processing shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

6. The purpose of this Privacy Policy is to provide information about what personal data the Data Controller processes about natural persons in the provision of services at branches and e-shops and on visits to To Europe websites and contacts with potential customers, for what purposes and for how long the Data Controller processes these personal data in accordance with applicable law, to whom and for what reason the personal data may be transmitted, and what rights natural persons have in relation to the processing of their personal data.

7. The Data Controller has not appointed any data protection officer.

II. Statutory Basis for Processing Personal Data

1. The statutory basis for the processing of personal data is

  • The performance of the contract between you and the Data Controller under Article 6(1)b) of the GDPR,
  • The legitimate interest of the Data Controller in providing direct marketing (in particular for sending commercial messages and newsletters) under Article 6(1)f) of the GDPR,
  • Your consent to processing for the purpose of providing direct marketing (in particular for sending commercial messages and newsletters) pursuant to Article 6(1)a) of the GDPR in conjunction with Section 7(2) of Act No. 480/2004 Coll., on Certain Information Society Services, in case there is no order of goods or services.

2. The Data Controller is not involved in automated individual decision-making within the meaning of Article 22 of the GDPR.

III. Purpose of Processing, Categories, Sources and Recipients of Personal Data

| Statutory reason | Purpose of processing | Categories of personal data | Source of data | Recipients of personal data (data processors) |
| --- | --- | --- | --- | --- |
| Performance of the contract | Order processing - bookings, issuing and sending tickets, accepting for transportation, providing other services (insurance), complaints related to services | Personal data of clients - including all persons under the order (first name, surname, e-mail address, telephone number), ticket number, bank details (only in the case of complaints and damages) | E-mail communication, order information, contact form | Subcontractors - insurance: ERV travel insurance company (processing of personal data), execution of payments: GPWebpay (Security), mailing services, web hosting company |
| Legitimate interest | Providing direct marketing (in particular for sending commercial messages and newsletters) | First name, surname, contact details (e-mail, address, telephone number or other information you provide) | Order information | Mailing services, e-mail distribution services (Mailchimp), subcontractors |
| | Marketing and website promotion | First name, surname, e-mail, IP addresses and other technical identifiers | Newsletter form, cookies (if cookies are allowed in the web browser) | Web hosting company, subcontractors, e-mail distribution services (Mailchimp) |

1. We process only the information we absolutely need to fulfil the contract (i.e. booking, ordering, issuing and sending tickets, as well as accepting for transportation or providing other services) or a legitimate interest, or information that you provide to us with your consent beyond the scope of the necessary processing. As part of the payment processing, your data may be communicated to the payment service provider. The credit card number or other bank details are not stored with the Data Controller but are transferred directly to the payment service provider.

2. In some cases, we need to share your personal data with third parties - such as bus partners, only in cases where they are actively involved in your transportation. The necessary information is passed between individual bus carriers through global and local reservation and distribution systems.

3. In certain cases, we are obliged to provide your personal data to state authorities, both in the Czech Republic and, in particular, to those ensuring border control or security at the destinations. We provide your personal data to such authorities on the basis of a statutory obligation, otherwise you may not be accepted for transportation or allowed to enter the particular country. If an emergency occurs during the journey, we are obliged to report the situation to the relevant state administration authorities in certain cases.

4. Details of cookies and other tracking technologies can be found here.

5. In fulfilling its commitments and contractual obligations, the Data Controller uses expert and specialised services of other entities. Where such subcontractors process personal data transmitted by the Data Controller, they are in the position of data processors, shall process personal data only as directed by the Data Controller, and may not use them otherwise. These subcontracted services include: IT systems management, Internet advertising, marketing services, execution of payments and sales representatives. Each such entity is carefully selected and a personal data processing agreement is concluded with each such entity under which the data processor has strict obligations to protect and safeguard personal data.

6. Data processing usually occurs in the Czech Republic or in the European Union Member States. If data processing in third countries is planned in certain cases, it will only occur if the European Commission has established the appropriate level of protection of personal data in that third country under Article 45 of the General Data Protection Regulation or on the basis of standard EU contractual clauses. The recipients of personal data in third countries are providers of mailing services, cloud services and analytical tools.

7. Google (Ads Data Processing Terms)

8. Google Adwords - we use Google Inc. technology to optimise our web offer and for product recommendations. 

9. Google Analytics - this website uses Google Analytics, a web analysis service by Google Inc.

10. Mailchimp - we use the Mailchimp service to send newsletters.

11. Social add-ons - this website uses so-called social plugins: Facebook Inc., Twitter and Instagram Inc. These plugins can be found on our product pages and are deactivated by default.

IV. Data Retention Period

1. The Data Controller retains personal data

  • For the period necessary to exercise the rights and perform the obligations arising from the contractual relationship between you and the Data Controller and for the exercise of claims under these contractual relationships (for a period of 10 years from the termination of the contractual relationship), or 10 years after the end of the tax period in which the transaction occurred. The aforesaid period of processing follows from Act No. 89/2012 Coll., the Civil Code, as amended, or from Act No. 235/2004 Coll., on Value Added Tax, as amended. The reason for such processing is the statutory obligation or a legitimate interest of the Data Controller.
  • Until the consent to the processing of personal data for marketing purposes is revoked, for a maximum of 10 years if personal data are processed under a consent.

2. Upon the lapse of the retention period, the Data Controller shall erase the personal data.

3. If you contact our customer service centre or in the case of normal communication with us, we will erase your personal data much earlier than in the above-mentioned time limits. We will retain your personal data for as long as necessary to fulfil the purposes of our Privacy Policy or to comply with statutory obligations.

V. Your Rights

1. Under the conditions set out in the GDPR, you shall have

  • The right to access your personal data pursuant to Article 15 of the GDPR,
  • The right to rectify your personal data pursuant to Article 16 of the GDPR or to restrict processing pursuant to Article 18 of the GDPR,
  • The right to erase your personal data pursuant to Article 17 of the GDPR,
  • The right to object to processing pursuant to Article 21 of the GDPR,
  • The right to data portability pursuant to Article 20 of the GDPR, and
  • The right to withdraw your consent to processing in writing or electronically using the address or e-mail of the Data Controller specified in Article I of this Privacy Policy.

2. We are always committed to providing data subjects with information on what personal data we process, or to performing a rectification of such personal data. You may submit your request in writing or electronically to the address or e-mail of the Data Controller specified in Article I of this Privacy Policy. Please note that if we are not able to verify your identity electronically or if we have reasonable doubt about your identity, we will ask you to present your identity card at the registered office of the Data Controller. Only then can we ensure that we will not provide your personal data to a person who is impersonating you. We will process your requests in the shortest time possible. Depending on the complexity and extent of the request, it may take several weeks for it to be handled. In some cases, we cannot rectify your personal data. These include, for example, cases where your incorrect or outdated personal data (such as your family surname) are contained in a tax document that we archive under the law.

3. You shall also have the right to file a complaint with the Office for Personal Data Protection if you believe that your privacy has been violated.

VI. Personal Data Security Conditions

1. The Data Controller declares that it has taken all reasonable technical and organisational measures to safeguard personal data that will protect your personal data from unauthorised or unlawful processing and from unintentional loss, destruction or damage.

2. The Data Controller has taken technical and organisational measures to secure data warehouses and personal data repositories in printed form.

3. The Data Controller declares that personal data can only be accessed by persons authorised by the Data Controller.

VII. Final Provisions

1. By sending an order from the online order form, you acknowledge that you are familiar with the Privacy Policy and that you accept it in its entirety.

2. You give your consent to this Privacy Policy by ticking your consent via the online form. By ticking your consent, you acknowledge that you are familiar with the Privacy Policy and that you accept it in its entirety.

3. The Data Controller is entitled to change this Privacy Policy. The new version of the Privacy Policy will be published on its website.

This Privacy Policy shall enter into effect as of 25 May 2018.