Privacy Policy of Gornergrat Bahn AG
Table of contents
1. Responsible entity and content of this Privacy Policy
2. Public transport companies’ customer promise
3. Contact person for data protection
4. Data processing during phone & e-mail contact
5. Data processing during WhatsApp contact
6. Data processing when registering for a user account
7. Data processing when using the website as a registered user
8. Data processing when using our web shop
8.1 Data processing when purchasing vouchers
9. Data processing when using the online Photopoint Station and ordering your personalised video
10. Data processing during payment processing
11. Data processing during e-mail marketing
12. Data processing during use of our WiFi network
13. Data processing by video cameras
14. Background data processing on our website
14.1 Data processing when visiting our website (log file data)
14.2 Cookies
14.3 Tracking and web analysis tools
14.4 Online advertising and targeting
15. Embedding videos
16. Social media profiles
17. Data Storage Location
18. Centralised data storage and analysis
19. Disclosure to third parties and transfer abroad
19.1 Shared responsibility in public transport
19.2 Disclosure to third parties and access by third parties
19.3 Transfer of personal data abroad
19.4 Information on data transfers to the USA
20. Retention periods
21. Data security
22. Your rights
1. Responsible entity and content of this Privacy Policy
We, Gornergrat Bahn AG, Bahnhofplatz 9, 3920 Zermatt, CHE-104.075.581, are the operator of the website www.gornergrat.ch (website) and, unless otherwise stated in this Privacy Policy, are responsible for the data processing listed in this Privacy Policy.
We are a company belonging to BVZ Holding. The individual Group companies use the data pursuant to their internal group guidelines. If you contact the individual Group companies and use other BVZ Holding websites, the respective Group companies are solely responsible for the collection, processing and use of your personal data and for data processing in compliance with the law pursuant to the current privacy policy of the respective Group company, unless otherwise stated in this Privacy Policy.
Your trust is important to us. That is why we take the issue of data protection seriously and ensure appropriate security. Consequently, we consider it a matter of course to comply with the legal requirements of the Swiss Federal Act on Data Protection (FADP), the Ordinance on Data Protection (Data Protection Ordinance, DPO), the Telecommunications Act (TCA) and the European General Data Protection Regulation (GDPR), the provisions of which may be applicable in individual cases.
Please take note of the following information so that you know what personal data we collect from you and for what purposes we use it. Please also note that the following information is reviewed and amended from time to time. We therefore recommend that you consult this Privacy Policy on a regular basis. Furthermore, other companies are responsible or jointly responsible with us under data protection law for the individual data processing operations listed below, so that in these cases the information provided by these providers is also authoritative.
2. Public transport companies’ customer promise
Public transport companies handle your data confidentially. The protection of your personality and your privacy is an important concern for us, the public transport companies. We guarantee that your personal data will be processed pursuant to the applicable provisions of data protection law. To summarise, we process personal data exclusively in accordance with the following principles:
You yourself decide on the processing of your personal data. Within the legal framework, you can refuse data processing or withdraw your consent or have your data deleted at any time. You always have the option of travelling anonymously, i.e. without your personal data being collected.
We offer you added value when processing your data. We use your data exclusively in the context of providing our services and to offer you added value (e.g. customised offers, information and support). We therefore only use your data for the development, provision, optimisation and evaluation of our services or to maintain the customer relationship.
Your data will not be sold. Your data will only be disclosed to selected third parties listed in this Privacy Policy and only for the purposes explicitly stated. If we commission third parties to process data, they are obliged to comply with our data protection standards.
We guarantee the security and protection of your data. We guarantee careful handling of your data as well as its security and protection. We take the necessary organisational and technical precautions to ensure this.
Below you will find detailed information on how we handle your data.
3. Contact person for data protection
If you have any questions about data protection or would like to exercise your rights, please contact our data protection officer by sending an e-mail to the following address: datenschutz@gornergrat.ch
You can reach our EU data protection representative at:
MLL EU-GDPR GmbH, Ganghoferstrasse 33, DE-80339 Munich, gornergratbahn@mll-gdpr.com
4. Data processing during phone & e-mail contact
If you contact us by phone or e-mail, your personal data will be processed. The data you provide us with, such as your name, e-mail address or phone number and your enquiry, will be processed. In addition, the time of receipt of the enquiry is documented. We process this data in order to fulfil your request (e.g. providing information about our products and services, assisting with contract processing, incorporating your feedback into the improvement of our products and services, etc.).
5. Data processing during WhatsApp contact
We offer you the option of contacting us via the WhatsApp messaging service provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Meta). When using WhatsApp, personal data is processed. In addition to your phone number, we process the data that you provide to us, such as your name and your request. In addition, the time of receipt of the enquiry is documented. We process this data in order to fulfil your request (e.g. providing information about our products and services, assisting with contract processing, incorporating your feedback into the improvement of our products and services, etc.).
The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the use of the services of third-party providers and in the implementation of your request or, if your request is aimed at the conclusion or execution of a contract, the necessity for the implementation of the required contractual measures within the meaning of Art. 6 para. 1 lit. b GDPR.
When you use WhatsApp, your data is stored in a Meta database. The data processed by Meta may include, in particular, your phone number, message content, device information and location information. Meta is responsible for the data processing carried out by Meta and must ensure compliance with data protection laws in connection with this data processing. Information on the processing of data by third parties and any transfer abroad can be found in section 18 of this Privacy Policy. Further information about data processing by Meta can be found here.
6. Data processing when registering for a user account
We collect the following data when you open a user account on our website:
Personal details:
First name and last name
Date of birth
Gender
Billing and delivery address
Login data:
E-mail address
Password
We use your personal details to establish your identity and to check the requirements for registration. The e-mail address and password together serve as login data and thus to ensure that the correct person is using the website with your details. We also need your e-mail address for future communication with you, which is required for contract fulfilment. Furthermore, this data is stored in the customer account for future contract conclusions. For this purpose, we also allow you to store further details in the account (e.g. billing and delivery address).
In addition, we use the data to provide an overview of the orders placed and services purchased (cf. in particular section 17) and a simple way to manage your personal data, to administer our website and the contractual relationships, i.e. to establish, organise the content of, process and amend the contracts concluded with you via your customer account (e.g. in connection with your order with us).
The legal basis for processing your data for the aforementioned purpose is your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future by removing your information from the customer account or deleting your customer account or having it deleted by sending us a message.
To avoid misuse, you should always treat login data confidentially and log out after each session and delete the browser history, especially if you share the end device with others.
7. Data processing when using the website as a registered user
During the use of the website by registered users who are logged in (cf. section 6), we collect data for statistical reasons and to enable the website to function properly. In particular, the following data is collected:
the type, frequency and intensity of use of the website
the duration of your membership
the orders placed
the composition of the shopping basket
We use cookies to recognise you as a registered user when you use the website after logging in. Please also note the information in section 14.2.
The legal basis for processing your data for this purpose is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future by deleting your customer account or having it deleted by sending us a message.
8. Data processing when using our web shop
You have the option of ordering products or booking services on our website (e.g. train tickets, vouchers or leisure activities). You can place orders and bookings as a guest or as a registered user (cf. section 7). We require various data from you to process the contract. Depending on the product or service, we collect the following data:
Your last name and first name and those of any other service recipients
Postal address (street, house number, postal code, town, country)
E-mail address
Information in the context of payment
Date of birth
Phone number
Existing tickets/subscriptions (e.g. half-fare card, Keycard)
SwissPass ID
In order to process the contractual relationship, we also collect data regarding the services you have purchased (service data). Depending on the product or service, this includes the following information:
Type of product or service purchased
Price
Date and time of purchase
Time of service provision (e.g. date of event or trip or period of validity)
Place of departure and destination
We use your personal details to establish your identity before concluding a contract. We need your e-mail address to confirm your order and for future communication with you that is required to fulfil the contract. We store your data together with the order details (e.g. time, order number, etc.), the data regarding the services ordered (e.g. description, price and features of the product; product data), the payment data (e.g. payment method selected, confirmation of payment and time; cf. section 10) as well as information on the processing and fulfilment of the contract (e.g. return of products, use of service or warranty services, etc.) so that we can ensure correct order processing and contract fulfilment. The legal basis for this data processing is the fulfilment of a contract with you pursuant to Art. 6 para. 1 lit. b GDPR.
Insofar as this is necessary for the fulfilment of the contract, we will also pass this information on to the respective third-party service providers (e.g. transport companies such as SBB), restaurants or an insurance company (when booking travel cancellation insurance). Information on the processing of data by third parties and any transfer abroad can be found in section 18 of this Privacy Policy. The legal basis for this processing is the fulfilment of a contract pursuant to Art. 6 para. 1 lit. b GDPR.
Data generated when purchasing public transport services is stored in a central database (cf. section 17) and also processed for other purposes, including marketing purposes (cf. section 11). In addition, the data is used as part of ticket control to identify the holder of a personalised ticket and to prevent misuse. The data is also used to provide our service-après-vente to identify and support you in the event of concerns or difficulties and to process any claims for compensation. Finally, the data is used to distribute the revenue generated by the purchase of tickets fairly among the companies and associations of direct transport. Information on the processing of data by third parties can be found in section 18.2 of this Privacy Policy. Our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR forms the legal basis for this data processing.
The provision of data that is not labelled as mandatory is voluntary. We process this data to tailor our products and services to your personal needs in the best possible way, to facilitate the processing of contracts, to contact you via an alternative communication channel if required to fulfil the contract or for statistical recording and evaluation to optimise our products and services. The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future by sending us a message.
If you purchase services after opening a customer account or using your login data for the customer account, we will store your data in the customer account (cf. sections 6 and 7). The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR.
For the provision of the web shop, we use an online sales solution from Alturos Destinations GmbH, Lakeside B03, 9020 Klagenfurt am Wörthersee, Austria (Alturos). Therefore, your data is stored in Alturos' database, which may allow Alturos to access your data if this is required for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 18 of this Privacy Policy. The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in using the services of third-party providers.
Alturos may wish to use some of this data for its own purposes (e.g. to send marketing e-mails or for statistical analyses). Alturos is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. You can find information about data processing by Alturos here.
In addition, certain functional aspects of our website (e.g. pop-ups) require that a cookie (cf. section 14.2) is set by our service provider Powr, Inc, 44 Tehama St, San Francisco, 94105 California, USA (POWR). Information on the processing of data by third parties and any transfer abroad can be found in section 18 of this Privacy Policy. The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in using the services of third-party providers. You can find more information about data processing in connection with POWR here.
8.1 Data processing when purchasing vouchers
You have the option of ordering tickets and vouchers on our websites. We collect the following data for this purpose, whereby mandatory information is marked with an asterisk (*) during the ordering process:
Salutation
First name
Last name
Company
Address
Country
Phone
E-mail address
Voucher for
Voucher from
Dedication
We use your personal details to verify your identity before concluding a contract. We require your e-mail address to confirm your order, to send you the voucher, receipt and invoice in digital form and for future communication with you that is necessary to fulfil the contract. The legal basis for this data processing is the fulfilment of a contract with you pursuant to Art. 6 para. 1 lit. b GDPR.
The provision of data that is not labelled as mandatory is voluntary. We process this data in order to tailor our offer to your personal needs in the best possible way, to facilitate the processing of contracts, to contact you via an alternative communication channel if required with regard to the fulfilment of the contract or for statistical recording and evaluation to optimise our offers. The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time by sending us a message.
We use a software application by Idea Creation GmbH, Walchestrasse 15, 8006 Zurich, Switzerland (E-GUMA) to provide the online shop. To purchase the vouchers, you will be redirected to the E-GUMA website. Therefore, your data will be stored in an E-GUMA database, which may allow E-GUMA to access your data if this is required for the provision of the software and for support in using the software. Information on the processing of data by third parties and any transfer abroad can be found in section 18 of this privacy policy. The legal basis for this data processing is the fulfilment of a contract with you pursuant to Art. 6 para. 1 lit. b GDPR.
E-GUMA may wish to use some of this data for its own purposes (e.g. to send marketing e-mails or for statistical analyses). E-GUMA is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. You can find information about data processing by E-GUMA here.
9. Data processing when using the online Photopoint Station and ordering your personalised video
You can take a photo at the Photopoint at the Gornergrat mountain station, which will then be integrated into the personalised video of your ride on the Gornergratbahn. To take a photo, you need to scan your Skidata ticket or SwissPass at the Photopoint. Only the respective ticket number will be recorded for further processing. No other information is processed when the photo is taken. The respective number is linked to your photo. However, it will not be assigned to you by name. You can then order and download a personalised video of your ride on the Gornergratbahn on our website. The photo taken at the Photopoint will also be processed for this purpose. We require the following mandatory information from you:
Travelling date
SwissPass number or ski pass holder number
E-mail address
First name and last name
Country of origin
The processing of your data (creation of a personalised video) is carried out by Alturos Destinations GmbH, Lakeside B03, 9020 Klagenfurt, Austria (Alturos). Your data is therefore stored in an Alturos database, which enables Alturos to access your data if this is required for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 18 of this Privacy Policy. The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in using the services of third-party providers.
Alturos may wish to use some of this data for its own purposes (e.g. to send marketing e-mails or for statistical analyses). Alturos is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. You can find information about data processing by Alturos here.
10. Data processing during payment processing
The processing of personal data is required if you purchase products, services or vouchers in our online shop or at a counter of a public transport company using electronic means of payment.
By using the payment terminals, you transmit the information stored in your means of payment, such as the name of the cardholder and the card number, to the payment service providers involved (e.g. payment solution providers, credit card issuers and credit card acquirers). They also receive the information that the payment method was used at our point of sale, as well as the amount and the time of the transaction. Conversely, we only receive the credit of the amount of the payment made at the relevant time, which we can assign to the relevant receipt number, or the information that the transaction was not possible or was cancelled. If you purchase products, services or vouchers in our web shop for a fee, you may be required to provide additional data, such as your credit card information or the login for your payment service provider, depending on the service and the desired payment method. This information and the fact that you have purchased a service from us at the relevant amount and time will be forwarded to the respective payment service providers (e.g. providers of payment solutions, credit card issuers and credit card acquirers). The legal basis for our data processing is the fulfilment of a contract pursuant to Art. 6 para. 1 lit. b GDPR.
With wallet payment solutions (Twint, Apple Pay, PayPal, SwissPass), your card details are securely stored in the wallet beforehand. If you decide to pay with a wallet solution, you generally no longer need to enter any payment card information. Only the data required for authorisation and transaction processing is transferred via the wallet. Always pay attention to the information provided by the respective company, in particular the privacy policy and general terms and conditions.
11. Data processing during e-mail marketing
If you register for our marketing e-mails (e.g. when you open a customer account or when you order a product or service), the following data will be collected:
E-mail address
Salutation
First name and last name
To prevent misuse and to ensure that the owner of an e-mail address has actually given their consent to receive marketing e-mails, we use the so-called double opt-in for registration. After submitting your registration, you will receive an e-mail from us with a confirmation link. You must click on this link to definitively register for the marketing e-mails. If you do not confirm your e-mail address using the confirmation link within the specified period, your data will be deleted and our marketing e-mails will not be sent to this address.
By registering, you give us your consent to process this data for the purpose of sending you communications about our company, our tourism and transport offers and related products and services (such as hotel accommodation) from us, the companies in which BVZ Holding holds an interest and selected partner companies, such as service providers in municipalities in our route network. This may also include requests to participate in surveys (market research) or competitions or to rate one of the services/products or companies mentioned. The collection of the e-mail address also allows us to assign the registration to any existing customer account and thereby personalise the content of the marketing e-mails. The link to a customer account allows us to make the offers and content contained in the marketing e-mails more relevant to you and better tailored to your potential needs.
Your consent constitutes the legal basis for the processing of data within the meaning of Art. 6 para. 1 lit. a GDPR. We will use your data to send you marketing e-mails until you withdraw your consent. Withdrawal is possible at any time, in particular via the unsubscribe link contained in all marketing e-mails.
Our marketing e-mails may contain a so-called web beacon, 1x1 pixel (tracking pixel) or similar technical aids. A web beacon is an invisible graphic that is linked to the user ID of the respective subscriber. For each marketing e-mail sent, we receive information on which e-mail addresses it was successfully sent to, which e-mail addresses have not yet received the marketing e-mail and which e-mail addresses failed to receive it. We also see which e-mail addresses have opened the marketing e-mail, for how long and which links have been clicked. Finally, we also receive information about which subscribers have unsubscribed from the mailing list. We use this data for statistical purposes and to optimise the marketing e-mails in terms of frequency and time of sending as well as the structure and content of the marketing e-mails. This enables us to better tailor the information and offers in our marketing e-mails to the individual interests of the recipients.
By subscribing to the marketing e-mails, you also consent to the statistical analysis of user behaviour for the purpose of optimising and adapting the marketing e-mails. This consent constitutes our legal basis for processing the data within the meaning of Art. 6 para. 1 lit. a GDPR. The web beacon is deleted when you delete the marketing e-mail. You can prevent the use of web beacons in our marketing e-mails and thus revoke your consent by setting the parameters of your e-mail programme so that HTML is not displayed in messages. You can find information on how to configure this setting in the help section of your e-mail software application, e.g. here for Microsoft Outlook.
For the provision of marketing e-mails, we use a software application from Alturos Destinations GmbH, Lakeside B03, 9020 Klagenfurt, Austria (Alturos). Your data is stored in a database of BRAZE Ltd, Exchange House 10th Floor, 12 Primrose Street, London, England, EC2A 2EG (BRAZE). Therefore, Alturos and BRAZE may have access to your data if this is necessary for the provision of the software and for support in the use of the software.
Alturos and BRAZE may wish to use some of this data for their own purposes (e.g. to send marketing e-mails or for statistical analyses). Alturos and BRAZE are responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. Information about data processing by Alturos and BRAZE can be found under the following links:
Information on the processing of data by third parties and any transfer abroad can be found in section 18 of this Privacy Policy. Your consent constitutes the legal basis for the processing of data within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future.
In certain cases, contact can also be made by SBB or another company involved in direct transport under strict conditions. Please refer to the information in section 18.1. You can refuse to be contacted by SBB (e.g. in connection with your GA or half-fare card) or by other public transport companies at any time. The following options are available to you:
Every e-mail you receive from public transport companies contains an unsubscribe link that you can click to unsubscribe from further messages.
If you have a SwissPass login, you can log in to SwissPass and manage your settings for receiving messages in your user account at any time.
You can also deregister at any counter of a public transport company.
12. Data processing during use of our WiFi network
Together with the public limited company Matterhorn Gotthard, we provide our customers free access to the internet via a WiFi network at selected locations for a fixed period of use within the scope of technical, operational and economic possibilities. To a certain extent, we are therefore deemed to be jointly responsible with the public limited company Matterhorn Gotthard Bahn for data processing in the context of providing the WiFi network.
Prior registration is required to prevent misuse and to punish unlawful behaviour. In doing so, you transmit the following data to us:
Mobile phone number
MAC address of the end device (automatic)
End device used (operating system, device type and manufacturer)
IP address of the end device
User browser
In addition to the above data, data on the time and date of use and data on the train station area visited are transmitted each time the WiFi network is used. The legal basis for this processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future.
For the provision of our WiFi network, we work together with onway (schweiz) ag, Stauffacherstrasse 16, 8004 Zurich, Switzerland (onway). Therefore, your data may be stored in an onway database, which may allow onway to access your data if this is necessary for the provision of the software and for support in the use of the software. Information about the processing of data by third parties can be found in section 18 of this Privacy Policy. You can find more information about data processing by onway here.
onway must comply with the legal obligations of the Federal Act on the Surveillance of Post and Telecommunications (SPTA) and the associated ordinance. If the legal requirements are met, the operator of the WiFi network must monitor the use of the internet and data traffic on behalf of the competent authority. The operator of the WiFi network may also be obliged to disclose the customer's contact, usage and marginal data to the authorised authorities. The contact, usage and peripheral data in connection with your person will be stored for 6 months and then deleted.
The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the provision of a WiFi network in compliance with the applicable legal regulations.
13. Data processing by video cameras
To protect our customers and employees as well as our property and to prevent and punish unlawful behaviour (in particular theft and damage to property), the entrance area and the publicly accessible areas of our facilities, with the exception of the sanitary facilities, may be monitored by cameras. The image data will only be viewed if there is a suspicion of unlawful behaviour. Otherwise, the images are automatically deleted after 72 hours.
For the provision of the video surveillance system, we rely on the service provider Annax Schweiz AG, Zentweg 9, 3006 Bern, Switzerland (Annax). Annax has access to the data insofar as this is necessary for the provision of the system. If the suspicion of unlawful behaviour is substantiated, the data may be passed on to the extent necessary for the enforcement of claims or for the filing of a complaint to consulting firms (in particular to a law firm) and authorities. Information on the processing of data by third parties and any transfer abroad can be found in section 18 of this Privacy Policy. Further information about data processing in connection with Annax can be found here. The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in using the services of third-party providers.
14. Background data processing on our website
14.1 Data processing when visiting our website (log file data)
When you visit our website, the web servers temporarily store every access in a log file. The following data is recorded without any action on your part and stored by us until it is automatically deleted:
IP address of the requesting computer;
Date and time of access;
Name and URL of the retrieved file;
Website from which the access was made, if applicable with the search term used;
Your computer's operating system and the browser you are using (incl. type, version and language setting);
Device type in the event of access by mobile phones;
City or region from which the access was made; and
Name of your internet access provider.
This data is collected and processed for the purpose of enabling the use of our website (connection establishment), ensuring system security and stability in the long term and enabling error and performance analysis and optimisation of our website (cf. section 14.3, which also pertains to the last points).
In the event of an attack on the network infrastructure of the website or in the event of suspicion of other unauthorised or improper use of the website, the IP address and other data will be evaluated for clarification and defence purposes and, if necessary, used to identify the user concerned in the context of civil or criminal proceedings.
The purposes described above constitute our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR and thus the legal basis for data processing.
For the operation of our website we use the services of our hosting provider iWay AG, Badenerstrasse 569, 8048 Zurich, Switzerland (iWay). Your data is therefore stored in an iWay database, which enables iWay to access your data if this is necessary for the provision of the software and for support in the use of the software. The website is hosted on servers in Switzerland. Information on the processing of data by third parties can be found in section 18.2 of this Privacy Policy. The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in using the services of third-party providers.
iWay may wish to use some of this data for its own purposes (e.g. for statistical analyses for product optimisation). iWay is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. You can find more information about data processing in connection with iWay here.
Finally, when you visit our website, we use cookies as well as applications and tools that are based on the use of cookies. The data described here may also be processed in this context. You will find more detailed information on this in the following sections of this Privacy Policy, in particular the following section 14.2.
14.2 Cookies
Cookies are information files that your web browser stores on your computer's hard drive or memory when you visit our website. Cookies are assigned identification numbers that identify your browser and allow the information contained in the cookie to be read.
Cookies help, among other things, to make your visit to our website easier, more pleasant and more meaningful. We use cookies for various purposes that are required for your desired use of the website, i.e. that are "technically necessary". For example, we use cookies to identify you as a registered user after you have logged in without you having to log in again each time you navigate through the various subpages. The provision of website elements such as the order function is also based on the use of cookies, which temporarily store your entries when you fill out a form on the website so that you do not have to repeat the entry when you call up another subpage. Cookies also perform other technical functions required for the operation of the website, such as load balancing, i.e. the distribution of the performance load of the site to different web servers in order to reduce the load on the servers. Cookies are also used for security purposes, e.g. to prevent the unauthorised posting of content. Finally, we also use cookies as part of the design and programming of our website, e.g. to enable the uploading of scripts or codes.
The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the provision of a user-friendly and up-to-date website.
Most internet browsers accept cookies automatically. However, when you access our website, we ask for your consent to the cookies we use that are not technically necessary, especially when using third-party cookies for marketing purposes. You can make your desired settings using the corresponding buttons in the cookie banner. Details on the services and data processing associated with the individual cookies can be found within the cookie banner and in the following sections of this Privacy Policy.
We use the service Cookiebot by Usercentrics, Sendlinger Strasse 7, 80331 Munich, Germany (Cookiebot) to control all cookies on the website and to manage consent to them. Cookiebot is responsible for the data processing carried out by Cookiebot and must ensure compliance with data protection laws in connection with this data processing. Information on the processing of data by third parties and any transfer abroad can be found in section 18 of this Privacy Policy. Further information about data processing by Cookiebot can be found here.
You may also be able to configure your browser so that no cookies are stored on your computer or so that a message always appears when you receive a new cookie. You can use the links below to find out how you can configure the processing of cookies in selected browsers.
If you deactivate cookies, you may not be able to use all the functions of our website.
14.3 Tracking and web analysis tools
General information about tracking
We use the web analysis services listed below for the purpose of designing and continuously optimising our website in line with requirements. In this context, pseudonymised user profiles are created and cookies are used (please also refer to section 14.2). The information generated by the cookie about your use of this website is generally transferred together with the data specified in section 14.1 to a server of the service provider, where it is stored and processed. This may also result in a transfer to servers abroad, e.g. the USA (cf., in particular, the lack of an adequate level of data protection and the guarantees provided, section 18.3 and 18.4).
By processing the data, we obtain the following information, among others:
Navigation path followed by a visitor on the site (incl. content viewed and products selected or purchased or services booked);
Time spent on the website or subpage;
Subpage on which the website is left;
Country, region or city from where access is made;
End device (type, version, colour depth, resolution, width and height of the browser window); and
Returning or new visitor.
The provider will use this information on our behalf to analyse the use of the website, in particular to compile reports on website activity and to provide other services relating to website activity and internet usage for the purposes of market research and the needs-based design of these websites. For these processing operations, we and the providers can be regarded as joint responsible entities under data protection law to a certain extent.
The legal basis for this data processing with the following services is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. Some of the data processing may also be assessed as profiling (with or without high risk), to which your consent also extends. You can withdraw your consent or object to processing at any time by rejecting or switching off the relevant cookies in your web browser settings (cf. section 14.2) or by making use of the service-specific options described below.
For the further processing of the data by the respective provider as the (sole) responsible entity under data protection law, in particular any disclosure of this information to third parties, e.g. to authorities due to national legal regulations, please refer to the respective data protection information of the provider.
Google Analytics
We use the web analysis service Google Analytics by Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).
In deviation from the description in section 14.3.1, IP addresses are not logged or stored in Google Analytics (in the "Google Analytics 4" version used here). In the case of access originating from the EU, IP address data is only used to derive location data and then deleted immediately. When collecting measurement data in Google Analytics, all IP lookups are carried out on EU-based servers before the traffic is forwarded to Analytics servers for processing. Google Analytics uses regional data centres. When a connection is established to the nearest available Google data centre, the measurement data is sent to Analytics via an encrypted HTTPS connection. In these centres, the data is further encrypted before it is forwarded to the Analytics processing servers and made available on the platform. The most suitable local data centre is determined based on the IP addresses. This may also result in data being transferred to servers abroad, e.g. in the USA (cf., in particular, the lack of an adequate level of data protection and the guarantees provided, section 18.3 and 18.4).
We also use the technical extension "Google Signals", which enables cross-device tracking. This means that an individual website visitor can be assigned to different end devices. However, this only happens if the visitor has logged into a Google service when visiting the website and has also activated the "personalised advertising" option in their Google account settings. Even then, however, no personal data or user profiles are made available to us. If you do not wish to use "Google Signals", you can deactivate the "personalised advertising" option in your Google account settings.
Users can prevent Google from collecting the data generated by the cookie and relating to the use of the website by the user concerned (including the IP address) and from processing this data by Google and revoke their consent by rejecting or switching off the relevant cookies in the cookie banner or in the settings of their web browser (cf. section 14.2) or by downloading and installing the browser add-on available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en. For the further processing of data by Google, please refer to Google's Privacy Policy: https://policies.google.com/privacy?hl=en&gl=en.
Fusedeck
We use the web analysis service Fusedeck by Capture Media AG, Löwenstrasse 3, 8001 Zurich, Switzerland (Fusedeck). The data described regarding the use of the website for the processing purposes explained (cf. section 14.3.1) may be transmitted to Fusedeck's servers in the EU. All data collected by Fusedeck will not be shared with third parties and Fusedeck will not use the tracking data collected for its own purposes.
Fusedeck enables tracking in three ways: classic full cookie tracking, cookie-less user tracking or cookie-less session tracking. With full cookie tracking, an identifier is persistently written to the user's device to uniquely recognise the device and user (cf. section 14.2). With cookie-less user tracking and cookie-less session tracking, you as a user are not tracked individually and only anonymised data is used. Further information on data processing by Fusedeck can be found in the Fusedeck Privacy Policy: https://fusedeck.com/en/privacy-policy/
14.4 Online advertising and targeting
In general
We use the services of various companies to provide you with interesting online offers. Your user behaviour on our website and the websites of other providers is analysed so that we can then display online advertising tailored to you.
Most technologies for tracking your user behaviour (tracking) and for the targeted display of advertising (targeting) use cookies (cf. section 14.2) or similar technologies and unique identifiers (e.g. advertising ID) with which your browser can be recognised via various websites. Depending on the service provider, it may also be possible for you to be recognised online even when using different end devices (e.g. laptop and smartphone). This may be the case, for example, if you have registered with a service that you use on several devices.
For these purposes, the data collected when websites are accessed (log file data, cf. section 14.1) and the use of cookies (section 14.2) may be passed on to the companies involved in the advertising networks and processed further by them. This also results in the data being disclosed to potentially all countries worldwide (cf., in particular, the lack of an adequate level of data protection and the guarantees provided, section 18.3 and 18.4). In addition, the following data in particular is used to select the advertising that is potentially most relevant to you:
Information about you that you provided when registering or using a service from advertising partners (e.g. your gender, age group); and
User behaviour (e.g. search queries, interactions with advertising, types of websites visited, products or services viewed and purchased, newsletters subscribed to).
We and our service providers use this data to recognise whether you belong to the target group we are addressing and take this into account when selecting advertisements. For example, after you have visited our site, you may be shown adverts for the products or services you have consulted when you visit other sites (re-targeting). Depending on the scope of the data, a user profile may also be created, which is evaluated automatically, i.e. with so-called profiling, whereby the ads are selected according to the information stored in the profile, such as membership of certain demographic segments or potential interests or behaviours. Such adverts can be displayed to you on various channels, which, in addition to our website as part of on-site marketing, also include adverts that are placed via the online advertising networks we use, such as Google.
The data may then be analysed for the purpose of billing the service provider and to assess the effectiveness of advertising measures to better understand the needs of our users and customers and to improve future campaigns. This may also include the information that the performance of an action (e.g. visiting certain sections of our websites or sending information) is attributable to a specific advertisement. We also receive aggregated reports from the service providers on advertising activities and information on how users interact with our website and our adverts.
The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. Some of the data processing can also be assessed as profiling (with or without high risk), to which your consent also extends. You can withdraw your consent at any time by rejecting or switching off the relevant cookies in the settings of your web browser (cf. section 14.2). Further options for blocking advertising can also be found in the information provided by the respective service provider, e.g. Google.
Google Ads
This website uses, as described in section 14.4.1, the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google) for online advertising. Google uses cookies (cf. the list here) and similar technologies and unique identifiers (in particular advertising IDs) that enable your browser to be recognised when you visit other websites. The information generated about your visit to these websites (including your IP address) is transferred to Google's servers in the USA and stored there (cf., in particular, the lack of an adequate level of data protection and the guarantees provided, section 18.3 and 18.4). Google will process the data by name in order to show you personalised advertising on Google services (e.g. the search engine). You can find more information on data protection at Google here.
The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time by rejecting or switching off the relevant cookies in the settings of your web browser (cf. section 14.2). You can find further options to block advertising here.
Facebook pixel / Facebook custom audience
On our website, we use the so-called "Facebook pixel" by the social network Facebook, which is operated by Meta Platforms Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. With the help of the Facebook pixel, Facebook can determine the visitors to our website as a target group to display adverts (so-called Facebook ads). Accordingly, we use Facebook pixels to display Facebook ads placed by us only to those Facebook users who have also shown an interest in our website or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited) that we transmit to Facebook (so-called custom audiences).
With the help of the Facebook pixel, we also want to ensure that our Facebook ads correspond to the potential interest of users and are not annoying. With the help of the Facebook pixel, we can also track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called conversion). The Facebook pixel is integrated directly by Facebook when you visit our website and can store a cookie on your device (cf. section 14.2). If you subsequently log in to Facebook or visit Facebook while logged in, the visit to our website will be noted in your profile. The data collected about you is anonymous to us, and therefore does not allow us to draw any conclusions about the identity of the user. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible. The data can therefore be used by Facebook for its own market research and advertising purposes. If we transmit data to Facebook for comparison purposes, it is encrypted locally on the browser and only then sent to Facebook via a secure https connection. This is done for the sole purpose of creating a comparison with the data encrypted in the same way by Facebook. Furthermore, when using the Facebook pixel, we use the additional function "extended synchronisation", whereby data for the creation of target groups (custom audiences or look-alike audiences) is transmitted to Facebook in encrypted form.
We also use the Facebook pixel for re-targeting purposes (cf. section 14.4.1). With the help of the Facebook pixel, we can track the Facebook adverts that you have seen when you visit our website, which subpages you visit and which products you add to your shopping cart. This information is used to offer you customised advertising on partner websites as well.
The processing of data by Facebook takes place within the framework of Facebook's Privacy Policy (https://www.facebook.com/about/privacy/update). You can also find specific information and details about the Facebook pixel and how it works in the Facebook help section. You can object to the collection by the Facebook pixel and use of your data to display Facebook ads or withdraw your consent. To set which types of adverts are displayed to you within Facebook, you can go to the page set up by Facebook and follow the instructions on the settings for usage-based advertising.
The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time by rejecting or switching off the relevant cookies in the settings of your web browser (cf. section 14.2).
Based on your prior consent, we may also use data as part of a so-called customer match in the "advanced matching" function of Facebook custom audience. We transmit encrypted data (such as e-mail address, phone number or other identification features) to Facebook, which compares this data with your existing data. If the comparison results in a match, this means that the user is also active on this third-party platform. Based on the matched customer data, a target group is created that enables us to target advertising campaigns to this target group, which leads to greater relevance and effectiveness of the advertising.
The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future.
Teads
Our website uses the services of Teads S.A. ("Teads"), 5, rue de la Boucherie, L-1247 Luxembourg, a digital advertising company. Teads collects and processes certain information, including technical information such as IP addresses and device data, as well as usage data that includes clicks and interactions with ads. This information is used by Teads to deliver personalised advertisements that meet individual interests and to measure and optimise advertising campaigns. You can find more information about data protection at Teads here: https://privacy-policy.teads.com/
The legal basis for this data processing is your consent within the meaning of Art. 6 (1) (a) GDPR. You can revoke your consent at any time by rejecting or deactivating the relevant cookies in your browser settings (see section 14.2).
15. Embedding videos
You can load videos and webcams in various places on our websites. The videos are displayed by means of embedding (iFrame) or directly by link to the websites of the following providers:
Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (YouTube)
Seitz Phototechnik AG, Frauenfelderstrasse 26, 8512 Lustdorf, Switzerland (Seitz Phototechnik)
feratel media technologies AG, Maria-Theresien-Straße 8, 6020 Innsbruck, Austria (feratel)
By clicking on the video, a connection is established with the servers of YouTube, Seitz Phototechnik and feratel (together referred to as video providers). In the process, your browser may display the information described in section 14.1 (incl. IP address) to the video providers. This may also result in data being transferred to servers abroad, e.g. in the USA (cf., in particular, the lack of an adequate level of data protection and the guarantees provided, section 18.3 and 18.4).
For the further processing of data by the video providers, please note the following data protection provisions of the respective company:
16. Social media profiles
We have included links to our profiles in the social networks of the following providers on our website:
Meta Platforms Ireland Limited (Facebook, Instagram & WhatsApp), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Privacy Policy;
Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland, Privacy Policy;
Google Ireland Limited (YouTube), Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, Privacy Policy.
If you click on the social network icons, you will be automatically redirected to our profile on the respective network. This establishes a direct connection between your browser and the server of the respective social network. As a result, the network receives in particular the data described in the section on log files (section 14.1), i.e. in particular the information that you have visited our website with your IP address and clicked on the link. This may also result in data being transferred to servers abroad, e.g. in the USA (cf., in particular, the lack of an adequate level of data protection and the guarantees provided, section 18.3 and 18.4).
If you click on a link to a network while you are logged into your user account with the network in question, the content of our website can be linked to your profile so that the network can assign your visit to our website directly to your account. If you want to prevent this, you should log out before clicking on the relevant links. A connection between your access to our website and your user account takes place in any case if you log in to the respective network after clicking on the link. The respective provider is responsible under data protection law for the associated data processing. Therefore, please note the data protection information on the network's website.
The legal basis for any data processing attributed to us is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the use and advertising of our social media profiles.
17. Data Storage Location
Your data is generally stored in databases within Switzerland. However, in some cases listed in this privacy policy, the data will also be passed on to third parties based outside Switzerland. If the country in question does not have an adequate level of data protection, we ensure through contractual arrangements with these companies that your data is adequately protected by these companies.
18. Centralised data storage and analysis
If a clear assignment to your person is possible, we will store and link the data described in this Privacy Policy, i.e. in particular your personal details, your contacts, your contract data and your surfing behaviour on our websites, in a central database. This serves to efficiently manage customer data, allows us to adequately process your requests and enables us to efficiently provide the services you require and process the associated contracts.
The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the efficient management of user data.
We also analyse this data to further develop our products and services in line with your needs and to provide you with information and offers that are as relevant as possible (cf. section 11) or to display them (cf. section 14.4.1). We also use methods that predict possible interests and future orders based on your use of our website. Some of these analyses can also be assessed as profiling (with or without high risk).
The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in carrying out marketing activities.
19. Disclosure to third parties and transfer abroad
19.1 Shared responsibility in public transport
Unless otherwise stated, we are responsible for the data listed in this Privacy Policy. However, as a public transport company, we are obliged by law to provide certain transport services with other transport companies and associations (direct transport). For this purpose and for other purposes described in this Privacy Policy, data is passed on at a national level within the so-called National Direct Transport (NDV), an association of over 240 transport companies (TC) and public transport associations. The individual TCs and networks are listed here.
The data is stored in the central database NOVA (network-wide public transport connection), which is managed by SBB on behalf of the NDV and for which we are responsible together with the other companies and associations of the NDV. NOVA is a technical platform for the sale of public transport services. It contains all the central elements for the sale of public transport services, such as the customer database. The scope of access to the shared databases by the individual transport companies and associations is governed by a joint agreement. The forwarding of data and its processing by the transport companies and associations in connection with centralised storage is limited to the following purposes:
Provision of transport service: To ensure that your journey runs smoothly, your travel and purchase details are forwarded within the NDV.
Contract processing: We process this data for the establishment, administration and processing of contractual relationships.
Maintaining customer relations and support: We process your data for purposes related to communication with you, in particular to respond to enquiries and assert your rights and to identify and provide you with the best possible support in the event of concerns or difficulties across public transport, as well as to process any claims for compensation.
Ticket control and revenue protection: Customer and season ticket data is required and processed to protect revenue (checking the validity of tickets or discount cards, debt collection, combating abuse). Incidents of travelling without a valid or partially valid ticket can be recorded via the national fare evasion register.
Revenue distribution: The Alliance SwissPass office, managed by ch-integral, fulfils the legal mandate defined in the Swiss Passenger Transport Act to collect travel data for the correct distribution of revenue (surveys on the use of public transport tickets). The office acts as the mandate holder for revenue distribution in national direct transport on behalf of the companies that are members of the NDV.
Joint marketing and market research activities: Furthermore, the data collected when purchasing public transport services is also processed for marketing purposes in certain cases. If you have given your consent and processing or contact is made with you for this purpose, this will generally only be carried out by the transport company or association from which you purchased the corresponding public transport service. Processing or contacting by the other transport companies and networks participating in the NDV will only take place in exceptional cases and under strict conditions, and only if the evaluation of the data shows that a particular public transport service could provide added value for you as a customer. An exception to this is processing and contacting by SBB. SBB manages the marketing mandate for NDV services (e.g. GA card and half-fare card) on behalf of NDV and can contact you regularly in this role. We also process your data for market research, to improve our services and for product development.
Further development of public transport systems with anonymous data: We analyse your data anonymously to further develop the overall public transport system in line with your needs.
Customer information: For group trips, we will notify you via SMS about your group reservation and any delays or cancellations. You can decide for yourself whether you would like to receive these notifications when you book a group trip.
The legal basis for the data processing mentioned here is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.
19.2 Disclosure to third parties and access by third parties
Without the support of other companies, we would not be able to provide our products and services in the desired form. For us to be able to use the services of these companies, it is also necessary to pass on your personal data to these companies to a certain extent. Your data will be passed on to selected third-party service providers and only to the extent necessary to optimise the provision of our services. Your personal data will only be passed on to other third parties outside of public transport (cf. section 18.1) such as SwissPass partners and companies that have been authorised by the public transport companies to broker public transport services based on a contractual agreement. These intermediaries will only have access to your personal data if you wish to obtain a public transport service through them and have given them your consent for access. Even in this case, they will only have access to your data to the extent necessary to determine whether you already have tickets or travelcards for the planned travel period that are relevant to your journey and the service you require from the third party. The legal basis for this data processing is therefore your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future (cf. section 21).
If you use offers from a SwissPass partner using your SwissPass, data about any services you have purchased from us (e.g. a GA card, half-fare card or regional travelcard) may be transmitted to the SwissPass partners in order to check whether you can benefit from a specific offer from the SwissPass partner (e.g. discount for GA card holders). In the event of loss, theft, misuse, counterfeiting or card replacement after the purchase of a service, the partner concerned will be informed. This data processing is necessary for the performance of the contract for the use of SwissPass within the meaning of Art. 6 para. 1 lit. b GDPR and is therefore based on this legal basis. Further information can be found in the privacy policy at www.swisspass.ch and in the privacy policy of the respective SwissPass partner.
Various third-party service providers are already explicitly mentioned in this Privacy Policy. These are the following service providers:
Skidata (Schweiz) GmbH, Soodstrasse 52, 8134 Adliswil, Switzerland (ticketing system for Shuttle Täsch - Zermatt). Further information about data processing in connection with Skidata (Schweiz) GmbH can be found here.
Datatrans AG, Kreuzbühlstrasse 26, 8008 Zurich, Switzerland (payment processing). Further information about data processing in connection with Datatrans AG can be found here.
The legal basis for these transfers is the necessity for the fulfilment of a contract within the meaning of Art. 6 para. 1 lit. b GDPR.
Your data will also be passed on if this is necessary to fulfil the services you have requested, e.g. to restaurants or providers of other services for which you have made a reservation through us. The legal basis for these transfers is the necessity for the fulfilment of a contract within the meaning of Art. 6 para. 1 lit. b GDPR. The third-party service providers are responsible for this data processing within the meaning of the Data Protection Act and not us. It is the responsibility of these third-party service providers to inform you about their own data processing – beyond the transfer of data for the provision of services – and to comply with data protection laws.
In addition, your data may be passed on to authorities, legal advisors or debt collection agencies, in particular if we are legally obliged to do so or if this is required to protect our rights, in particular to enforce claims arising from the relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof and such disclosure is required to carry out a due diligence review or to complete the transaction.
The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the protection of our rights and fulfilment of our obligations or the sale of our company or parts thereof.
19.3 Transfer of personal data abroad
We are authorised to transfer your personal data to third parties abroad if this is necessary to carry out the data processing mentioned in this Privacy Policy. Individual data transfers have been mentioned above (cf. in particular para. 14 and 16). It goes without saying that we strictly comply with the statutory provisions on the disclosure of personal data to third parties. The countries to which data is transferred include those that the Federal Council and the EU Commission have decided have an adequate level of data protection (such as the member states of the EEA or, from the EU's point of view, Switzerland), but also countries (such as the USA) whose level of data protection is not considered adequate (cf. Annex 1 of the General Data Protection Regulation (GDPR) and the EU Commission's website). If the country in question does not have an adequate level of data protection, we ensure that your data is adequately protected by these companies through appropriate guarantees, unless an exception is specified for individual data processing (cf. Art. 49 GDPR). Unless otherwise stated, these guarantees are the selection of companies that are certified under the Privacy Framework Agreement, or standard contractual clauses within the meaning of Art. 46 para. 2 lit. c GDPR, which can be found on the websites of the Federal Data Protection and Information Commissioner (FDPIC) and the EU Commission. If you have any questions regarding the measures taken, please get in touch with our contact person for data protection (cf. section 3).
19.4 Information on data transfers to the USA
Some of the third-party service providers mentioned in this Privacy Policy are based in the USA. For the sake of completeness, we would like to point out to users residing or domiciled in Switzerland or the EU that there are surveillance measures in place in the USA by US authorities that generally allow the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the USA. This is done without differentiation, restriction or exception based on the objective pursued and without an objective criterion that makes it possible to restrict the US authorities' access to the data and its subsequent use to very specific, strictly limited purposes that justify the interference associated with both access to this data and its use. Furthermore, we would like to point out that in the USA there are no legal remedies or effective legal protection for data subjects from Switzerland or the EU against general access rights of US authorities that allow them to obtain access to the data concerning them and to obtain its correction or deletion. We explicitly draw your attention to this legal and factual situation to enable you to make an appropriately informed decision to consent to or object to the use of your data.
We would also like to point out to users residing in Switzerland or a member state of the EU that the USA does not have an adequate level of data protection from the perspective of the European Union and Switzerland – partly due to the explanations in this section. Insofar as we have explained in this Privacy Policy that recipients of data (such as Google) are based in the USA, we will ensure that your data is adequately protected by our third-party service providers by selecting companies that are certified under the Privacy Framework Agreement or by contractual arrangements with these companies and, if required, additional appropriate safeguards.
20. Retention periods
We only store personal data for as long as is necessary to carry out the processing described in this Privacy Policy within the scope of our legitimate interest. For contractual data, storage is prescribed by statutory retention obligations. Requirements that oblige us to retain data result from accounting and tax regulations. According to these regulations, business communication, concluded contracts and accounting documents must be stored for up to 10 years. Once we no longer require this data to provide the services, the data will be blocked. This means that the data may then only be used for the fulfilment of retention obligations or for the defence and enforcement of our legal interests. The data will be deleted as soon as there is no longer an obligation to retain it and there is no longer a legitimate interest in retaining it.
21. Data security
We use suitable technical and organisational security measures to protect your personal data stored by us against loss and unlawful processing, in particular unauthorised access by third parties. Our employees and the service companies commissioned by us are obliged by us to maintain confidentiality and to comply with data protection regulations. Furthermore, these persons are only granted access to personal data to the extent necessary to fulfil their tasks.
Our security measures are continuously adapted in line with technological developments. However, the transmission of information via the internet and electronic means of communication always harbours certain security risks and therefore we provide no absolute guarantee for the security of information transmitted in this way.
22. Your rights
Provided that the legal requirements are met, you have the following rights as a data subject affected by data processing:
Right to information: You have the right to request access to your personal data stored by us at any time free of charge when we process it. This gives you the opportunity to check what personal data we process about you and whether we process it pursuant to the applicable data protection regulations.
Right to rectification: You have the right to have incorrect or incomplete personal data rectified and to be informed of the rectification. In this case, we will also inform the recipients of the data concerned about the adjustments we have made, unless this is impossible or involves disproportionate effort.
Right to deletion: You have the right to have your personal data deleted under certain circumstances. In individual cases, particularly in the case of statutory retention obligations, the right to deletion may be excluded. In this case, the data may be blocked instead of deleted if the conditions are met.
Right to restriction of processing: You have the right to request that the processing of your personal data be restricted.
Right to data portability: You have the right to receive from us, free of charge, the personal data that you have provided to us in a readable format.
Right to object: You can object to data processing at any time, particularly in the case of data processing in connection with direct marketing (e.g. marketing e-mails).
Right of revocation: In principle, you have the right to revoke your consent at any time. However, processing activities based on your consent in the past are not rendered unlawful by your revocation.
To exercise these rights, please send us an e-mail to the following address: datenschutz@mgbahn.ch
If you would like information regarding or deletion of your personal data under public transport data protection law, you can contact SBB in writing. The request for information or deletion should be sent to the following address: SBB AG, Legal & Compliance, Data Protection Office, Hilfikerstrasse 1, 3000 Bern 65.
Right to lodge a complaint: You have the right to lodge a complaint with a competent supervisory authority, e.g. against the way in which we process your personal data.
Status 17.01.2024