Data privacy

 

DATA PRIVACY STATEMENT


This privacy statement applies to www.cgn.ch.

 

It explains what type of data we collect from you, why we need this data and how you can object to it being processed.

 

 

PUBLIC TRANSPORT OPERATORS TREAT CUSTOMER DATA CONFIDENTIALLY

 

As a public transport operator, protecting your personal data and personal privacy is important to us. We guarantee to process your personal data in compliance with the requirements of data protection legislation.

 

Public transport operators show that they take responsibility for the protection and confidential handling of your data by applying the following principles :

 

You decide how your personal data will be processed.

The law says that you can refuse at any time to allow your data to be processed, withdraw your consent to its collection and processing or ask for your data to be deleted. You always have the option to travel anonymously, in other words without your personal data being collected.

 

We offer you added value when we process your data.

Public transport operators use your data exclusively to provide you with a service and to offer you added value throughout the mobility chain (such as personalised offers and information, support, or compensation for disruptions in service). We will therefore use your data only to help us develop, deliver, optimise and evaluate our services or to improve customer relations.

 

We will not sell your data.

Your data will only be disclosed to the carefully selected third parties listed in this privacy statement and only for the purposes explicitly identified. If we ask third parties to process your data, they will be required to comply with our data privacy standards.

 

We guarantee the security and protection of your data.

Public transport operators guarantee to handle customer data with care and to keep it safe and secure. We have put in place appropriate organisational and technical measures to safeguard your data.

 

Please see below for more detailed information on how we handle your data :

 

WHO IS RESPONSIBLE FOR DATA PROCESSING?

 

CGN SA is responsible for processing your data. As a public transport, we are obliged by law to provide what is known as Direct Services (DS). To do this, the transport service providers (TSPs) and their partners, and the third parties who sell public transport products share certain data, which they store centrally in databases operated jointly by all the public transport service providers and their partners. We are therefore responsible for processing data jointly with these TSPs and partners. You will find further information on how we process your data in the section "What does shared responsibility mean in public transport?".

 

If you have any questions or suggestions about data privacy, please feel free to get in touch with the following contact person à Privacy, CGN SA, Avenue Rhodanie 17, 1001 Lausanne or by Email à privacy@cgn.ch at any time

 

 

WHY DO WE COLLECT PERSONAL DATA?

 

We understand how important it is to you that we handle your personal data with care. We only process data for specific purposes. The reasons for processing your data may be, for example, technical, contractual, legal, or there may be overriding interests – that is, legitimate reasons – or you have given us your express consent to do so. We collect, store and process personal data when necessary, for example, to manage customer relations; to sell our products and provide our services; to process orders, contracts, sales and invoices; to respond to questions and requests; to supply information on and to market our products and services; to provide support on technical issues; and to evaluate and improve our products and services. For more detailed information on the data we collect and what we use if for, please read the sections below.

 

 

WHAT DATA DO WE STORE AND WHAT DO WE USE IT FOR?

 

  • 1. When selling our services

For contractual reasons, when you place an online order or purchase certain products and services, we need your personal information so that we can provide our services and manage our contractual relationship with you.  When you buy a season ticket, for example, or one-way ticket.

 

Depending on the product or service, when you purchase personalised services we collect the following data (the mandatory information in the order form is marked with an asterisk (*)).

  • Personal photo
  • Gender, name, email address of the purchaser/passenger
  • Other information such as postal address, date of birth
  • Phone number
  • Means/method of payment
  • Consent to our general terms and conditions

To help us administer the contractual relationship, we also collect data on the services you have purchased ("service data"). This includes – depending on the product or service – the following information.

  • Type of product or service purchased
  • Price
  • Place, date and time of purchase
  • Sales channel (internet, vending machine, ticket counter, etc.)
  • Date of travel or period of validity and time of departure
  • Place of departure and destination

The legal basis for processing this data is that it is necessary for the performance of the contract.

 

The data generated when services are purchased is stored in a central database (see the section on shared responsibility in public transport). It is also processed for other purposes, including marketing and market research (please refer to the relevant sections of this privacy statement for further information). The data is also used for ticket control, to identify the bearer of a personalised ticket, and to prevent misuse. The information is also used to help our after-sales service to identify and assist you with any problems or difficulties you may have and to process any claims for compensation. Lastly, the data is used to distribute the revenue generated by ticket purchases equitably among Direct Service companies and partners. The legal basis for processing this data is our legitimate interest.

 

 

When you visit our website, our hosting provider's servers temporarily record each access in a log file and collect the following technical information.

  • The IP address of your computer
  • The date and time of access
  • The URL of the linking web page with, if applicable, the search term used
  • The name and URL of the files accessed
  • The search queries carried out (timetable, general search on website, products, etc.)
  • Your computer's operating system (provided by the user agent)
  • The browser you are using (provided by the user agent)
  • The type of device, if access is via a mobile phone
  • The communications protocol used

This data is collected and processed to assist with system security and stability, for error and performance analysis and for internal statistical purposes, enabling us to optimise the performance of our website. It also helps us to configure our website to better meet the needs of our target group by offering specific content and information that may be of interest to them.

 

The IP address is also used to detect the user's preferred language. The information is also analysed, along with other data, for investigation and defence purposes in the event of an attack on the network infrastructure or other unauthorised or abusive use of the website. In the event of a criminal investigation into an attack, the information can identify the users involved and can be used to bring civil or criminal proceedings against them.

 

Lastly, when you visit our website we use cookies along with applications and tools that use cookies to function. For more information, please refer to the sections in this privacy statement on cookies, tracking tools, advertisements and social plug-ins.

 

The legal basis for processing this data is our legitimate interest.

 

We assume no liability for the non-compliance with data protection regulations of any third-party websites linked to our website.

 

 

  • 3. When using a contact form

You have the option of contacting us via a contact form. To use this form, you need to provide the following personal information.

  • Last name and first name
  • Email address

We use this and other freely entered information (such as your title, address, telephone number and company) solely to respond to your contact request personally and efficiently. Any additional voluntary information you provide about how you learned about our offer will be used for internal statistical purposes. Our legal basis for processing this data is our legitimate interest or, if you supply your contact details in order to enter into a contract, our legal basis is the implementation of the pre-contractual measures you have requested.

 

When you place an order with us, you have the option of registering for a customer account. For this, we collect the following personal data (when opening a customer account, the mandatory information is marked with an asterisk (*)).

  • Email address (*)
  • Password (*)
  • Consent to our general terms and conditions (*)

We collect this information to help you keep track of your orders and the contracts you have concluded. You have therefore given us your consent to carry out these data processing operations. This is our legal basis for processing your personal data. You can withdraw your consent at any time with future effect (see Section 2.8). If you link your customer account to a SwissPass account, any changes to your personal data (a change of address, for example) and the details of the services you have purchased are automatically updated and appear in both accounts. Please note also the following information about the processing of your data in connection with your SwissPass account.

 

 

You have the opportunity to create a customer account on swisspass.ch. To do this, we need the following information from you:

  • Last name and first name
  • Date of birth
  • Address (street, postcode, city and country)
  • Customer number (if you are an existing public transport season ticket holder)
  • Email address and password (login data)

When you register, we authorise you to access the numerous online services (webshops and apps) of public transport operators and partners using the login data (the "SwissPass-login") and to purchase these services without having to repeat the time-consuming registration process. Any services you purchase using your SwissPass login (especially public transport tickets/season tickets) are recorded in your customer account and in a central database ("DS database"). We need to process your data in order to fulfil the contract on the use of the SwissPass, and this is therefore the lawful basis for processing your data. You will find further information on this topic in the sections in this data privacy statement on shared responsibility in public transport and on sharing data with third parties and in the data privacy statement on swisspass.ch

 

 

HOW LONG WILL YOUR DATA BE KEPT FOR?

 

We store personal data for only as long as we need it :

  • to provide the services described in this data privacy statement that you have requested or for which you have given your consent;
  • to use the tracking services described in this data privacy statement within the scope of our legitimate interest.

We are required to retain contract data for longer to meet our legal retention obligations. We may also be under an obligation to retain your data to satisfy legal or accounting requirements. Once we are no longer required to keep this data to provide services to you, we will restrict access to the data. This means that the data may then only be used to fulfil our storage obligations.

 

 

WHERE IS THE DATA STORED?

 

As a rule, your data is stored in databases in Switzerland. However, in some cases explained in this data privacy statement, the data may also be passed on to third parties located outside Switzerland. If the country concerned does not have an adequate level of data protection, we make sure that these companies protect your data appropriately, either through contractual arrangements with these companies or by ensuring that the companies are certified under the CH/EU-US Privacy Shield.

 

 

WHAT DATA IS PROCESSED FOR MARKETING PURPOSES?

 

Unless you object, we use for marketing purposes your customer data (name, gender, date of birth, address, customer number, email address), your service data (data on services purchased such as season tickets or one-way tickets) and your click behaviour on our website or in emails you have received from us. For information on how we evaluate click behaviour, please also refer to the section on tracking tools.

 

We evaluate this data to help us provide better products and services for our customers and to help us send you or show you (via email, letter, text, push notifications in the app, personalised teasers on the web, and in person at the counter) information and offers that are relevant to you. For this, we use only data that we can explicitly associate with you, for example because you have registered or identified yourself on our website with your SwissPass login and purchased a ticket.

 

We also use methods that predict possible future purchasing behaviour based on your current purchasing behaviour. The legal basis for processing this data is our legitimate interest. In certain cases, under strict conditions SBB or another company involved in Direct Service may also contact you. Please read the information in the section "shared responsibility in public transport".

 

You can refuse to accept communications from us, SBB (in connection with your GA or half-fare travelcard, for example) or other public transport operators at any time. The following options are available to you:

  • Each email you receive from us or other public transport operators contains an unsubscribe link that you can click to unsubscribe from further messages.
  • If you have a SwissPass login, you can log on to www.swisspass.ch at any time to manage the message settings in your user account.
  • You can also subscribe or unsubscribe at any ticket counter or by email at privacy@cgn.ch.

Please also refer to the information in the section on tracking tools on your right to object in connection with the evaluation of click behaviour.

 

 

WHAT DATA IS PROCESSED FOR MARKET RESEARCH PURPOSES?

 

To continuously improve the quality of our services and offers, we regularly conduct market research. We may therefore use your contact information to invite you to participate in an online survey.

 

 

WHAT RIGHTS DO YOU HAVE OVER YOUR PERSONAL DATA?

 

You have the following rights over your personal data.

  • You can request information about your stored personal data.
  • You can request that your personal data be corrected, supplemented, blocked or deleted. Your data will be blocked rather than deleted if there are legal obstacles to its deletion (e.g. legal storage obligations).
  • If you have set up a customer account, you can delete the account or ask for it to be deleted.
  • You can object to the use of your data for marketing purposes.
  • You can withdraw your consent at any time with future effect.
  • You can ask for your data to be transferred to a third party.

To exercise your rights, you need only inform us by post to Privacy, CGN SA, Avenue de Rhodanie 17, 1001 Lausanne or by Email at: privacy@cgn.ch.

 

You also have the right to complain to a data protection authority at any time.

 

 

WHAT DOES "SHARED RESPONSIBILITY IN PUBLIC TRANSPORT MEAN"?

 

CGN SA is responsible for processing your data. As a public transport service provider/partner, we have a legal obligation to collaborate with other transport operators and partners in the provision of certain passenger transport services ("Direct Service").

 

For this purpose and other purposes described in this data privacy statement, we share data at national level within "National Direct Service" (NDS), an association of over 240 transport operators and public transport partner companies. The individual TSPs and partners are listed here. Data acquired from customers who purchase services or supply contact details are stored in a central database which is managed by SBB on behalf of NDS and for which we are jointly responsible with the other NDS companies and partners (the DS database).

 

When services are purchased by customers using their SwissPass login, the data is stored in another central database (the SwissPass database), for which we are jointly responsible with the TSP and the NDS community. The database is managed by SBB on behalf of NDS. To improve service efficiency and streamline the working relationship between the companies involved, the data from the different databases may be merged. To enable single sign-on (SSO) (a system that enables SwissPass users to access multiple services with just one login), we share login, card, customer and service data with the central SwissPass login infrastructure during the authentication process.

 

Access by individual TUs and partners to the shared databases is regulated and limited by a contractual agreement. The sharing and processing by the other TSPs and NDS partners who use the central database is normally limited to contract processing, ticket control, after-sales service and revenue distribution. In certain cases, the data collected during purchase transactions for NDS services is also used for marketing purposes. These include analysing the data to improve and promote public transport services in line with customer needs. The other TSPs and partner companies associated with NDS will contact you only in exceptional circumstances and under strict conditions, and only if an analysis of the data shows that a particular public transport service would be beneficial for you as a customer. Contact by SBB is the one exception to this rule. SBB handles the marketing of NDS services (such as GA and half-fare travelcards) on behalf of NDS and may contact you at regular intervals in connection with these services.

 

Our legitimate interest forms the legal basis for processing the data described here.

 

 

WILL YOUR DATA BE SHARED WITH THIRD PARTIES?

 

We will not sell your data. We will share your personal data only with selected service providers and only to the extent necessary to provide our service. These service providers are IT support providers, issuers of season tickets, delivery service providers (such as Swiss Post), service providers commissioned to distribute the income from fares among the transport operators involved (in particular for the purpose of calculating the distribution model in accordance with the Swiss law (PBG) governing the carriage of passengers), our hosting provider (see the section titled "Use of website") and the providers mentioned in the sections on tracking tools, social plug-ins and advertisements. Please refer to the section "Where is your data stored?" for more information on service providers domiciled abroad. Your data may also be shared if we are legally obliged to do so or if it is necessary to safeguard our rights, in particular to enforce claims arising from our relationship with you.

 

If you book a cross-border journey, your data will be shared with the foreign companies providing this service. However, the personal data shared will be limited to what is needed to check the validity of the tickets and to prevent misuse.

 

Our legitimate interest forms the legal basis for processing this data.

 

Your personal data will not be disclosed to third parties outside the public transport industry. The only exceptions to this are (to the extent described below) SwissPass partners and companies authorised by public transport operators to sell public transport services on the basis of a contractual agreement. These sellers will be given access to your personal data only if you wish to obtain a public transport service through them and you have given them your consent to use your data.

 

Even under these circumstances, they will be able to access your data only for the purpose of determining whether you already have tickets or season tickets for the period during which you intend to travel that are valid for your journey or for the service you have asked the third party to provide. The legal basis for processing this data is therefore your consent. You can withdraw your consent at any time with future effect (see Section 2.8).

 

If you use your SwissPass to obtain services from a SwissPass partner, personal data on any services you have purchased from us (such as a GA travelcard, half-fare travelcard or season ticket) may be shared with our SwissPass partners in order to ascertain whether you could benefit from a specific offer from the SwissPass partner (such as a discount for GA card holders). If your ticket is lost, stolen, misused, falsified or replaced after a service has been purchased, the partner concerned will be informed. We need to process your data so that we can fulfil the contract on the use of the SwissPass and this is therefore the lawful basis for processing. You will find further information on this in the data privacy statement on swisspass.ch and in the data privacy statement of the SwissPass partner concerned.

 

 

HOW ARE TRACKING TOOLS USED?

 

We use the web analysis services Google to help us configure and continuously optimise our website, apps and emails according to need. Our legitimate interest forms the legal basis for the data processing described below.

 

  • Website tracking

When you visit our website, we create a pseudonymised user profile and save small text files ("cookies") on your computer (see below "What are cookies and when are they used?"). The information generated by these cookies about how you use our website is sent to the servers of the companies who provide these services, where it is stored and processed for us. In addition to the data listed above (see "What data is processed when you use our website?"), through this we obtain the following information.

  • The visitor's navigation path through the website.
  • The time spent on the website or subpage.
  • The subpage from which the visitor leaves the website.
  • The user's access location (country, region or city).
  • The accessing device (type, version, colour depth, resolution, width and height of the browser window).
  • Whether the visitor is a returning or new visitor.
  • The browser type/version.
  • The operating system used.
  • The referrer URL (the previously visited website).
  • The hostname of the accessing computer (IP address).
  • The time of the server request.

This information is used to evaluate how our website is being used.

 

Tracking when sending emails

 

When sending emails, we make use of email marketing services provided by third parties. Our emails may therefore contain a web beacon (tracking pixel) or similar technology. A web beacon is an invisible 1x1-pixel image that is associated with the user ID of the particular email subscriber.

 

For each newsletter we send, we have information on the address file used, the email subject and the number of newsletters sent. In addition, we can see which addresses have not yet received the newsletter, which addresses it has been sent to, and the addresses to which delivery was unsuccessful. We can also see the open rate, including information on which addresses have opened the newsletter and which addresses have unsubscribed from the newsletter distribution list.

 

We make use of specialist services to enable us to evaluate the above information. These also allow us to also record and evaluate click behaviour. We use this data for statistical purposes and to optimise the content of our messages. This allows us to tailor our email content and our offers so that they are more likely to be of interest to the recipients. The pixel image is deleted when you delete the email.

 

If you wish to prevent the use of web beacons in our emails, please set your email program to disable display of messages in HTML format, if this is not already the default setting. You will find instructions for doing this here.

 

Below is more information about our tracking toolsi.

 

Google Analytics

Our website uses Google Analytics, a web analysis service provided by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA and Google Ireland Limited, Gordon House Barrow St, Dublin 4, Ireland. To enable it to analyse website usage, Google Analytics uses technologies such as cookies (see below, "What are cookies and when are they used?"). The information generated by a cookie about your use of this website, as explained above, is sent to servers in the United States belonging to Google, a company of the holding company Alphabet Inc., and stored there. Because IP anonymisation has been activated on our website, your IP address will be truncated by Google if you reside in a member state of the European Union, or any country party to the Agreement on the European Economic Area, or Switzerland. Google will not associate the anonymised IP address supplied by your browser to Google Analytics with any other data held by Google. Only in exceptional cases will the full IP address will be sent to Google servers in the USA to be shortened. In these cases, Google offers a contractual guarantee that it will maintain an adequate level of privacy protection.

 

This information is used to monitor traffic on our website, compile reports on how visitors use our website and provide additional services in connection with the use of the website and the internet for purposes of market research and improving our website. The information may be shared with third parties if this is required by law or if the third parties are processing the data on our behalf. According to Google, the user's IP address will never be associated with other data relating to the user.

Selon Google, l’adresse IP n’est en aucun cas associée à d’autres données de l’utilisateur.

 

Users can prevent Google from using cookies to collect and process data relating to their use of our website (including their IP address) by downloading and installing the browser plug-in available at: http://tools.google.com/dlpage/gaoptout?hl=en

 

 

WHAT ARE COOKIES AND WHEN ARE THEY USED?

 

We make use of cookies in specific circumstances. Cookies are small files that are placed on your computer or mobile device when you visit or use one of our websites. Cookies store certain settings in your browser and information about how you use our website via your browser. When a cookie is activated, it is assigned an identification number that identifies your browser and allows it to use the information contained in the cookie. You can set your browser to display a warning before it saves a cookie. It is also possible to block personal cookies, but this can prevent certain functions from working properly.

 

We use cookies to evaluate user behaviour and thereby optimise their experience on our website. We want to make our website as user-friendly as possible, with content that can be found more intuitively. Our aim is to improve its structure and make it easier to navigate. We believe it is important to have a user-friendly website that meets our users' needs. The information we obtain from cookies enables us to optimise the performance of our website by providing you with more targeted and more personalised content and information.

 

Most web browsers accept cookies by default. You can, however, configure your browser to prevent cookies from being stored on your computer or to display a message whenever you receive a new cookie. The following pages explain how to change your cookie settings.

Deactivating cookies may prevent you from taking advantage of all the functions of our website. The legal basis for processing this data is our legitimate interest.

 

 

WHAT ARE SOCIAL PLUG-INS AND HOW ARE THEY USED?

 

You can use the following social plug-ins on our website.

  • Facebook; Facebook Inc. (1601 S. California Ave, Palo Alto, CA 94304, USA)
  • Twitter; Twitter Inc. (795 Folsom St., Suite 600, San Francisco, CA 94107, USA)

We use social plug-ins to make our website more personal. The plug-ins on our website are deactivated by default and therefore do not send any data to social media platforms.

You can however activate all plug-ins (the "2-click solution") by clicking on the "Activate social media" button. Of course, you can also deactivate the plug-ins simply by clicking on the button again.

 

When the plug-ins are activated, your browser establishes a direct connection with the servers of the particular social media platform as soon as you access our website. The content of the plug-in is sent directly from the social media platform to your browser, which then integrates it into the website.

 

By integrating the plug-ins, the provider receives the information that your browser has requested from a particular page of our website, even if you do not have an account on that social media platform or are not logged in to it. This information (including your IP address) is sent by your browser directly to one of the provider's servers (usually in the USA) and stored there. We therefore have no influence over the amount of data the provider collects via the plug-in.

 

If you are logged in to the social media platform, it can associate your visit to our website directly with your user account. If you interact with the plug-ins, this information is also sent directly to one of the provider's servers and stored there. This information may also be published on the social media platform and may be shown to other social media platform users.

 

The provider of the social media platform may use this information for advertising, market research and to personalise their service. To do this, they may create usage, interest and relationship profiles to evaluate, for example, how you use our website as a result of advertisements you have seen on the social media platform, or to inform other users of your activities on our website, or to provide further services associated with social media platform use.

 

For information on the purpose and scope of collecting, processing and using this data by the social media platform provider and on your rights and the settings options for protecting your privacy, please refer to the privacy statement of the service provider concerned.

 

If you do not want the social media platform provider to link to your user account the data collected via our website, you should log out of the social media platform before activating these plug-ins.

 

The legal basis for processing this data is our legitimate interest.

 

 

ADVERTISEMENTS ON OUR WEBSITE AND IN OUR APPS.

 

We use third parties (ad servers) to place advertisements on our website and in our apps. When a user visits our website or uses our apps, a request is sent to the ad server whenever a page is viewed. To enable the placement of advertisements for products and services that are of interest to you or are more relevant to you, we supply the following information to the ad server when you load a page.

  • Profile data (age, place of residence and gender).
  • Travel data (departure place, departure time, departure date, departure day of the week, place of arrival, arrival time, arrival date, arrival day of the week, travel class).
  • Approximate GPS coordinates.
  • Unique User ID (for advertising frequency capping, post-click tracking and cookie targeting).
  • IP address.
  • Details of browser and operating system.
  • Device manufacturer and device model.

The ad server checks each ad-hoc query to see if there is a suitable campaign and then randomly delivers, depending on the available capacity, specific, non-specific or no advertising. No historical data is collected and no names, telephone numbers or emails are shared. The above information is never shared with the advertiser; it is used exclusively for the one-off delivery of advertising and is not stored for further use. In the app settings, you can control what advertisements you see under "Advanced settings". The legal basis for processing this data is our legitimate interest.

 

 

DATA SECURITY.

 

We use appropriate technical and organisational security measures to protect your personal data stored by us from manipulation, partial or complete loss and unauthorised access by third parties. Our security measures are continually improved to keep pace with technological developments.

 

We also take internal data protection very seriously. Our staff and external service providers are themselves required to observe secrecy and to comply with data protection regulations.

 

We take all necessary steps to ensure the safekeeping of your data. Sending information via the internet and other electronic means, however, always involves a degree of risk and we cannot guarantee the security of sent information in this way.

 

 

CHANGES TO THIS PRIVACY STATEMENT.

 

Last updated : February 2020