Data protection guidelines

The Matterhorn Gotthard Bahn in Brig, in front of the railway offices, on a sunny day.

Privacy Policy of the public limited company Matterhorn Gotthard Railway

Responsible entity and content of this Privacy Policy
Public transport companies’ customer promise
Contact person for data protection
Data processing during phone, e-mail contact and thrugh online forms
Data processing during WhatsApp contact
Data processing when registering for a user account at
Data processing when using the website as a registered user
Data processing when using our web shop 8.1 Data processing when buying gift vouchers
Data processing during payment processing
Data processing in e-mail marketing
Data processing when using our WiFi network
Data processing through licence plate recognition systems
Data processing by video cameras
Data processing when applying for an advertised job
Data processing when registering for a job alert
Background data processing on our website 16.1 Data processing when visiting our website (log file data) 16.2 Cookies 16.3 Tracking and web analysis tools 16.4 Online advertising and targeting
Embedding videos
Social media profiles
Data Storage Location
Centralised data storage and analysis
Disclosure to third parties and transfer abroad 21.1 Shared responsibility in public transport 21.2 Disclosure to third parties and access by third parties 21.3 Transfer of personal data abroad 21.4 Information on data transfers to the USA
Retention periods
Data security
Your rights

1. Responsible entity and content of this Privacy Policy

We, the public limited company Matterhorn Gotthard Bahn, Bahnhofplatz 7, 3900 Brig , CHE-109.897.716, are the operator of the websites www.matterhorngotthardbahn.ch and www.mgbahn.ch (websites) and, unless otherwise stated in this Privacy Policy, are responsible for the data processing listed in this Privacy Policy.

We are a company belonging to BVZ Holding. The individual Group companies use the data pursuant to their internal group guidelines. If you contact the individual Group companies and use other BVZ Holding websites, the respective Group companies are solely responsible for the collection, processing and use of your personal data and for data processing in compliance with the law pursuant to the current privacy policy of the respective Group company, unless otherwise stated in this Privacy Policy.

Your trust is important to us. That is why we take the issue of data protection seriously and ensure appropriate security. Consequently, we consider it a matter of course to comply with the legal requirements of the Swiss Federal Act on Data Protection (FADP), the Ordinance onData Protection (Data Protection Ordinance, DPO), the Telecommunications Act (TCA) and the European General Data Protection Regulation (GDPR), the provisions of which may be applicable in individual cases.

Please take note of the following information so that you know what personal data we collect from you and for what purposes we use it. Please also note that the following information is reviewed and amended from time to time. We therefore recommend that you consult this Privacy Policy on a regular basis. Furthermore, other companies are responsible or jointly responsible with us under data protection law for the individual data processing operations listed below, so that in these cases the information provided by these providers is also authoritative.

2. Public transport companies’ customer promise

Public transport companies handle your data confidentially. The protection of your personality and your privacy is an important concern for us, the public transport companies. We guarantee that your personal data will be processed pursuant to the applicable provisions of data protection law. To summarise, we process personal data exclusively in accordance with the following principles:

You yourself decide on the processing of your personal data. Within the legal framework, you can refuse data processing or withdraw your consent or have your data deleted at any time. You always have the option of travelling anonymously, i.e. without your personal data being collected.
We offer you added value when processing your data. We use your data exclusively in the context of providing our services and to offer you added value (e.g. customised offers, information and support). We therefore only use your data for the development, provision, optimisation and evaluation of our services or to maintain the customer relationship.
Your data will not be sold. Your data will only be disclosed to selected third parties listed in this Privacy Policy and only for the purposes explicitly stated. If we commission third parties to process data, they are obliged to comply with our data protection standards.
We guarantee the security and protection of your data. We guarantee careful handling of your data as well as its security and protection. We take the necessary organisational and technical precautions to ensure this.

Below you will find detailed information on how we handle your data.

3. Contact person for data protection

If you have any questions about data protection or would like to exercise your rights, please contact our data protection officer by sending an e-mail to the following address: datenschutz@mgbahn.ch

You can reach our EU data protection representative at:

MLL EU-GDPR GmbH Ganghoferstrasse 33 DE-80339 Munich mgverkehrsag@mll-gdpr.com

4. Data processing during phone & e-mail contact and thrugh online forms

If you contact us by phone or e-mail or use an online form, your personal data will be processed. The data you provide us with, such as your name, e-mail address or phone number and your enquiry, will be processed. In addition, the time of receipt of the enquiry is documented. We process this data in order to fulfil your request (e.g. providing information about our products and services, assisting with contract processing, incorporating your feedback into the improvement of our products and services, etc.).

5. Data processing during WhatsApp contact

We offer you the option of contacting us via the WhatsApp messaging service provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Meta). When using WhatsApp, personal data is processed. In addition to your phone number, we process the data that you provide to us, such as your name and your request. In addition, the time of receipt of the enquiry is documented. We process this data in order to fulfil your request (e.g. providing information about our products and services, assisting with contract processing, incorporating your feedback into the improvement of our products and services, etc.).

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the use of the services of third-party providers and in the implementation of your request or, if your request is aimed at the conclusion or execution of a contract, the necessity for the implementation of the required contractual measures within the meaning of Art. 6 para. 1 lit. b GDPR.

When you use WhatsApp, your data is stored in a Meta database. The data processed by Meta may include, in particular, your phone number, message content, device information and location information. Meta is responsible for the data processing carried out by Meta and must ensure compliance with data protection laws in connection with this data processing. Information on the processing of data by third parties and any transfer abroad can be found in section 20 of this Privacy Policy. Further information about data processing by Meta can be found here.

6. Data processing when registering for a user account

You have the option of opening a user account on our website. Registration and authentication are carried out using your SwissPass login. This is a so-called Single Sign-On (SSO). When you register your user account, we collect the data stored in your SwissPass account. Further information on the use of the SSO and joint responsibility in public transport can be found under section 2.

We use the personal details to establish your identity and to check the requirements for registration. The e-mail address and password together serve as login data and thus ensure that the correct person is using the website with your details. We also need your e-mail address for future communication with you, which is required for contract fulfilment. Furthermore, this data is stored in the customer account for future contract conclusions. For this purpose, we also allow you to store further details in the account (e.g. billing and delivery address).

In addition, we use the data to provide an overview of the orders placed and services purchased (see in particular section [section]) and a simple way to manage your personal data, to administer our website and the contractual relationships, i.e. to establish, organise the content of, process and amend the contracts concluded with you via your customer account (e.g. in connection with your order with us).

The legal basis for the processing of your data for the aforementioned purpose is your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future by removing your information from the customer account or deleting your customer account or having it deleted by sending us a message.

To prevent misuse, you should always treat your login data confidentially, log out after each session and delete your browser history, especially if you share the end-device with others.

7. Data processing when using the website as a registered user

During the use of the website by registered users who are logged in (cf. section 6), we collect data for statistical reasons and to enable the website to function properly. In particular, the following data is collected:

the type, frequency and intensity of use of the website
the duration of your membership
the orders placed
the composition of the shopping basket

We use cookies to recognise you as a registered user when you use the website after logging in. Please also note the information in section 16.2.

The legal basis for processing your data for this purpose is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future by deleting your customer account or having it deleted by sending us a message.

8. Data processing when using our web shop

You have the option of ordering products or booking services on our website (e.g. train tickets, car park tickets, car transport tickets or leisure activities). You can place orders and bookings as a guest or as a registered user (cf. section 7). We require various data from you to process the contract. Depending on the product or service, we collect the following data:

Your last name and first name and those of any other service recipients
Postal address (street, house number, postal code, town, country)
E-mail address
Information in the context of payment
Date of birth
Phone number
Loading direction, loading time, vehicle type, trailer
Car licence plate and country
Existing tickets/subscriptions (e.g. half-fare card)
SwissPass ID

In order to process the contractual relationship, we also collect data regarding the services you have purchased (service data). Depending on the product or service, this includes the following information:

Type of product or service purchased
Price
Date and time of purchase
Time of service provision (e.g. event, overnight stay or travel date or period of validity)
Place of departure and destination

We use your personal details to establish your identity before concluding a contract. We need your e-mail address to confirm your order and for future communication with you that is required to fulfil the contract. We store your data together with the order details (e.g. time, order number, etc.), the data regarding the services ordered (e.g. description, price and features of the product; product data), the payment data (e.g. payment method selected, confirmation of payment and time; cf. section 9 as well as information on the processing and fulfilment of the contract, e.g. return of products, use of service or warranty services, etc.) so that we can ensure correct order processing and contract fulfilment. The legal basis for this data processing is the fulfilment of a contract with you pursuant to Art. 6 para. 1 lit. b GDPR.

Insofar as this is necessary for the fulfilment of the contract, we will also pass this information on to the respective third-party service providers (e.g. transport companies such as SBB or Gornergrat Bahn AG) or an insurance company (when booking travel cancellation insurance). Information on the processing of data by third parties and any transfer abroad can be found in section 20 of this Privacy Policy. The legal basis for this processing is the fulfilment of a contract pursuant to Art. 6 para. 1 lit. b GDPR.

Data generated when purchasing public transport services is stored in a central database (cf. section 19) and also processed for other purposes, including marketing purposes (cf. section 10). In addition, the data is used as part of ticket control to identify the holder of a personalised ticket and to prevent misuse. The data is also used to provide our service-après-vente to identify and support you in the event of concerns or difficulties and to process any claims for compensation. Finally, the data is used to distribute the revenue generated by the purchase of tickets fairly among the companies and associations of direct transport. Information on the processing of data by third parties can be found in section 20.2 of this Privacy Policy. Our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR forms the legal basis for this data processing.

The provision of data that is not labelled as mandatory is voluntary. We process this data to tailor our products and services to your personal needs in the best possible way, to facilitate the processing of contracts, to contact you via an alternative communication channel if necessary with a view to fulfilling the contract or for statistical recording and evaluation to optimise our products and services. The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future by sending us a message.

If you purchase services after opening a customer account or using your login data for the customer account, we will store your data in the customer account (cf. also section 6 and 7). The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR.

For the provision of the web shop, we use an online sales solution from Alturos Destination GmbH, Lakeside B03, 9020 Klagenfurt am Wörthersee, Austria (Alturos). Therefore, your data is stored in Alturos' database, which may allow Alturos to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 20 of this Privacy Policy. The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para 1 lit. f GDPR in using the services of third-party providers.

Alturos may wish to use some of this data for its own purposes (e.g. to send marketing e-mails or for statistical analyses). Alturos is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. Information about data processing by Alturos can be found below:

In addition, certain functional aspects of our website (e.g. pop-ups) require that a cookie (cf. section 16.2) is set by our service provider Powr, Inc, 44 Tehama St, San Francisco, 94105 California, USA (POWR). Information on the processing of data by third parties and any transfer abroad can be found in section 20 of this Privacy Policy. The legal basis for this processing is our legitimate interest within the meaning of Article 6(1)(f) GDPR in using the services of third-party providers. You can find more information about data processing in connection with POWR here.

8.1 Data processing when purchasing vouchers

You have the option of odering vouchers on our websites. We collect the following data for this purpose, whereby mandatory information is marked with an asterisk (*) during the ordering process:

Salutation
First name
Last name
Company
Address
Country
Phone
E-mail address
Voucher for
Voucher from
Dedication

We use your personal details to verify your identity before concluding a contract. We require your e-mail address to confirm your order, to send you the voucher, receipt and invoice in digital form and for future communication with you that is necessary to fulfil the contract. The legal basis for this data processing is the fulfilment of a contract with you pursuant to Art. 6 para. 1 lit. b GDPR.

The provision of data that is not labelled as mandatory is voluntary. We process this data in order to tailor our offer to your personal needs in the best possible way, to facilitate the processing of contracts, to contact you via an alternative communication channel if required with regard to the fulfilment of the contract or for statistical recording and evaluation to optimise our offers. The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit a GDPR. You can revoke your consent at any time by sending us a message.

We use a software application by Idea Creation GmbH, Walchestrasse 15, 8006 Zurich, Switzerland (E-GUMA) to provide the online shop. To purchase the vouchers, you will be redirected to the E-GUMA website. Therefore, your data will be stored in an E-GUMA database, which may allow E-GUMA to access your data if this is required for the provision of the software and for support in using the software. Information on the processing of data by third parties and any transfer abroad can be found in section 20 of this privacy policy. The legal basis for this data processing is the fulfilment of a contract with you pursuant to Art. 6 para. 1 lit. b GDPR.

E-GUMA may wish to use some of this data for its own purposes (e.g. to send marketing e-mails or for statistical analyses). E-GUMA is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. You can find information about data processing by E-GUMA here.

9. Data processing during payment processing

The processing of personal data is required if you purchase products, services or vouchers in our online shop or at a counter of a public transport company using electronic means of payment.

By using the payment terminals, you transmit the information stored in your means of payment, such as the name of the cardholder and the card number, to the payment service providers involved (e.g. payment solution providers, credit card issuers and credit card acquirers). They also receive the information that the payment method was used at our point of sale, as well as the amount and the time of the transaction. Conversely, we only receive the credit of the amount of the payment made at the relevant time, which we can assign to the relevant receipt number, or the information that the transaction was not possible or was cancelled. If you purchase products, services or vouchers in our web shop for a fee, you may be required to provide additional data, such as your credit card information or the login for your payment service provider, depending on the service and the desired payment method. This information and the fact that you have purchased a service from us at the relevant amount and time will be forwarded to the respective payment service providers (e.g. providers of payment solutions, credit card issuers and credit card acquirers). The legal basis for our data processing is the fulfilment of a contract pursuant to Art. 6 para. 1 lit. b GDPR.

For payment processing, we use a software application from Datatrans AG, Kreuzbühlstrasse 26, 8008 Zurich, Switzerland (Datatrans). Your data may therefore be stored in a Datatrans database, which may enable Datatrans to access your data if this is required for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 20 of this Privacy Policy. The legal basis for our data processing is the fulfilment of a contract with you pursuant to Art. 6 para. 1 lit. b GDPR.

With wallet payment solutions (Twint, Apple Pay, PayPal, SwissPass), your card details are securely stored in the wallet beforehand. If you decide to pay with a wallet solution, you generally no longer need to enter any payment card information. Only the data required for authorisation and transaction processing is transferred via the wallet. Always pay attention to the information provided by the respective company, in particular the privacy policy and general terms and conditions.

10. Data processing in e-mail marketing

If you register for our marketing e-mails (e.g. when you open a customer account or when you order a product or service), the following data will be collected:

E-mail address
Salutation
First name and last name

To prevent misuse and to ensure that the owner of an e-mail address has actually given their consent to receive marketing e-mails, we use the so-called double opt-in for registration. After submitting your registration, you will receive an e-mail from us with a confirmation link. You must click on this link to definitively register for the marketing e-mails. If you do not confirm your e-mail address using the confirmation link within the specified period, your data will be deleted and our marketing e-mails will not be sent to this address.

By registering, you give us your consent to process this data for the purpose of sending you communications about our company, our tourism and transport offers and related products and services from us, the companies in which BVZ Holding holds an interest and selected partner companies, such as service providers in municipalities in our route network. This may also include requests to participate in surveys (market research) or competitions or to evaluate one of the services/products or companies mentioned. The collection of the e-mail address also allows us to assign the registration to any existing customer account and thereby personalise the content of the marketing e-mails. The link to a customer account allows us to make the offers and content contained in the marketing e-mails more relevant to you and better tailored to your potential needs.

Your consent constitutes the legal basis for the processing of data within the meaning of Art. 6 para. 1 lit. a GDPR. We will use your data to send you marketing e-mails until you withdraw your consent. Withdrawal is possible at any time, in particular via the unsubscribe link contained in all marketing e-mails.

Our marketing e-mails may contain a so-called web beacon, 1x1 pixel (tracking pixel) or similar technical aids. A web beacon is an invisible graphic that is linked to the user ID of the respective subscriber. For each marketing e-mail sent, we receive information on which e-mail addresses it was successfully sent to, which e-mail addresses have not yet received the marketing e-mail and which e-mail addresses failed to receive it. We also see which e-mail addresses have opened the marketing e-mail, for how long and which links have been clicked. Finally, we also receive information about which subscribers have unsubscribed from the mailing list. We use this data for statistical purposes and to optimise the marketing e-mails in terms of frequency and time of sending as well as the structure and content of the marketing e-mails. This enables us to better tailor the information and offers in our marketing e-mails to the individual interests of the recipients.

By subscribing to the marketing e-mails, you also consent to the statistical analysis of user behaviour for the purpose of optimising and adapting the marketing e-mails. This consent constitutes our legal basis for processing the data within the meaning of Art. 6 para. 1 lit. a GDPR. The web beacon is deleted when you delete the marketing e-mail. You can prevent the use of web beacons in our marketing e-mails and thus revoke your consent by setting the parameters of your e-mail programme so that HTML is not displayed in messages. You can find information on how to configure this setting in the help section of your e-mail software application, e.g. here for Microsoft Outlook.

For the provision of marketing e-mails, we use a software application from Alturos Destinations GmbH, Lakeside B03, 9020 Klagenfurt, Austria (Alturos). Your data is stored in a database of BRAZE Ltd, Exchange House 10th Floor, 12 Primrose Street, London, England, EC2A 2EG (BRAZE). Therefore, Alturos and BRAZE may have access to your data if this is necessary for the provision of the software and for support in the use of the software.

Alturos and BRAZE may wish to use some of this data for their own purposes (e.g. to send marketing e-mails or for statistical analyses). Alturos and BRAZE are responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. Information about data processing by Alturos and BRAZE can be found under the following links:

Information on the processing of data by third parties and any transfer abroad can be found in section 20 of this Privacy Policy. Your consent constitutes the legal basis for the processing of data within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future.

In certain cases, contact may also be made by SBB or another company involved in direct transport under strict conditions. Please refer to the information in section 20.1. You can refuse to be contacted by SBB (e.g. in connection with your GA or half-fare card) or by other public transport companies at any time. The following options are available to you:

Every e-mail you receive from public transport companies contains an unsubscribe link that you can click to unsubscribe from further messages.
If you have a SwissPass login, you can log in to SwissPass and manage your settings for receiving messages in your user account at any time.
You can also deregister at any counter of a public transport company.

11. Data processing when using our WiFi network

Together with Gornergrat Bahn AG, we provide our customers free access to the Internet via WiFi network at selected locations for a fixed period of use within the scope of technical, operational and economic possibilities. To a certain extent, we are therefore deemed to be jointly responsible with Gornergrat Bahn AG for data processing in the context of providing the WiFi network.

Prior registration is required to prevent misuse and to punish unlawful behaviour. In doing so, you transmit the following data to us:

Mobile phone number
MAC address of the end device (automatic)
End device used (operating system, device type and manufacturer)
IP address of the end device
User browser

In addition to the above data, data on the time and date of use and data on the train station area visited are transmitted each time the WiFi network is used. The legal basis for this processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future.

For the provision of our WiFi network, we work together with onway (schweiz) ag, Stauffacherstrasse 16, 8004 Zurich, Switzerland (onway). Therefore, your data may be stored in a onway database, which may allow onway to access your data if this is necessary for the provision of the software and for support in the use of the software. Information about the processing of data by third parties can be found in section 20 of this Privacy Policy. You can find more information about data processing by onway here.

onway must comply with the legal obligations of the Federal Act on the Surveillance of Post and Telecommunications (SPTA) and the associated ordinance. If the legal requirements are met, the operator of the WiFi network must monitor the use of the internet and data traffic on behalf of the competent authority. The operator of the WiFi network may also be obliged to disclose the customer's contact, usage and marginal data to the authorised authorities. The contact, usage and peripheral data in connection with your person will be stored for 6 months and then deleted.

The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the provision of a WiFi network in compliance with the applicable legal regulations.

12. Data processing through licence plate recognition systems

The cameras in the access areas of the Furka car loading bay and the Matterhorn Terminal Täsch scan the licence plates of vehicles. The purpose of this processing is the comparison of vehicle licence plates with valid vehicle tickets (entry and exit control) and thus the prevention of misuse. The legal basis is our legitimate interest in entry, exit and misuse control within the meaning of Art. 6 para. 1 lit. f. GDPR. When purchasing an online ticket for the Furka Car Transport or the Matterhorn Terminal Täsch, you can enter your licence plate number in the web shop (cf. section 8). The licence plates of the vehicles scanned by the camera are compared with the list of licence plates that were specified when the online ticket was ordered. If a valid ticket for your licence plate number has been registered with the online shop operator, ALTUROS Destinations GmbH, Lakeside B03, 9020 Klagenfurt, Austria (cf. section 8), you will be granted access. The legal basis for processing your data for this purpose is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. It is also possible to purchase an anonymous ticket without recording your licence plate number. The images recorded during video surveillance are stored for seven days and then deleted.

We rely on the service provider Schenk AG, Fännring 1, 6403 Küssnacht am Rigi (Schenk) to provide the licence plate generation system for the Furka Car Transport and we use a system from Digitalparking AG, Rütistrasse 13, 8952 Schlieren (Digitalparking) for the Matterhorn Terminal Täsch. Schenk and Digitalparking have access to the data insofar as this is necessary for the provision of the systems. If the suspicion of unlawful behaviour is substantiated, the data may be passed on to consulting firms (in particular to a law firms) and authorities to the extent necessary for the enforcement of claims or the filing of charges and thus stored for longer. Information on the processing of data by third parties can be found in section 20 of this Privacy Policy. Further information about data processing in connection with Schenk can be found here. Further information about data processing in connection with Digitalparking can be found here. The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in using the services of third-party providers.

13. Data processing by video cameras

To protect our customers and employees as well as our property and to prevent and punish unlawful behaviour (in particular theft and damage to property), the entrance area and the publicly accessible areas of our facilities, with the exception of the sanitary facilities, may be monitored by cameras. The image data will only be viewed if there is a suspicion of unlawful behaviour. Otherwise, the images are automatically deleted after 72 hours.

For the provision of the video surveillance system, we rely on the service provider Annax Schweiz AG, Zentweg 9, 3006 Bern, Switzerland (Annax). Annax has access to the data insofar as this is necessary for the provision of the system. If the suspicion of unlawful behaviour is substantiated, the data may be passed on to the extent necessary for the enforcement of claims or for the filing of a complaint to consulting firms (in particular to a law firm) and authorities. Information on the processing of data by third parties and any transfer abroad can be found in section 20 of this Privacy Policy. Further information about data processing in connection with Annax can be found here. The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in using the services of third-party providers.

14. Data processing when applying for an advertised job

You have the option of sending us an unsolicited application or applying in response to a specific job advertisement. In doing so, we process the personal data you provide. You can also apply for advertised jobs directly online via our job portal. Our job portal is operated by BVZ Holding and we are therefore jointly responsible with BVZ Holding for the personal data processed in the job portal or in an online application. When you apply online, we collect the following data from you, whereby mandatory information is marked with an asterisk (*) in the relevant form:

General information:

Salutation
First name
Last name
Street
Postal code
Place
Country
Date of birth
Phone
E-mail address
Further information:
Salary expectations
Current termination period
Details of the location of the advert
Details of a personal recommendation by one of our employees
Desired level of employment
Information regarding visual aid
Information regarding hearing aid
Information on chronic diseases
Information on red and/or green deficiency or any other eye disease
Information on entries in the Swiss criminal register
Possession of a driving licence cat. B
Application documents (cover letter, CV, photo, etc.)

We will only use the data we receive from you to check your suitability for the advertised position and to contact you regarding the next steps in the application process. We require information on chronic illnesses and other physical limitations (visual aid, hearing aid, red and/or green deficiency or other eye disease) for jobs that may not be filled by persons with certain chronic and/or physical limitations due to safety risks.

If you use the "Apply with LinkedIn profile" or "Apply with Finest Jobs profile" functions, your first name, last name, e-mail address and your photo from the respective profile will be stored in the form. This calls up the web server of LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland (LinkedIn) or the web server of Finest-Jobs, a service by Rexx Systems GmbH, Südstrasse 75-79, 20097 Hamburg, Germany (Finest-Jobs), and your web browser transmits a corresponding data request to the respective portal operator. By logging in to the respective portal, the data request can be assigned to your profile and linked to the required information. The operators of the job portals obtain information about your visit and your interactions on our website. The further processing of data by LinkedIn and Finest-Jobs is governed by their privacy policies, which you can access via the links below:

Your personal data will automatically be partially deleted six months after acceptance/rejection. From this point onwards, only the following information will remain in our system for statistical reasons:

Salutation
Date of birth
Country
Postal code and place
Application channel
Reason for cancellation (if applicable)

Our online job portal is provided via the servers of our hosting provider Rexx Systems GmbH, Südstrasse 75-79, 20097 Hamburg, Germany (Rexx). Therefore, when you apply online, your data will be stored in a Rexx database, which may allow Rexx to access your data if this is required for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 20 of this Privacy Policy.

Rexx may wish to use some of this data for its own purposes (e.g. for statistical analyses for product optimisation). Rexx is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. You can find more information about data processing in connection with Rexx here.

The legal basis for processing your data for this purpose is the fulfilment of a contract (pre-contractual phase) pursuant to Art. 6 para. 1 lit. b GDPR.

15. Data processing when registering for a job alert

You can register for an automatic job alert on the BVZ Holding job portal (cf. section 14). You will be notified directly in the event of a new vacancy. When registering for this job alert, you must provide the following information:

Location for which you would like to apply
Your e-mail address

To prevent misuse and to ensure that the owner of an e-mail address has actually given their consent to receive job alert e-mails, we use the double opt-in process for registration. After submitting your registration, you will receive an e-mail from us with a confirmation link. To definitively register for the job alert e-mails, you must click on this link. If you do not confirm your e-mail address using the confirmation link within the specified period of 7 days, your data will be deleted and our job alert e-mails will not be sent to this address.

By registering, you consent to the processing of the data provided to receive job alert e-mails from us about vacancies advertised by us.

We will use your data to send you job alert e-mails until you withdraw your consent. Revocation is possible at any time, in particular via the unsubscribe link contained in all job alert e-mails.

We use a software application from Rexx Systems GmbH, Süderstrasse 75-79, 20097 Hamburg, Germany (Rexx) to send job alert e-mails. Therefore, your e-mail address is stored in a database of Rexx, which may allow Rexx to access your data if required for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 20 of this Privacy Policy.

Your consent constitutes the legal basis for the processing of data within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future.

16. Background data processing on our website

16.1 Data processing when visiting our website (log file data)

When you visit our website, the web servers temporarily store every access in a log file. The following data is recorded without any action on your part and stored by us until it is automatically deleted:

IP address of the requesting computer;
Date and time of access;
Name and URL of the retrieved file;
Website from which the access was made, if applicable with the search term used;
Your computer's operating system and the browser you are using (incl. type, version and language setting);
Device type in the event of access by mobile phones;
City or region from which the access was made; and
Name of your Internet access provider.

This data is collected and processed for the purpose of enabling the use of our website (connection establishment), ensuring system security and stability in the long term and enabling error and performance analysis and optimisation of our website (cf. section 16.3).

In the event of an attack on the network infrastructure of the website or in the event of suspicion of other unauthorised or improper use of the website, the IP address and other data will be evaluated for clarification and defence purposes and, if necessary, used to identify the user concerned in the context of civil or criminal proceedings.

The purposes described above constitute our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR and thus the legal basis for data processing.

For the operation of our website we use the services of our hosting provider iWay AG, Badenerstrasse 569, 8048 Zurich, Switzerland (iWay). Your data is therefore stored in an iWay database, which enables iWay to access your data if this is necessary for the provision of the software and for support in the use of the software. The website is hosted on servers in Switzerland. Information on the processing of data by third parties can be found in section 20.2 of this Privacy Policy. The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para. 1 lit.f GDPR in using the services of third-party providers.

iWay may wish to use some of this data for its own purposes (e.g. for statistical analyses for product optimisation). iWay is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. You can find more information about data processing in connection with iWay here.

Finally, when you visit our website, we use cookies as well as applications and tools that are based on the use of cookies. The data described here may also be processed in this context. You will find more detailed information on this in the following sections of this Privacy Policy, in particular the following section 16.2.

16.2 Cookies

Cookies are information files that your web browser stores on your computer's hard drive or memory when you visit our website. Cookies are assigned identification numbers that identify your browser and allow the information contained in the cookie to be read.

Cookies help, among other things, to make your visit to our website easier, more pleasant and more meaningful. We use cookies for various purposes that are required for your desired use of the website, i.e. that are "technically necessary". For example, we use cookies to identify you as a registered user after you have logged in without you having to log in again each time you navigate through the various subpages. The provision of website elements such as the order function is also based on the use of cookies, which temporarily store your entries when you fill out a form on the website so that you do not have to repeat the entry when you call up another subpage. Cookies also perform other technical functions required for the operation of the website, such as load balancing, i.e. the distribution of the performance load of the site to different web servers in order to reduce the load on the servers. Cookies are also used for security purposes, e.g. to prevent the unauthorised posting of content. Finally, we also use cookies as part of the design and programming of our website, e.g. to enable the uploading of scripts or codes.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the provision of a user-friendly and up-to-date website.

Most internet browsers accept cookies automatically. However, when you access our website, we ask for your consent to the cookies we use that are not technically necessary, especially when using third-party cookies for marketing purposes. You can make your desired settings using the corresponding buttons in the cookie banner. Details on the services and data processing associated with the individual cookies can be found within the cookie banner and in the following sections of this Privacy Policy.

We use the service Cookiebot by Usersentrics, Sendlinger Strasse 7, 80331 Munich, Germany (Cookiebot) to control and consent to all cookies on the website. Cookiebot is responsible for the data processing carried out by Cookiebot and must ensure compliance with data protection laws in connection with this data processing. Information on the processing of data by third parties and any transfer abroad can be found in section 18 of this Privacy Policy. Further information about data processing by Cookiebot can be found here.

You may also be able to configure your browser so that no cookies are stored on your computer or so that a message always appears when you receive a new cookie. You can use the links below to find out how you can configure the processing of cookies in selected browsers.

If you deactivate cookies, you may not be able to use all the functions of our website.

16.3 Tracking and web analysis tools

General information about tracking

We use the web analysis services listed below for the purpose of designing and continuously optimising our website in line with requirements. In this context, pseudonymised user profiles are created and cookies are used (please also refer to section 16.2). The information generated by the cookie about your use of this website is generally transferred together with the data specified in section 16.1 to a server of the service provider, where it is stored and processed. This may also result in a transfer to servers abroad, e.g. the USA (cf., in particular, the lack of an adequate level of data protection and the guarantees provided, section 20.3 and 20.4).

By processing the data, we obtain the following information, among others:

Navigation path followed by a visitor on the site (incl. content viewed and products selected or purchased or services booked);
Time spent on the website or subpage;
Subpage on which the website is left;
Country, region or city from where access is made;
end device (type, version, colour depth, resolution, width and height of the browser window); and
Returning or new visitors.

The provider will use this information on our behalf to analyse the use of the website, in particular to compile reports on website activity and to provide other services relating to website activity and internet usage for the purposes of market research and the needs-based design of these websites. For these processing operations, we and the providers can be regarded as joint responsible entities under data protection law up to a certain extent.

The legal basis for this data processing with the following services is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. Some of the data processing may also be assessed as profiling (with or without high risk), to which your consent also extends. You can withdraw your consent or object to processing at any time by rejecting or switching off the relevant cookies in your web browser settings (cf. section 16.2) or by making use of the service-specific options described below.

For the further processing of the data by the respective provider as the (sole) responsible entity under data protection law, in particular any disclosure of this information to third parties, e.g. to authorities due to national legal regulations, please refer to the respective data protection information of the provider.

Google Analytics

We use the web analysis service Google Analytics from Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).

In deviation from the description in section 16.3.1 IP addresses are not logged or stored in Google Analytics (in the "Google Analytics 4" version used here). In the case of access originating from the EU, IP address data is only used to derive location data and then deleted immediately. When collecting measurement data in Google Analytics, all IP searches are carried out on EU-based servers before the traffic is forwarded to Analytics servers for processing. Regional data centres are used in Google Analytics. If a connection is established in Google Analytics to the nearest available Google data centre, the measurement data is sent to Analytics via an encrypted HTTPS connection. In these centres, the data is further encrypted before it is forwarded to the Analytics processing servers and made available on the platform. The most suitable local data centre is determined based on the IP addresses. This may also result in data being transferred to servers abroad, e.g. in the USA (cf., in particular, the lack of an adequate level of data protection and the guarantees provided, section 20.3 and 20.4).

We also use the technical extension "Google Signals", which enables cross-device tracking. This allows an individual website visitor to be assigned to different end devices. However, this only happens if the visitor has logged into a Google service when visiting the website and has also activated the "personalised advertising" option in their Google account settings. Even then, however, no personal data or user profiles are made available to us. If you do not wish to use "Google Signals", you can deactivate the "personalised advertising" option in your Google account settings.

Users can prevent Google from collecting the data generated by the cookie and relating to the use of the website by the user concerned (including the IP address) and from processing this data by Google and revoke their consent by rejecting or switching off the relevant cookies in the cookie banner or in the settings of their web browser (cf. section 16.2) or by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en. For the further processing of data by Google, please refer to Google's Privacy Policy: https://policies.google.com/privacy?hl=en&gl=en.

16.4 Online advertising and targeting

In general

We use the services of various companies to provide you with interesting offers online. Your user behaviour on our websites and websites of other providers is analysed so that we can then display online advertising tailored to you.

Most technologies for tracking your user behaviour (tracking) and for the targeted display of advertising (targeting) use cookies (cf. also section 16.2) or similar technologies and unique identifiers (e.g. advertising ID) with which your browser can be recognised via various websites. Depending on the service provider, it may also be possible for you to be recognised online even when using different end devices (e.g. laptop and smartphone). This may be the case, for example, if you have registered with a service that you use on several devices.

For these purposes, the data collected when websites are accessed (log file data, cf. section 16.1) and the use of cookies (section 16.2) may be passed on to the companies involved in the advertising networks and processed further by them. This also results in the data being disclosed to potentially all countries worldwide (cf., in particular, the lack of an adequate level of data protection and the guarantees provided, section 20.3 and 20.4). In addition, the following data in particular is used to select the advertising that is potentially most relevant to you:

Information about you that you provided when registering or using a service from advertising partners (e.g. your gender, your age group); and
User behaviour (e.g. search queries, interactions with advertising, types of websites visited, products or services viewed and purchased, newsletters subscribed to).

We and our service providers use this data to recognise whether you belong to the target group we are addressing and take this into account when selecting advertisements. For example, after you have visited our site, you may be shown adverts for the products or services you have consulted when you visit other sites (re-targeting). Depending on the scope of the data, a user profile may also be created, which is evaluated automatically, i.e. with so-called profiling, whereby the ads are selected according to the information stored in the profile, such as membership of certain demographic segments or potential interests or behaviours. Such adverts can be displayed to you on various channels, which, in addition to our website as part of on-site marketing, also include adverts that are placed via the online advertising networks we use, such as Google.

The data may then be analysed for the purpose of billing the service provider and to assess the effectiveness of advertising measures to better understand the needs of our users and customers and to improve future campaigns. This may also include the information that the performance of an action (e.g. visiting certain sections of our websites or sending information) is attributable to a specific advertisement. We also receive aggregated reports from the service providers on advertising activities and information on how users interact with our website and our adverts.

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. Some of the data processing can also be assessed as profiling (with or without high risk), to which your consent also extends. You can withdraw your consent at any time by rejecting or switching off the relevant cookies in the settings of your web browser (cf. section 16.2). Further options for blocking advertising can also be found in the information provided by the respective service provider, e.g. Google.

Google Ads

This website uses, as described in section 16.4.1, the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google) for online advertising. Google uses cookies (cf. the list here) and similar technologies and unique identifiers (in particular advertising IDs) that enable your browser to be recognised when you visit other websites. The information thus generated about your visit to these websites (including your IP address) is transferred to Google's servers in the USA, among others, and stored there (cf., in particular, the lack of an adequate level of data protection and the guarantees provided, section 20.3 and 20.4). Google will process the data by name in order to show you personalised advertising on Google services (e.g. the search engine). You can find more information on data protection at Google here.

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time by rejecting or switching off the relevant cookies in the settings of your web browser (cf. section 16.2). You can find further options for blocking advertising here.

Facebook pixel / Facebook custom audience

On our website, we use the so-called "Facebook Pixel" by the social network Facebook, which is operated by Meta Platforms Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Meta). With the help of the Facebook pixel, Facebook can determine the visitors to our website as a target group for the display of adverts (so-called Facebook ads). Accordingly, we use Facebook pixels to display Facebook ads placed by us only to those Facebook users who have also shown an interest in our website or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited) that we transmit to Facebook (so-called custom audiences). With the help of the Facebook pixel, we also want to ensure that our Facebook ads correspond to the potential interest of users and are not annoying. With the help of the Facebook pixel, we can also track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called conversion). The Facebook pixel is integrated directly by Facebook when you visit our website and can store a cookie on your device (cf. section 16.2). If you subsequently log in to Facebook or visit Facebook while logged in, the visit to our website will be noted in your profile. The data collected about you is anonymous to us, so it does not allow us to draw any conclusions about the identity of the user. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible. The data can therefore be used by Facebook for its own market research and advertising purposes. If we transmit data to Facebook for comparison purposes, it is encrypted locally on the browser and only then sent to Facebook via a secure https connection. This is done for the sole purpose of creating a comparison with the data encrypted in the same way by Facebook. Furthermore, when using the Facebook pixel, we use the additional function "extended comparison", whereby data for the creation of target groups (custom audiences or look-alike audiences) is transmitted to Facebook in encrypted form.

We also use the Facebook pixel for re-targeting purposes (cf. section 16.4.1). With the help of the Facebook pixel, we can track the Facebook adverts that you have seen when you visit our website, which subpages you visit and which products you add to your shopping cart. This information is used to offer you customised advertising on partner websites.

The processing of data by Facebook takes place within the framework of Facebook's Privacy Policy (https://www.facebook.com/about/privacy/update). You can also find specific information and details about the Facebook pixel and how it works in the Facebook help section. You can object to the collection by the Facebook pixel and use of your data to display Facebook ads or withdraw your consent. To set which types of adverts are displayed to you within Facebook, you can go to the page set up by Facebook and follow the instructions on the settings for usage-based advertising.

Based on your prior consent, we may also use data as part of a so-called customer match in the "advanced matching" function of Facebook custom audience. We transmit encrypted data (such as an e-mail address, phone number or other identification features) to Facebook, which compares this data with your existing data. If the comparison results in a match, this means that the user is also active on this third-party platform. Based on the matched customer data, a target group is created that enables us to target advertising campaigns to this target group, which leads to greater relevance and effectiveness of the advertising.

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future.

Teads

Our website uses the services of Teads S.A. (“Teads”), 5, rue de la Boucherie L-1247 Luxembourg,

a digital advertising company. Teads collects and processes certain information, including technical information such as IP addresses and device data, as well as usage data that includes clicks and interactions with ads. This information is used by Teads to deliver personalised advertisements that meet individual interests and to measure and optimise advertising campaigns. You can find more information about data protection at Teads here: https://privacy-policy.teads.com/

The legal basis for this data processing is your consent within the meaning of Art. 6 (1) (a) GDPR. You can revoke your consent at any time by rejecting or deactivating the relevant cookies in your browser settings (see section 16.2).

17. Embedding videos

You can access videos and webcams in various places on our websites. The videos are displayed by means of embedding (iFrame) or directly by linking to the websites of the following providers:

Google Ireland Limited Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (YouTube)

Seitz Phototechnik AG, Frauenfelderstrasse 26, 8512 Lustdorf, Switzerland (Seitz Phototechnik)

By clicking on the video, a connection is established with the servers of YouTube or Seitz Phototechnik. In the process, your browser may display the information described in section 16.1 (incl. IP address) to YouTube or Seitz Phototechnik. This may also result in data being transferred to servers abroad, e.g. in the USA (cf., in particular, the lack of an adequate level of data protection and the guarantees provided, section 20.3 and 20.4).

For the further processing of data by YouTube and Seitz Phototechnik, please note the following data protection provisions of the respective company:

18. Social media profiles

We have included links to our profiles in the social networks of the following providers on our website:

Meta Platforms Ireland Limited (Facebook, Instagram & WhatsApp), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Privacy Policy;

Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland, Privacy Policy;

Google Ireland Limited (YouTube) Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, Privacy Policy;

If you click on the social network icons, you will automatically be redirected to our profile in the respective network. This establishes a direct connection between your browser and the server of the respective social network. As a result, the network receives in particular the data described in the section on log files (section 16.1), i.e. in particular the information that you have visited our website with your IP address and clicked on the link. This may also result in data being transferred to servers abroad, e.g. in the USA (cf., in particular, the lack of an adequate level of data protection and the guarantees provided, section 20.3 and 20.4).

If you click on a link to a network while you are logged into your user account with the network in question, the content of our website can be linked to your profile so that the network can assign your visit to our website directly to your account. If you want to prevent this, you should log out before clicking on the relevant links. A connection between your access to our website and your user account takes place in any case if you log in to the respective network after clicking on the link. The respective provider is responsible under data protection law for the associated data processing. Therefore, please note the data protection information on the network's website.

The legal basis for any data processing attributed to us is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the use and advertising of our social media profiles.

19. Data Storage Location

Your data is generally stored in databases within Switzerland. However, in some cases listed in this privacy policy, the data will also be passed on to third parties based outside Switzerland. If the country in question does not have an adequate level of data protection, we ensure through contractual arrangements with these companies that your data is adequately protected by these companies.

20. Centralised data storage and analysis

If a clear assignment to your person is possible, we will store and link the data described in this Privacy Policy, i.e. in particular your personal details, your contacts, your contract data and your surfing behaviour on our websites, in a central database. This serves to efficient manage customer data, allows us to adequately process your requests and enables us to efficiently provide the services you require and process the associated contracts.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the efficient management of user data.

We also analyse this data to further develop our products and services in line with your needs and to provide you with information and offers that are as relevant as possible (cf. section 10) or to display them (cf. section 16.4.1). We also use methods that predict possible interests and future orders based on your use of our website. Some of these analyses can also be assessed as profiling (with or without high risk).

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in carrying out marketing activities.

21. Disclosure to third parties and transfer abroad

21.1 Shared responsibility in public transport

Unless otherwise stated, we are responsible for the data listed in this Privacy Policy. However, as a public transport company, we are obliged by law to provide certain transport services with other transport companies and associations (direct transport). For this purpose and for other purposes described in this data protection declaration, data is passed on at a national level within the so-called National Direct Transport (NDV), an association of over 240 transport companies (TU) and public transport associations. The individual TUs and networks are listed here.

The data is stored in the central database NOVA (network-wide public transport connection), which is managed by SBB on behalf of the NDV and for which we are responsible together with the other companies and associations of the NDV. NOVA is a technical platform for the sale of public transport services. It contains all the central elements for the sale of public transport services, such as the customer database. The scope of access to the shared databases by the individual transport companies and associations is governed by a joint agreement. The forwarding of data and its processing by the transport companies and associations in connection with centralised storage is limited to the following purposes:

Provision of transport service: To ensure that your journey runs smoothly, your travel and purchase details are forwarded within the NDV.
Contract processing: We process this data for the establishment, administration and processing of contractual relationships.
Maintaining customer relations and support: We process your data for purposes related to communication with you, in particular to respond to enquiries and assert your rights and to identify and provide you with the best possible support in the event of concerns or difficulties across public transport, as well as to process any claims for compensation.
Ticket control and revenue protection: Customer and season ticket data is required and processed to protect revenue (checking the validity of tickets or discount cards, debt collection, combating abuse). Incidents of travelling without a valid or partially valid ticket can be recorded via the national fare evasion register.
Revenue distribution: The Alliance SwissPass office, managed by ch-integral, fulfils the legal mandate defined in the Swiss Passenger Transport Act to collect travel data for the correct distribution of revenue (surveys on the use of public transport tickets). The office acts as the mandate holder for revenue distribution in national direct transport on behalf of the companies that are members of the NDV.
Identification as part of the authentication of the SwissPass login (SSO): For services that you purchase using the SwissPass login, the data is then stored in the central NOVA database. To enable single sign-on (SSO) (one login for all applications that offer use of your services with the SwissPass login), the login, card, customer and service data mentioned above are also exchanged between the central SwissPass login infrastructure and our company as part of the authentication process.
Joint marketing and market research activities: Furthermore, the data collected when purchasing public transport services is also processed for marketing purposes in certain cases. If you have given your consent and processing or contact is made with you for this purpose, this will generally only be carried out by the transport company or association from which you purchased the corresponding public transport service. Processing or contact by the other transport companies and networks participating in the NDV will only take place in exceptional cases and under strict conditions, and only if the evaluation of the data shows that a particular public transport service could provide added value for you as a customer. An exception to this is processing and contacting by SBB. SBB manages the marketing mandate for NDV services (e.g. GA card and half-fare card) on behalf of NDV and can contact you regularly in this role. We also process your data for market research, to improve our services and for product development.
Further development of public transport systems with anonymous data: We analyse your data anonymously to further develop the overall public transport system in line with your needs.
Customer information: For group trips, we will notify you via SMS about your group reservation and any delays or cancellations. You can decide for yourself whether you would like to receive these notifications when you book a group tour.

The legal basis for the data processing mentioned here is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

21.2 Disclosure to third parties and access by third parties

Without the support of other companies, we would not be able to provide our products and services in the desired form. For us to be able to use the services of these companies, it is also necessary to pass on your personal data to these companies to a certain extent. Your data will be passed on to selected third-party service providers and only to the extent necessary to optimise the provision of our services. Other third parties outside of public transport (cf. section 20.1), your personal data will only be passed on to SwissPass partners and companies that have been authorised by the public transport companies to broker public transport services based on a contractual agreement. These intermediaries will only have access to your personal data if you wish to obtain a public transport service through them and have given them your consent for access. Even in this case, they will only have access to your data to the extent necessary to determine whether you already have tickets or cards for the planned travel period that are relevant to your journey and the service you require from the third party. The legal basis for this data processing is therefore your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future (cf. section 23).

If you use offers from a SwissPass partner using your SwissPass, data about any services you have purchased from us (e.g. a GA card, half-fare card or regional travelcard) may be transmitted to the SwissPass partners in order to check whether you can benefit from a specific offer from the SwissPass partner (e.g. discount for GA card holders). In the event of loss, theft, misuse, counterfeiting or card replacement after the purchase of a service, the partner concerned will be informed. This data processing is necessary for the performance of the contract for the use of SwissPass within the meaning of Art. 6 para. 1 lit. b GDPR and is therefore based on this legal basis. Further information can be found in the privacy policy at www.swisspass.ch and in the privacy policy of the respective SwissPass partner.

Various third-party service providers are already explicitly mentioned in this Privacy Policy. These are the following service providers:

Skidata (Schweiz) GmbH, Soodstrasse 52, 8134 Adliswil, Switzerland (ticketing system for Shuttle Täsch - Zermatt). Further information about data processing in connection with Skidata (Schweiz) GmbH can be found here.
Datatrans AG, Kreuzbühlstrasse.26, 8008 Zurich, Switzerland (payment processing). Further information about data processing in connection with Datatrans AG can be found here.

The legal basis for these transfers is the necessity for the fulfilment of a contract within the meaning of Art. 6 para. 1 lit. b GDPR.

Your data will also be passed on if this is necessary to fulfil the services you have requested, e.g. to restaurants or providers of other services for which you have made a reservation through us. The legal basis for these transfers is the necessity for the fulfilment of a contract within the meaning of Art. 6 para. 1 lit. b GDPR. The third-party service providers are responsible for this data processing within the meaning of the Data Protection Act and not us. It is the responsibility of these third-party service providers to inform you about their own data processing – beyond the transfer of data for the provision of services – and to comply with data protection laws.

In addition, your data may be passed on to authorities, legal advisors or debt collection agencies, in particular if we are legally obliged to do so or if this is necessary to protect our rights, in particular to enforce claims arising from the relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof and such disclosure is required to carry out a due diligence review or to complete the transaction.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the protection of our rights and fulfilment of our obligations or the sale of our company or parts thereof.

21.3 Transfer of personal data abroad

We are authorised to transfer your personal data to third parties abroad if this is necessary to carry out the data processing mentioned in this Privacy Policy. Individual data transfers have been mentioned above (cf. in particular para. 16 and 17). It is self-understood that we strictly comply with the statutory provisions on the disclosure of personal data to third parties. The countries to which data is transferred include those that the Federal Council and the EU Commission have decided have an adequate level of data protection (such as the member states of the EEA or, from the EU's point of view, Switzerland), but also countries (such as the USA) whose level of data protection is not considered adequate (cf. Annex 1 of the General Data Protection Regulation (GDPR) and the EU Commission's website). If the country in question does not have an adequate level of data protection, we ensure that your data is adequately protected by these companies through appropriate guarantees, unless an exception is specified for individual data processing (cf. Art. 49 GDPR). Unless otherwise stated, these are the choice of companies that are certified under the Privacy Framework Agreement or standard contractual clauses within the meaning of Art. 46 para. 2 lit. c GDPR, which can be found on the websites of the Federal Data Protection and Information Commissioner (FDPIC) and the EU Commission. If you have any questions regarding the measures taken, please get in touch with our contact person for data protection (cf. section 3).

21.4 Information on data transfers to the USA

Some of the third-party service providers mentioned in this Privacy Policy are based in the USA. For the sake of completeness, we would like to point out to users residing or domiciled in Switzerland or the EU that there are surveillance measures in place in the USA by US authorities that generally allow the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the USA. This is done without differentiation, restriction or exception based on the objective pursued and without an objective criterion that makes it possible to restrict the US authorities' access to the data and its subsequent use to very specific, strictly limited purposes that justify the interference associated with both access to this data and its use. Furthermore, we would like to point out that in the USA there are no legal remedies or effective legal protection for data subjects from Switzerland or the EU against general access rights of US authorities that allow them to obtain access to the data concerning them and to obtain its correction or deletion. We explicitly draw your attention to this legal and factual situation to enable you to make an appropriately informed decision to consent to or object to the use of your data.

We would also like to point out to users residing in Switzerland or a member state of the EU that the USA does not have an adequate level of data protection from the perspective of the European Union and Switzerland – partly due to the explanations in this section. Insofar as we have explained in this Privacy Policy that recipients of data (such as Google) are based in the USA, we will ensure that your data is adequately protected by our third-party service providers by selecting companies that are certified under the Privacy Framework Agreement or by contractual arrangements with these companies and, if required, additional appropriate safeguards.

22. Retention periods

We only store personal data for as long as is necessary to carry out the processing described in this Privacy Policy within the scope of our legitimate interest. For contractual data, storage is prescribed by statutory retention obligations. Requirements that oblige us to retain data result from accounting and tax regulations. According to these regulations, business communication, concluded contracts and accounting documents must be stored for up to 10 years. Once we no longer require this data to provide the services, the data will be blocked. This means that the data may then only be used for the fulfilment of retention obligations or for the defence and enforcement of our legal interests. The data will be deleted as soon as there is no longer an obligation to retain it and there is no longer a legitimate interest in retaining it.

23. Data security

We use suitable technical and organisational security measures to protect your personal data stored by us against loss and unlawful processing, in particular unauthorised access by third parties. Our employees and the service companies commissioned by us are obliged by us to maintain confidentiality and to comply with data protection regulations. Furthermore, these persons are only granted access to personal data to the extent necessary to fulfil their tasks.

Our security measures are continuously adapted in line with technological developments. However, the transmission of information via the internet and electronic means of communication always harbours certain security risks and therefore we provide no absolute guarantee for the security of information transmitted in this way.

24. Your rights

Provided that the legal requirements are met, you have the following rights as a data subject affected by data processing:

Right to information: You have the right to request access to your personal data stored by us at any time free of charge when we process it. This gives you the opportunity to check what personal data we process about you and whether we process it pursuant to the applicable data protection regulations.

Right to rectification: You have the right to have incorrect or incomplete personal data rectified and to be informed of the rectification. In this case, we will also inform the recipients of the data concerned about the adjustments we have made, unless this is impossible or involves disproportionate effort.
Right to deletion: You have the right to have your personal data deleted under certain circumstances. In individual cases, particularly in the case of statutory retention obligations, the right to deletion may be excluded. In this case, the data may be blocked instead of deleted if the conditions are met.
Right to restriction of processing: You have the right to request that the processing of your personal data be restricted.
Right to data portability: You have the right to receive from us, free of charge, the personal data that you have provided to us in a readable format.
Right to object: You can object to data processing at any time, particularly in the case of data processing in connection with direct marketing (e.g. marketing e-mails).
Right of revocation: In principle, you have the right to revoke your consent at any time. However, processing activities based on your consent in the past are not rendered unlawful by your revocation.

To exercise these rights, please send us an e-mail to the following address: datenschutz@mgbahn.ch

If you would like information regarding or deletion of your personal data under public transport data protection law, you can contact SBB in writing. The request for information or deletion should be sent to the following address: SBB AG, Legal & Compliance, Data Protection Office, Hilfikerstrasse 1, 3000 Bern 65.

Right to lodge a complaint: You have the right to lodge a complaint with a competent supervisory authority, e.g. against the way in which we process your personal data.

Status 10.02.2025