1.4 Tracking tools

1.4.1 Google Analytics

For the purposes of needs-based design and the continuous optimisation of our pages, we use the web analysis service Google Analytics provided by Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. In this respect, pseudonymised user profiles are created and small text files (“cookies”) stored on your computer and used. Information generated by the cookie about your use of this website, such as 

• the browser type/version
• the operating system used
• the referrer URL (previous page visited)
• the host name of the accessing computer (IP address)
• the time of the server request, and
• the device

is sent to the servers of Google Inc., a company of the holding company Alphabet Inc., in the US and stored there. Before this data is transmitted to locations within the member states of the European Union or other states that are party to the agreement on the European Economic Area and Switzerland, the IP address is truncated through this website’s IP anonymisation process (“anonymizeIP”). Google will not associate the anonymised IP address transmitted by your browser through Google Analytics with any other data held by Google. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. In cases such as these, we use contractual guarantees to ensure that Google Inc. maintains an adequate level of data privacy. 

The information is used to analyse use of the website, to compile reports about website activities and to provide us with further services relating to website and Internet use for the purposes of market research and needs-based design for these websites. This information too may be forwarded to third parties where required by law or if third parties have been commissioned to process this data. Under the terms of Google Inc., under no circumstances will the IP address be used in connection with other data relating to the user. 

Users can prevent Google from collecting and processing the data generated by the cookie relating to their use of the website (including their IP address) by downloading and installing the browser plug-in from the following link: 

https://tools.google.com/dlpage/gaoptout?hl=en& 

For the sake of completeness, we must point out that as part of their legislation, the US authorities are able to undertake surveillance measures under which the universal storage of all data sent from the European Union to the US is possible. This takes place without distinction, limitation or exception, on the basis of the objective pursued and without objective criteria that would allow it to limit access by US authorities to personal data and its subsequent use to specific, strictly limited purposes that justify access to this data. 

For users residing in EU member states, please note that, from the point of view of the European Union, the US does not have sufficient data protection levels due to, amongst other things, the issues mentioned in this section. Insofar as we have explained in this privacy policy that recipients of data (such as Google) are based in the US, we will use contractual arrangements with these companies to ensure that your data is afforded an appropriate level of protection by our partners.

This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above. 

1.5 Re-targeting and other marketing processes

1.5.1 Google Retargeting

We use retargeting technologies on our website. Your user behaviour on our website is analysed to enable partner websites to offer you advertising individually tailored to your preferences. Your user behaviour will be recorded under a pseudonym. 

Most retargeting technologies use cookies (see section 1.3 above).

This website uses Doubleclick by Google, services provided by Google Inc. (“Google”) to display ads based on your use of previously visited websites. For this purpose, Google uses the so-called double-click cookie, which allows your browser to be recognised when you visit other websites. The information generated by the cookie about your visit to these websites (including your IP address) is transmitted to a Google server in the United States and stored there (more information on transfers of personal data to the USA can be found in section 1.4.1 above).

Google will use this information for the purpose of evaluating your use of the website in terms of the advertisements to be displayed, to compile reports for the website operator on website activities and ads, and to perform other services associated with website and Internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. However, Google will never associate your IP address with other Google data.

You can prevent this retargeting at any time by rejecting or deactivating the relevant cookies in the menu bar of your web browser (see section 1.3 above).

This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.

1.5.3 Facebook Custom Audience

To promote interest-based advertisements to visitors to our website while visiting Facebook, we use “Custom Audiences Pixel” provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). We have implemented a Facebook pixel on our website, which connects directly to the Facebook servers when you visit our website. The information that you have visited our website is transmitted to the Facebook server and Facebook assigns this information to your personal Facebook user account. For more information on the collection and use of data by Facebook, your rights in this regard and how you can protect your privacy, please see Facebook’s privacy policy here.

If you wish to reject the connection with Facebook described above, simply block or deactivate the relevant pixels in your browser (see section 1.3 above). 

This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.

1.5.4 Campaign-related pixels and cookies

In some marketing campaigns, which each run for a few weeks only, we use pixels or cookies of various providers such as Adello or Tradedoubler. We use these pixels or cookies for retargeting purposes, i.e. we install a cookie that helps us to display on your computer advertising communications on the respective campaign on partner websites. You can prevent this retargeting at any time by deactivating the relevant pixels and cookies (see section 1.3 above).

This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.

1.6 Social media functions 

1.6.1 Links to our social media pages

Our website contains links to our social media profiles on the following social media networks:

• Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA,
• Twitter Inc.,1355 Market Street, Suite 900, San Francisco, CA 94103, USA
• Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025
• YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA

If you click on icons of the respective social networks, you are automatically forwarded to our profile page on the respective network. To be able to use the functions of the respective network, you may have to log in to your user account there. 

If you click on a link to one of our social media profiles, a direct connection is established between your browser and the server of the respective social network. By doing so, the network will be notified that you visited our website with your IP address, and clicked on the link. If you click on a link to a network while being logged in to your account on the respective network, the content of our site can be linked to your profile on the network, which means that the network can directly link your visit to our website with your user account. If you want to prevent this, you will need to log out of your account before clicking on the respective links. Linking of the information will definitely occur if you log in to the respective network after clicking on the link.

1.6.2 Yawave share buttons (only www.rhb.ch)

We have integrated social media share buttons provided by yawave, Sälihügel 1, CH-6005 Lucerne in our website. You will recognise the button in the form of a Facebook, Twitter, Whatsapp or e-mail icon. When you click on one of the corresponding buttons, an input mask will appear in which you can enter a message. The moment you click on the “Share” button, you will be relayed to the login page of the corresponding social media platform (Facebook and Twitter). You will then need to log in to your account in order to share your message. You can prevent this flow of information to the relevant social media network by not logging in (and not clicking on “Share”). If you visit our website while already logged in to a social media account, the data will be exchanged the moment you click on “Share”. 

The personal data you enter will be processed by yawave. You will find more information on this subject here.

Data processing for the above purpose is founded on the consent – within the meaning of Art. 6 para. 1 lit. a of the GDPR – you give us when you click on the button, enter your message in the mask, and log in to your social media account after clicking on “Share”. 

Please note that sharing information by e-mail and Whatsapp is permissible only if you have received the consent of the message recipient to process his/her e-mail address or Whatsapp identification number for this purpose. By entering the e-mail address or sharing via Whatsapp, you ensure that this is the case. 

1.7 E-Recruiting (only www.rhb.ch)

By submitting your personal data, you agree to the processing and storage of this data in accordance with the conditions set out below. Your data will only be disclosed to third parties with your express permission. Our company accepts no liability for damages arising from data transmission via the Internet.

Within the scope of e-recruiting, we use smahrt consulting AG’s “Talentsoft” tool/applicant portal. Smahrt consulting AG is a company based in Zurich. 

1.7.1 Applying for a job vacancy / speculative application

By applying for a job vacancy or submitting a speculative application, you consent to us collecting your personal data and using it for application/recruitment purposes.

We collect and process the following data: title, first name and surname, postal address, mobile number, e-mail address, date of birth (hereinafter referred to as “data”).

The data transmitted to us during the job application process will be permanently deleted as soon as it is clear that the position advertised has been filled. 

The data transmitted to us upon submitting a speculative application will be stored for a period of six months. At the end of this period, you will receive an e-mail requesting you to confirm your data. If you do not respond to this request within ten days, your data will be permanently deleted.

2. Data processing outside the website

2.1 Processing customer details

We also collect customer data outside our website environment, e.g. when you make a purchase at one of our sales desks. The following data, in particular, is collected:

• Title

• First name

• Last name

• Date of birth

• Address

• Postal code

• Town/city

• Country

• Telephone

• E-mail

• Details in connection with the payment (depending on the chosen payment method).

The legal basis for processing the data in the above case is the performance of a contract pursuant to Art. 6 para. 1 lit. b of the GDPR. 

2.2 Processing the data of business partners / suppliers 

In the context of our relations with business partners / suppliers, we collect the details of the relevant contact persons at these companies. We collect the following data, in particular, on each of our business partners / suppliers:  

• Company name

• Company address, postal code, town/city

• First and last name of the contact

• Business phone number of the contact

• E-mail address of the contact

• Function and title of the contact (where available)

• Terms and conditions of contract

• History of the customer relationship

• E-mail for customer information bulletins

• Preferred means of payment

• Preferred currencies

The legal basis for processing the data in the above case is the performance of a contract pursuant to Art. 6 para. 1 lit. b of the GDPR. 

3. Shared responsibility in general and in public transport in particular

Rhätische Bahn AG is responsible for processing your data. As a public transport service provider/partner, we have a legal obligation to collaborate with other transport operators and partners in the provision of certain passenger transport services ("Direct Service"). 

For this purpose, and for other purposes described in this data privacy statement, we share data at national level within the "National Direct Service" (NDS), an association of over 240 transport operators and public transport partner companies. The individual TSPs and partners are listed here [link: https://www.allianceswisspass.ch/de/Themen/Datenschutz/Uebersicht-Transportunternehmen-und-Verbuende]. Data acquired from customers who purchase services or supply contact details are stored in a central database which is managed by SBB on behalf of NDS and for which we are jointly responsible with the other NDS companies and partners (the DS database). 

When services are purchased by customers using the SwissPass login, the data is stored in another central database (the SwissPass database) for which we are jointly responsible with the TSP and the NDS community. This database is again managed by SBB on behalf of NDS. To improve service efficiency and streamline the working relationship between the companies involved, data from the different databases may be merged. To enable single sign-on (SSO, a system that enables SwissPass users to access multiple services with a single login), we share login details and card, customer and service data with the central SwissPass login infrastructure during the authentication process. 

Access by individual TSPs and partners to the shared databases is regulated and limited by a contractual agreement. Sharing and processing by other TSPs and NDS partners using the central database is normally limited to contract processing, ticket control, after-sales service and revenue distribution. Data collected during purchase transactions for NDS services [link: https://www.allianceswisspass.ch/de/Themen/Datenschutz/Uebersicht-Sortiment] is also used for marketing purposes in certain cases. These include analysing the data to improve and promote public transport services in line with customer needs. If your data is processed or if you are contacted for this purpose, this will normally be done only by the TSP or partner from whom you purchased the NDS service. The other TSPs and partner companies associated with NDS will only process your data or contact you in exceptional circumstances and under strict conditions, and only if an analysis of the data shows that a particular public transport service would be beneficial for you as a customer. Contact and processing by SBB is an exception to this rule. SBB undertakes the marketing for NDS services (such as GA and half-fare travelcards) on behalf of NDS and may contact you at regular intervals in connection with these services. 

Our legitimate interest forms the legal basis for processing this data.

4. General provisions

4.1 Forwarding of data to third parties

We forward your personal data only if you have explicitly consented, if there is a legal obligation to do so or if this is necessary to assert our rights, in particular to assert claims arising from the contractual relationship. 

Furthermore, we forward your data to third parties where this is necessary within the scope of the use of the website and performance of the contract, i.e. when providing you with the services you have ordered or in order to analyse your user behaviour. The use by third parties of this shared data is strictly limited to the stated purposes. 

Various third-party service providers are explicitly mentioned in this data privacy policy (for example in the sections “When booking services”, “Tracking tools”, “Retargeting”, and “Newsletter”).

A service provider to whom personal data collected on the website is forwarded, or who has or could have access to personal data, is our website hosting company Unic AG Zürich, Baslerstrasse 60, CH-8048 Zurich. The website is hosted on servers in Switzerland. The data is shared for the purpose of providing and maintaining the functions of our website. This constitutes our legitimate interest within the meaning of Art. 6 para. 1 lit. f of the GDPR.

4.2 Transfer of personal data abroad

We are permitted to forward your data to third-party companies abroad if this is necessary in connection with the processing of your requests, to provide services and for marketing campaigns. These third-party companies are obliged to respect user privacy to the same extent as we do ourselves. If, in a certain country, the level of data protection is deemed inappropriate by Swiss standards or according to the provisions of the EU General Data Protection Regulation (GDPR), we will ensure by contractual means that your personal data is protected at all times in accordance with Swiss guidelines and/or the GDPR.

Various third-party service providers and the addresses of their head offices have already been mentioned in the section above (“Forwarding of data to third parties"). Some of the third-party service providers mentioned in this privacy policy have their place of residence in the USA (see “Tracking tools”, “Re-targeting”). Further details on the transfer of data to the USA can be found in the section “Tracking tools”.

4.3 Right of access, rectification, erasure and restriction of processing; right of data portability; right to complain to a supervisory authority

You have the right to obtain information – on request and free of charge – on the personal data that we store about you. In addition, you have the right to have inaccurate data corrected and the right to have your personal data deleted, as long as there are no legal retention obligations or acts of permission allowing us to process such data. 

Persons living in the EU are also entitled to demand the release of any data submitted to us (right of data portability). On request, we will also forward the data to a third party of your choice. You are entitled to receive the released data in a common file format. This right does not apply to persons living in Switzerland.  

For the aforementioned purposes, you can contact us at the e-mail address datenschutz(at)rhb.ch. We may, at our discretion, require proof of identity to process your request.

Furthermore, you are entitled to submit a complaint to a data protection authority at any time.

4.4 Storage of data

We store personal data only for as long as necessary in order to use the above-mentioned tracking services within the scope of our legitimate interest. Contract data is stored for longer periods as this is required by statutory obligations governing data retention. Requirements obliging us to retain data arise from accounting and tax regulations. According to these regulations, business communications, concluded contracts and accounting documents must be kept for up to 10 years. As and when we no longer need this data to perform our services for you, we will block the data. This means that the data may then be used only for accounting and for tax purposes.

4.5 Data security

We take appropriate technical and organisational security measures in order to protect your stored data from being manipulated, fully or partially lost, or accessed by unauthorised third parties. Our security measures are continuously adapted in line with the latest technological developments.

We also take our own internal data privacy very seriously. Our employees and the service providers we commission are obliged to maintain secrecy and to comply with the provisions of the data protection laws. Moreover, they are granted access to personal data only insofar as this is necessary.

4.6 Contact

If you have any questions about data privacy on our website, would like to receive information, or would like to have your data erased, please contact us by sending an e-mail to datenschutz(at)rhb.ch.

Please direct any correspondence to the following address:

Rhätische Bahn AG
Data Privacy Officer 
Bahnhofstrasse 25
7001 Chur

We have a data protection representative in the EU who serves as a point of contact for supervisory authorities and data subjects in accordance with Art. 27 GDPR:

VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Deutschland
info(at)datenschutzpartner.eu