RhB Club | Privacy policy

Article - Privacy policy

This website was created and published by Rhätische Bahn AG (hereinafter referred to as “RhB” or “we”) with head offices in Switzerland, Bahnhofstrasse 25, 7001 Chur, and registered in the commercial register of the Swiss Canton of Graubünden under the number CHE-105.956.490. 

Accordingly, it is our responsibility to collect, process and use your personal data in accordance with the law. 

We are committed to handling your personal data in a responsible manner. We therefore consider it a matter of course to comply with the legal requirements of the Swiss Federal Act on Data Protection (FADP), the Ordinance to the Federal Act on Data Protection (OFADP) and the EU General Data Protection Regulation (GDPR).

In the following we would like to inform you how we process your personal data.

Please be aware that the following information may be reviewed and amended from time to time. We therefore recommend that you consult this privacy policy on a regular basis. 


1. Data processing on the website
1.1 Scope and purpose of the collection, processing and use of personal data
1.1.1 When visiting our website


When you visit our website, our servers temporarily store each access in a log file.

The following data is collected and stored, without any action on your part, until it is automatically deleted:

•    the IP address of the requesting computer,
•    the date and time of access,
•    the name and URL of the data retrieved,
•    the website from which our domain was accessed, and
•    the operating system of your computer and the browser used. 

This data is collected and processed for the purpose of allowing the use of our website (establishing a connection), ensuring system security and stability in the long term, and allowing our Internet offering to be optimised, as well as for internal statistical purposes. The aforementioned information is not linked to or stored with personal data. 

Only in the event of an attack on the website's network infrastructure or where unauthorised or abusive use of the website is suspected will the IP address be evaluated for clarification and defensive purposes and, where necessary, used to identify the perpetrators in civil and criminal proceedings.

The purposes described above constitute our legitimate interest in data processing within the meaning of Art. 6 para. 1 lit. f of the GDPR.


1.1.2 When using the contact form

If you contact us using the registration form, we will collect the following personal information:

•    Language*
•    Title*
•    First name*
•    Last name*
•    Street*
•    Postal code*
•    Town/city*
•    Country*
•    E-mail address*
•    Telephone 
•    Password

The fields marked with a * are mandatory. 

We use this data to answer your questions or provide the required services and, if necessary, to contact you by e-mail or telephone. Processing your contact request is our legitimate interest within the meaning of Art. 6 para. 1 lit. f of the GDPR. You can object at any time to our processing this data (see below for contact details). 


1.1.3 When using the contact form

If you contact us using the contact form, we will collect the following personal information:

•    Member Number*
•    E-mail address*
•    Your opinion / requests / questions / suggestions*

The fields marked with a * are mandatory. 

We use this data to answer your questions or provide the required services and, if necessary, to contact you by e-mail or telephone. Processing your contact request is our legitimate interest within the meaning of Art. 6 para. 1 lit. f of the GDPR. You can object at any time to our processing this data (see below for contact details). 


1.1.4 When booking services 

Our website offers various options for booking or ordering services online. For example, you can book and pay for rail tickets and other services online. During the booking process, we explain clearly which personal data we need to collect from you; for example, your title, your first and last names, and your date of birth. Other data may, however, also be required, e.g. your postal code, town/city, country of residence, e-mail address, etc. If the product or service can be purchased immediately online, we will also collect data required for handling the payment process (depending on your chosen payment method). In the input mask, we will indicate which items of data are mandatory (usually marked with *). 

Unless otherwise stated in this privacy policy or unless you have given your separate consent, we will use the aforementioned data only to process the contract, i.e. we will process the data in order to record your booking as requested, to render the services as booked, and to ensure correct payment.

Our website also uses the “Ticketpark” ticket portal on which various featured trips can be booked . Ticketpark GmbH is a company with head offices in Bern. Bookings made via the “Ticketpark” ticket portal are subject to the privacy policy of Ticketpark GmbH. 

Finally, when you buy a voucher on our website we use the E-GUMA voucher system of Idea Creation GmbH, Zurich. In order for E-GUMA to manage the purchase, the personal data you disclosed in the input mask is processed by Idea Creation GmbH. E-GUMA’s specific data privacy policy applies in this case.
(https://shop.e-guma.ch/rhaetische-bahn/de/privacypolicy).

 The legal basis of data processing for the above purposes is the performance of a contract pursuant to Art. 6 para. 1 lit. b of the GDPR.


1.1.5 When opening a customer account

Customers can order products on our website as a guest, or they can open a customer account before making purchases.

When you open a customer account, we collect the following data from you in order to process your orders or provide you with the required services:

•    Title*
•    First name*
•    Last name*
•    Address*
•    Postal code*
•    Town/city*
•    Country*
•    Telephone
•    E-mail*
•    Password*

The fields marked with a * are mandatory. 

You may inspect and amend the data in your customer account at any time. You may also instruct us to delete the account in its entirety. If you want to delete the customer account, please submit an appropriate request to us (see below under “Contact”).

The legal basis for processing the data in the above cases is the administration of a customer relationship and, thus, the performance of a contract pursuant to Art. 6 para. 1 lit. b of the GDPR, as well as an overriding legitimate interest pursuant to Art. 6 para. 1 lit. f of the GDPR. You may at any time revoke your consent to the processing of this data, whereupon we will delete your customer account (see below under “Contact”).


1.2 E-mail marketing

On our website, we give you the opportunity to subscribe to our newsletter. The following data will be used out of your profile as a member: 

•    E-mail address
•    First name and last name

This data is needed for data processing purposes. We process this data for the sole purpose of personalising the information and offers we send out and to better tailor the information to your individual interests. 

Furthermore, we are authorised to entrust the technical development of marketing campaigns to third parties and are thus entitled to share your personal data with third parties to that end. We use the Evalanche e-mail marketing service of SC-Networks GmbH, Enzianstrasse 2, DE-82319 Starnberg to distribute our newsletter.

At the end of every newsletter, you will find a link that allows you to unsubscribe from the newsletter at any time. Once unsubscribed, your personal data will be deleted. Further processing of this data takes place in anonymised form only with the aim of optimising our newsletter.

Our newsletter may contain a “web beacon” or similar technical means. A web beacon is a 1x1-pixel, invisible graphic that is associated with the user ID of the respective newsletter subscriber.

For each newsletter sent, we collect information on the address file used, the subject and the number of newsletters sent so far. In addition, we can see which addresses have not yet received a newsletter, to which address the newsletter was sent, and at which addresses the dispatch failed. In addition, there is the “opening rate”, i.e. information on which addresses have already opened the newsletter. Finally, there is information on which addresses have unsubscribed. We use this data for statistical purposes and to optimise the newsletter in terms of content and structure. This allows us to better tailor the information and offers in our newsletter to the individual interests of the recipients. The web beacon is deleted when you delete the newsletter.

To prevent the use of the web beacon in our newsletter, the mail program must be set such that HTML is not displayed in messages, if this is not already the case by default. The following pages explain how to adjust these settings in the most common e-mail programs.

Microsoft Outlook
Mail for Mac

By registering for the newsletter, you give your consent for us to process the data you have provided for the purposes of regularly sending the newsletter to the address you have indicated, statistically analysing your user behaviour, and optimising the newsletter. This consent constitutes the legal basis of data processing for the purpose of our newsletter pursuant to Art. 6 para. 1 lit. a of the GDPR.


1.3 Cookies

Among other things, cookies help us to make your visit to our website easier, more pleasant and more meaningful. Cookies are information files that your web browser automatically stores on your computer's hard drive when you visit our website. 

For example, we use cookies to temporarily store the details you enter when filling in a form on our website (on required services, etc.) so that you do not need to re-enter this information when you access another subpage. Where applicable, cookies may also be used to identify you as a registered user once you have registered on the website to avoid you having to log in again when you access another subpage.

Most Internet browsers automatically accept cookies. However, you can configure your browser to block cookies or issue a warning message whenever a new cookie arrives. The following pages explain how to configure cookies on most of the popular web browsers:

•    Microsoft Windows Internet Explorer 
•    Microsoft Windows Internet Explorer Mobile
•    Mozilla Firefox
•    Google Chrome for Desktop
•    Google Chrome for Mobile
•    Apple Safari for Desktop
•    Apple Safari for Mobile

Deactivating cookies may mean that some of the functions on our website will not work properly. 


1.4 Tracking tools
1.4.1 Google Analytics


For the purposes of needs-based design and the continuous optimisation of our pages, we use the web analysis service Google Analytics provided by Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. In this respect, pseudonymised user profiles are created and small text files (“cookies”) stored on your computer and used. Information generated by the cookie about your use of this website, such as 

•    the browser type/version
•    the operating system used
•    the referrer URL (previous page visited)
•    the host name of the accessing computer (IP address)
•    the time of the server request, and
•    the device

is sent to the servers of Google Inc., a company of the holding company Alphabet Inc., in the US and stored there. Before this data is transmitted to locations within the member states of the European Union or other states that are party to the agreement on the European Economic Area and Switzerland, the IP address is truncated through this website’s IP anonymisation process (“anonymizeIP”). Google will not associate the anonymised IP address transmitted by your browser through Google Analytics with any other data held by Google. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. In cases such as these, we use contractual guarantees to ensure that Google Inc. maintains an adequate level of data privacy. 

The information is used to analyse use of the website, to compile reports about website activities and to provide us with further services relating to website and Internet use for the purposes of market research and needs-based design for these websites. This information too may be forwarded to third parties where required by law or if third parties have been commissioned to process this data. Under the terms of Google Inc., under no circumstances will the IP address be used in connection with other data relating to the user. 

Users can prevent Google from collecting and processing the data generated by the cookie relating to their use of the website (including their IP address) by downloading and installing the browser plug-in from the following link: 
http://tools.google.com/dlpage/gaoptout?hl=de

For the sake of completeness, we must point out that as part of their legislation, the US authorities are able to undertake surveillance measures under which the universal storage of all data sent from the European Union to the US is possible. This takes place without distinction, limitation or exception, on the basis of the objective pursued and without objective criteria that would allow it to limit access by US authorities to personal data and its subsequent use to specific, strictly limited purposes that justify access to this data. 

For users residing in EU member states, please note that, from the point of view of the European Union, the US does not have sufficient data protection levels due to, amongst other things, the issues mentioned in this section. Insofar as we have declared in this privacy policy that recipients of data (such as Google) are located in the US, we will ensure that your data is afforded an appropriate level of protection by our partners, either by agreeing contractual terms with them or by securing the certification of these companies under the EU-US Privacy Shield.

This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above. 


1.4.2 Facebook Pixel

On our website we use the Facebook pixel provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). 

This allows us to monitor a user's actions after the user has clicked on or viewed a Facebook promotion or advertisement. The bounce rate and the duration of the visit, for example, are measured. This allows us to assess the effectiveness of Facebook publicity for statistical and marketing purposes. The data gathered is anonymous to us, so we cannot link the data to an individual user. However, we do point out that Facebook does save and process the data. Facebook can associate this data with your Facebook account and use it for its own publicity purposes in accordance with the Facebook privacy policy https://www.facebook.com/about/privacy/. The data can permit Facebook and its partners to activate marketing communications both within and outside of Facebook. Furthermore, a cookie may be saved on your computer for these purposes.

You can prevent this tracking at any time by blocking or deactivating the relevant cookies in the menu bar of your web browser (see section 1.3 above).

This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.


1.5 Re-targeting and other marketing processes
1.5.1 Google Retargeting


We use re-targeting technologies on our website. Your user behaviour on our website is analysed to enable partner websites to offer you advertising individually tailored to your preferences. Your user behaviour will be recorded under a pseudonym. 

Most re-targeting technologies use cookies (see section 1.3 above).

This website uses Doubleclick by Google, services provided by Google Inc. (“Google”) to display ads based on your use of previously visited websites. For this purpose, Google uses the so-called double-click cookie, which allows your browser to be recognised when you visit other websites. The information generated by the cookie about your visit to these websites (including your IP address) is transmitted to a Google server in the United States and stored there (more information on transfers of personal data to the USA can be found in section 1.4.1 above).

Google will use this information for the purpose of evaluating your use of the website in terms of the advertisements to be displayed, to compile reports for the website operator on website activities and ads, and to perform other services associated with website and Internet usage. Google may also pass this information on to third parties insofar as this is stipulated by law or insofar as third parties are processing this information on Google’s behalf. However, Google will never associate your IP address with other Google data.

You can prevent this re-targeting at any time by rejecting or deactivating the relevant cookies in the menu bar of your web browser (see section 1.3 above).

This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.


1.5.2 Google Tag Manager

We also use Google Tag Manager to manage the usage-based advertising services. The tool Tag Manager itself is a cookie-less domain and does not collect any personal data. Instead, the tool is responsible for triggering other tags that may themselves collect data in some circumstances. If you have opted out at the domain or cookie level, it will remain in effect for all tracking tags implemented with Google Tag Manager.


1.5.3 Facebook Custom Audience

To promote interest-based advertisements to visitors to our website while visiting Facebook, we use “Custom Audiences Pixel” provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). We have implemented a Facebook pixel on our website, which connects directly to the Facebook servers when you visit our website. The information that you have visited our website is transmitted to the Facebook server and Facebook assigns this information to your personal Facebook user account. For more information on the collection and use of data by Facebook and your rights in this regard and ways to protect your privacy, see the privacy policy of Facebook at https://www.facebook.com/about/privacy/.

If you wish to reject the connection with Facebook described above, simply block or deactivate the relevant pixels in your browser (see section 1.3 above). 

This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.


1.5.4 Campaign-related pixels and cookies

In some marketing campaigns, which each run for a few weeks only, we use pixels or cookies of various providers such as Adello or Tradedoubler. We use these pixels or cookies for re-targeting purposes, i.e. we install a cookie that helps us to display on your computer advertising communications on the respective campaign on partner websites. You can prevent this re-targeting at any time by deactivating the relevant pixels and cookies (see section 1.3 above). 

This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.


1.6 Social media functions 
1.6.1 Links to our social media pages


Our website contains links to our social media profiles on the following social media networks:

•    Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, 
•    Twitter Inc.,1355 Market Street, Suite 900, San Francisco, CA 94103, USA 
•    Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025
•    YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA

If you click on icons of the respective social networks, you are automatically forwarded to our profile page on the respective network. To be able to use the functions of the respective network, you may have to log in to your user account there. 

If you click on a link to one of our social media profiles, a direct connection is established between your browser and the server of the respective social network. By doing so, the network will be notified that you visited our website with your IP address, and clicked on the link. If you click on a link to a network while being logged in to your account on the respective network, the content of our site can be linked to your profile on the network, which means that the network can directly link your visit to our website with your user account. If you want to prevent this, you will need to log out of your account before clicking on the respective links. Linking of the information will definitely occur if you log in to the respective network after clicking on the link.


2.    Data processing outside the website
2.1 Processing customer details


We also collect customer data outside our website environment, e.g. when you make a purchase at one of our sales desks. The following data, in particular, is collected:

•    Title
•    First name
•    Last name
•    Date of birth
•    Address
•    Postal code
•    Town/city
•    Country
•    Telephone
•    E-mail
•    Details in connection with the payment (depending on the chosen payment method).

The legal basis for processing the data in the above case is the performance of a contract pursuant to Art. 6 para. 1 lit. b of the GDPR. 


2.2    Processing the data of business partners / suppliers 

In the context of our relations with business partners / suppliers, we collect the details of the relevant contact persons at these companies. We collect the following data, in particular, on each of our business partners / suppliers:  
•    Company name
•    Company address, postal code, town/city
•    First and last name of the contact
•    Business phone number of the contact
•    E-mail address of the contact
•    Function and title of the contact (where available)
•    Terms and conditions of contract
•    History of the customer relationship
•    E-mail for customer information bulletins
•    Preferred means of payment
•    Preferred currencies

The legal basis for processing the data in the above case is the performance of a contract pursuant to Art. 6 para. 1 lit. b of the GDPR. 


3. General provisions
3.1 Forwarding of data to third parties


We forward your personal data only if you have explicitly consented, if there is a legal obligation to do so or if this is necessary to assert our rights, in particular to assert claims arising from the contractual relationship. 

Furthermore, we forward your data to third parties where this is necessary within the scope of the use of the website and performance of the contract, i.e. when providing you with the services you have ordered or in order to analyse your user behaviour. The use by third parties of this shared data is strictly limited to the stated purposes. 

Various third-party service providers are explicitly mentioned in this data privacy policy (for example in the sections “When booking services”, “Tracking tools”, “Re-targeting”, and “Newsletter”).

A service provider to whom personal data collected on the website is forwarded, or who has or could have access to personal data, is our partner for technical conception and implementation soul.media, Buchen im Prättigau and in Chur. The website is hosted on servers in Switzerland. The data is shared for the purpose of providing and maintaining the functions of our website. This constitutes our legitimate interest within the meaning of Art. 6 para. 1 lit. f of the GDPR.


3.2 Transfer of personal data abroad

We are permitted to forward your data to third-party companies abroad if this is necessary in connection with the processing of your requests, to provide services and for marketing campaigns. These third-party companies are obliged to respect user privacy to the same extent as we do ourselves. If, in a certain country, the level of data protection is deemed inappropriate by Swiss standards or according to the provisions of the EU General Data Protection Regulation (GDPR), we will ensure by contractual means that your personal data is protected at all times in accordance with Swiss guidelines and/or the GDPR.

Various third-party service providers and the addresses of their head offices have already been mentioned in the section above (“Forwarding of data to third parties"). Some of the third-party service providers mentioned in this privacy policy have their place of residence in the USA (see “Tracking tools”, “Re-targeting”). Further details on the transfer of data to the USA can be found in the section “Tracking tools”.


3.3    Right of access, rectification, erasure and restriction of processing; right of data portability; right to complain to a supervisory authority

You have the right to obtain information – on request and free of charge – on the personal data that we store about you. In addition, you have the right to have inaccurate data corrected and the right to have your personal data deleted, as long as there are no legal retention obligations or acts of permission allowing us to process such data. 

Persons living in the EU are also entitled to demand the release of any data submitted to us (right of data portability). On request, we will also forward the data to a third party of your choice. You are entitled to receive the released data in a common file format. This right does not apply to persons living in Switzerland.  

For the aforementioned purposes, you can contact us at the e-mail address datenschutz@rhb.ch. We may, at our discretion, require proof of identity to process your request.

Furthermore, you are entitled to submit a complaint to a data protection authority at any time.


3.4    Storage of data

We store personal data only for as long as necessary in order to use the above-mentioned tracking services within the scope of our legitimate interest. Contract data is stored for longer periods as this is required by statutory obligations governing data retention. Requirements obliging us to retain data arise from accounting and tax regulations. According to these regulations, business communications, concluded contracts and accounting documents must be kept for up to 10 years. As and when we no longer need this data to perform our services for you, we will block the data. This means that the data may then be used only for accounting and for tax purposes.


3.5    Data security

We take appropriate technical and organisational security measures in order to protect your stored data from being manipulated, fully or partially lost, or accessed by unauthorised third parties. Our security measures are continuously adapted in line with the latest technological developments.

We also take our own internal data privacy very seriously. Our employees and the service providers we commission are obliged to maintain secrecy and to comply with the provisions of the data protection laws. Moreover, they are granted access to personal data only insofar as this is necessary.


3.6    Contact

If you have any questions about data privacy on our website, would like to receive information, or would like to have your data erased, please contact us by sending an e-mail to datenschutz@rhb.ch.

Please direct any correspondence to the following address:

Rhätische Bahn AG
Data Privacy Officer 
Bahnhofstrasse 25
7001 Chur
 

Last updated: June 2018