We process general personal data about you, such as your name and contact details.

Example: We send you a ticket that you have ordered online to your email address. 

We process your location data.

Example: Our app uses your current location for a route suggestion provided you have switched on this functionality on your smartphone. 

We process personal data that you provide to us.

Example: You enter your email address when ordering tickets in our webshop. 

We process personal data that we collect about you.

Example: We check the language setting of your browser when you visit our webshop.  

We process personal data about you that we receive from third parties.

Example: You buy a Half Fare Travelcard at the point of sale of your regional public transport company, which you also use when traveling with us. 

We use your personal data for marketing and advertising.

Example: We send you our newsletter to which you have subscribed. 

We use your personal data for the development and improvement of products and services.

Example: Based on an online survey, we identify the need for a new service/offer. 

We analyse your behaviour and make assumptions about your interests and preferences.

Example: Unless you choose to opt out, we analyse your ticket purchases to tailor offers in our newsletter to your needs. 

We transfer your personal data to other companies that decide themselves how to use the data.

Example: We hand over an unpaid invoice to a collection agency. 

We also process your personal data outside of Switzerland and the EU.

Example: An IT expert in the U.S. supports us in the event of problems at night and accesses a data storage facility in Switzerland for this purpose. 

Protecting your personality and privacy is a major concern for us as public transport companies. We guarantee to you that we will process your personal data in accordance with the applicable provisions of data protection law. By adhering to the following principles, public transport companies give a clear signal that your data will be handled confidentially.

Public transport companiesLink opens in new window.

You decide yourself how your personal data are to be processed.  

Where permitted by law, you can at any time object to data processing, withdraw your consent or require that your data be erased. You always have the option of travelling anonymously without your personal data being recorded.

We offer you added value by processing your data.

Public transport companies use your personal data to offer you added value throughout the mobility chain (e.g. bespoke offers and information, support or compensation in the event of disruption). Your data are therefore used only in relation to the development, provision, optimisation and assessment of our services or for customer support purposes.

Your data are not sold.

Your data are only disclosed to selected third parties specified in this Privacy Policy and only for the purposes specifically indicated. If we commission third parties to carry out data processing, they will be contractually required to comply with our data protection standards.

We guarantee the security of your data and ensure that they are protected.

Public transport companies undertake to handle customer data with care and to guarantee their security and protection. We ensure this by adopting the necessary technical and organisational precautions. 

You have the following rights with regard to your data. You can make use of them at any time. 

• Information about your stored personal data 
• Rectification, supplementation, blocking or erasure of your personal data (if due to legal storage obligations we can only erase your data at a later date, they will be blocked in the meantime)
• Delete your customer account or have it deleted
• Object to the use of your data for marketing purposes
• Withdraw your consent for future data processing
• Transmission of your data 

You can send us your request for access to data or erasure of data via the web form.

In addition, you have the right to put any questions or concerns you may have at any time to the Federal Data Protection and Information Commissioner.

Data protection advisors
Federal Data Protection and Information CommissionerLink opens in new window.

SBB is responsible for processing your data. As public transport companies, we are obligated by law to provide the National Direct Service (NDS). For this purpose as well as for additional purposes described in this Privacy Policy, certain data is exchanged within the transport companies and public transport networks as well as with third parties that provide a range of public transport products. This data is stored centrally in databases jointly operated by all public transport companies and networks. Therefore, we – together with these transport companies and networks – are responsible for individual data processing operations. You will find more information about the individual data processing operations in the section “Data exchange within Direct Service”.

There are clear legal regulations for the use of personal data, to which we refer again and again in this Privacy Policy. They refer to the applicable law in Switzerland and the EU General Data Protection Regulation (EU-GDPR).

The applicable law requires us to retain certain data concerning you. At the request of law enforcement or other authorities, we are required to disclose some of this data. 

Example:

• When connecting to SBB WiFi, we must retain and, if necessary, disclose connection and identification data in accordance with the Swiss Federal Act on the Surveillance of Postal and Telecommunications Traffic (BÜPF) and the associated ordinance (VÜPF).
• The Federal Act on Combating Money Laundering and Terrorist Financing (Money Laundering Act, AMLA) requires us to retain customer and transaction data for a specific period of time. 

If you have any questions regarding data protection, please contact our data protection advisors (this will be kept confidential). 

SBB AG 
Data Protection Office 
Hilfikerstrasse 1
3000 Bern 65
datenschutz@sbb.chLink opens in new window.

This is how to reach our data protection representative in the EU 

MLL Brussels SPRL
222, Av. Louise
1050 Bruxelles [Brussels]
Belgium 
sbb@mll-gdpr.comLink opens in new window.

When purchasing services and products, such as subscriptions or tickets, we require personal data - depending on the product and purchase channel: 

• The gender, name and date of birth of the passenger or person buying the service or product
• A personal photo
• Contact details  (e-mail address, address, telephone number)
• Customer number
• Subscriptions
• Payment method
• Consent to the General Terms and Conditions
• Product details:
  • The type of product or service being purchased 
  • The price 
  • The place, date and time of purchase
  • Purchase channel (online, mobile, ticket machine, counter, etc.)
  • Date of travel or period of validity and departure time
  • Starting point and destination

To ensure that we can always reach you by post, we check your address – provided you have consented to this at SwissPost – with Swiss Post and update it if necessary.

We use this data to provide you with information that is necessary regarding your contract with us (e.g. renewal information, etc.). In addition, the data is stored in a central database and can be used for marketing and market research purposes if you have consented to this.

The data is used to properly distribute revenues earned from the purchase of tickets among the companies and networks of the National Direct Service.

Furthermore, the data is used in the context of ticket inspection in order to identify the holder of a personalised ticket and to prevent improper use (for more information in this regard, please refer to the section “When inspecting services” and the section on shared responsibility in public transport).

The data is also used for providing our after-sales service in order to identify you and support you in case of issues or problems, as well as to process any compensation claims.

Finally, we evaluate your data in order to further develop the overall public transport system as needed.

For cross-border journeys, we will notify you by e-mail or SMS about your upcoming journey and any delays or cancellations. You can unsubscribe from these notifications.

For group journeys we need additional information about the group. We will notify you via SMS about your group reservation and any delays or cancellations. When you book a group journey, you can decide whether you want to receive these notifications.

When checking in baggage, the bag must be labelled with name, address and mobile phone number. For online orders, we also need your e-mail address. We need this information so that the baggage can be identified in the event of loss and so that we can contact you about delivery or collection.

As far as the EU-GDPR applies, our legitimate interest and the contractual performance requirement form the legal basis for this processing of personal data.

Customer and subscription data is needed and processed for revenue protection (checking the validity of tickets or reduced-fare tickets, collections and combatting misuse). Therefore, for the purpose of carrying out the entire inspection and collection procedure, the transport companies and networks are authorised to process all data pertaining to travellers or contracting parties (ticket and inspection data, as well as any sensitive data related to all types of travel without a valid ticket, e.g. travellers with invalid tickets or travellers with forgotten tickets or forgotten reduced-fare tickets, and any misuse) and to store this data for the periods specified by data protection law and to exchange this data with other transport companies and networks (including across borders in the case of international tickets and international reduced-fare tickets).

The following provisions apply to individual services or data carriers:

SwissPass card.
When the physical SwissPass card is used as a data carrier, no inspection data is stored (exception: see SwissPass Mobile).

SwissPass Mobile.
When the SwissPass Mobile application is used, the provisions acknowledged when activating SwissPass Mobile are applicable. The following data is processed in this regard: Registration, activation, and inspection data generated when SwissPass Mobile is used. As soon as SwissPass Mobile is used, this data is also collected from the SwissPass card.

Registration data is kept for up to 18 months after either the SwissPass Mobile application is deactivated or the SwissPass card expires. The activation and inspection data from SwissPass Mobile and the SwissPass card is stored on the inspection devices for one day and in the inspection database for 30 days. If misuse is suspected, the maximum storage period for activation and inspection data is 90 days. Travellers who engage in misuse with SwissPass Mobile are suspended from SwissPass Mobile for 12 months. After that period, SwissPass Mobile may be used once again. After another 12 months, the traveller’s suspension file is deleted.

Electronic tickets.
When electronic tickets (e-tickets) are used, inspection data is stored on the central inspection data server at SBB. Tor the purpose of combatting misuse and for measures to prevent misuse and improper refunds, this data is retained for 360 days.

Where the EU GDPR applies, our legitimate interest and our need to process the Agreement form the legal basis for this processing of personal data.

In case of travel without a valid ticket, the data is stored in our own database as well as in a jointly operated register. Travellers or contracting parties acknowledge that if any misuse or forgery is detected, the transport companies are authorised to provide the internal departments affected by the misuse and other transport companies with the relevant personal data so that any misuse can be ruled out or confirmed and any further misuse can be prevented. Pursuant to the Swiss Passenger Transport Act (PBG), different deadlines apply for processing the aforementioned data. The data is deleted as soon as it is established that the person concerned has not caused a loss of revenue, and after two years if the person concerned has paid the surcharges and has demonstrably no longer travelled without a valid ticket during this period. The data may be retained for up to 10 years if it is needed for the purpose of enforcing claims against this person.

Where the EU GDPR applies, Article 20a PBG and Article 58a of the Swiss Passenger Transport Ordinance (VPB) form the legal basis for this processing of personal data.

The following information is recorded in connection with orders in the SBB Shop (for guest purchases or with SwissPass login):

• Name, date of birth and e-mail address of the purchaser
• Address (billing and delivery address)
• Telephone number
• Product ordered
• Reference number
• Order date
• Method of payment
• Shipping costs 

This information is also stored if the order is cancelled.

The required personal data will be passed on to the respective suppliers for the purpose of contract performance and delivery.

Insofar as the EU-GDPR applies, our legitimate interest and the fact that it is required for the performance of a contract constitutes the legal basis for the processing of these personal data.

Debit/credit cards.

When you pay by credit card, we forward your card details to your card issuer via our payment service provider (acquirer). This sending of data is solely for the purpose of authorization and transaction processing and takes place in encrypted form. If you decide to make a card payment, you will be asked to enter all mandatory information (payment card type, payment card number, CVC2/CVV2, expiry date, first name, last name). Under certain circumstances, it may be necessary to authenticate yourself as an authorised cardholder, e.g. using the 3DSecure procedure. 

Wallet solutions (Twint, Apple Pay, PayPal).

With wallet payment solutions, your card details are securely stored in the wallet beforehand. If you choose to pay with a wallet solution, usually you do not have to enter any further payment card information. Only the data required for authorization and transaction processing are transferred via the wallet. 

Monthly invoice.

If you choose the ‘Monthly Invoice’ option, you will need access to a Swiss or Liechtenstein mobile phone number to register. Name, date of birth, e-mail address, address, mobile phone number and IP address are forwarded to our partner Byjuno AG. Byjuno AG will handle the entire billing process and will perform an identity and credit check. 

Invoice in SBB Shop.

If you choose the ‘Invoice in SBB Shop’ option, we need your mobile phone number and date of birth will also be recorded. Name, date of birth, e-mail address, address, mobile phone number, IP address and device ID will be forwarded to our partner Byjuno AG. Byjuno AG will handle the entire billing process and will perform an identity and credit check. 

Lodge Cards (corporate credit cards).

When you pay by Lodge Card, we forward your credit card information to your credit card issuer and also to the credit card acquirer. If you choose to pay by credit card, you will be asked to enter all mandatory information (payment card type, payment card number, CVC2/CVV2 (based on option), expiration date, first name, last name). In addition, information on the purchased service, last name, first name and date of birth of the person purchasing or travelling and information on the credit card holder (company) are forwarded to the credit card issuer for billing purposes in accordance with the agreement with the credit card holder (company).

Insofar as the EU GDPR applies, the legal basis for the processing of personal data is the contractual performance requirement. With regard to processing of your payment method information by these third parties, please also read the relevant General Terms and Conditions and Data Protection Declaration of the payment method used.

You do not have to reveal any data to surf on our website pages. What happens automatically is that our servers record every access, store the following data for seven months and then automatically delete it again.

• IP address of the computer requesting access 
• date and time of access 
• the website from which our website was accessed, including the search term where applicable
• the name and URL of the file being requested 
• searches performed (timetable, products, etc.) 
• the computer’s operating system  
• the browser being used  
• device type of the mobile phone, if used
• the transmission protocol being used 

Good performance.

These data are used to ensure system security and stability, to facilitate error and performance analysis, and to help to optimise our range of products and services so they meet your wishes and needs. 

Protection against hackers.

The IP address provides intelligence if there are attacks on the network infrastructure or other misuse or abuse. It may be used in criminal proceedings for identification purposes and for civil and criminal proceedings against the users concerned. 

As far as the EU-GDPR applies, our legitimate interest forms the legal basis for this processing of personal data.

We cannot guarantee that non-SBB websites that are linked to our web pages comply with the relevant data protection regulations.

We offer you a range of apps that support your mobility and make travelling easier. You can identify which data is processed in the privacy policy of the respective app.

These apps are available to you:

• SBB Mobile 
• SBB Preview
• P+Rail
• SBB FreeSurf
• SBB Inclusive

Your SwissPass customer account allows you to use our websites and apps to their full extent. For this we need at least the following data from you:

• Form od address
• Full name
• Date of birth 
• Customer number (if you have a public transport subscription)
• Email address and password (login data)

With your SwissPass login, you can access the online services of public transport companies and networks without having to additionally register. This is practical and makes many things easier for you. 

Services purchased using the SwissPass login (in particular public transport tickets/subscriptions) are recorded in a central database (National Direct Service database, “NDS-database”).

Data exchange via Single Sign-On (SSO).

During authentication, login, customer and performance data are exchanged between the central login infrastructure of the Public Transport Network, the partner platform and ourselves. This applies to the name, date of birth, address, email address and performance data.

Use of partner services.

Whenever you register with a partner (e.g. Mobility, PubliBike, etc.) and whenever you purchase or use partner services, your card and customer data (card ID, customer number, title, form of address, surname, first name, address, date of birth, subscription information and photo) are transmitted to SwissPass partners for the purpose of processing transactions. Whenever any partner services are acquired, data concerning the service are stored by us. We inform SwissPass partners in the event of the loss, theft, misuse, forgery or replacement of your card.

In order to enable you to take advantage of discounted services, SwissPass partners are entitled to retrieve any subscription data that are directly required.

Insofar as the EU-GDPR applies, the legal basis for the processing of personal data is the contractual performance requirement.

Further information regarding this can be found Data Exchange within Direct Service in the privacy policy at swisspass.chLink opens in new window..

About the SBB Contact Centre.

Calls made when making contact by telephone are recorded for training and quality assurance purposes and are kept for 3 months, along with your telephone number and the time of the call. After 3 months, the recording is deleted. At the beginning of your call, you will be made aware that the conversation is to be recorded. To decline the recording of the conversation, please ask our employee to stop recording at the start of the conversation.

We store all e-mails we receive via the contact forms and these are linked to your customer account.

If you contact us via the chat window, we save the entire text of the chat history, as well as your first name, surname and customer number, if you provide us with these. The text of the chat history may contain other personal data, if you mention such data in your chat with our staff. We also use the stored data to improve the chat function.

If you avail yourself of the video consultation service and contact us in this way, we will store the entire conversation (video and audio) as well as your first name, surname, e-mail address and telephone number. Video consultations may contain further personal data if you mention or show such data when communicating with our staff (screen sharing). We use the stored data for the further development of our services and as a safeguard against misuse. The data is deleted after 7 days.

Where possible based on the information provided, we will link these communications to your customer account.

After you have contacted the SBB Contact Center we may contact you by SMS or e-mail to perform a customer satisfaction survey. At any time, you can opt out of receiving the customer satisfaction survey.

As far as the EU-GDPR applies, our legitimate interest and the contractual performance requirement form the legal basis for this processing of personal data..

About forums and chats.

You can participate in forums and chats on SBB.ch and other SBB websites. Please remember that any information you disclose online will be made public.

About the SBB Lost and Found Service.

If you use the form to report a loss, we need the following details from you: Title, first name, last name, language, communication method, address, email address, type and place of return. We need this data in order to process your request. To carry out the lost and found service, we may disclose your data to the transport companies, cantons, cities and municipalities involved.

About SBB Customer Say.

Your voice counts: By participating in SBB Customer Say, you can have a say in the development of new processes and products. The aim is to design products and services according to customer needs. Certain data is required from you for this.

You can find out which data is processed at kundenstimme.sbb.chLink opens in new window..

After you purchase a ticket (national or international), order a travelcard (e.g. Half Fare Travelcard, GA Travelcard, Night GA Travelcard etc.), apply for a refund or compensation, request an offer at the counter etc. you will receive a confirmation e-mail. This is required by law so that you have proof. The associated data will not be passed on and will be deleted according to the legal deadlines.

Using SBB WiFi is easy: Register and surf away. Your access is valid for 12 months.

If you register, your mobile phone number or customer number, the MAC address of your device, and data regarding the station area visited will be recorded, along with the time, date and device.

Our statutory obligations.

As a telecommunications service provider, we are registered with the Federal Office of Communications and must therefore comply with the statutory obligations of the Federal Act of 18 March 2016 on the Surveillance of Postal and Telecommunications Traffic and its associated ordinance.

For us, this means.

Provided the legal conditions are met, we are required, on behalf of the competent authority, to monitor, either directly or through a third party, the use of the Internet and data traffic between the customer and the Internet. Furthermore, we may be required to disclose the customer’s contact, usage and peripheral data to the authorised administrative bodies. 

For your data, this means.

The usage data and peripheral data generated when establishing and ending electronic connections will be stored in personally identifiable form for six months. After that the usage data will be anonymised and the peripheral data will be destroyed.

From the time participation in the WiFi service is cancelled or 12 months after registration, the contact data will be stored for another six months and then destroyed. 

If you reserve a car from a car sharing provider through us, we will carry out an electronic driver's licence check when you register for the first time. For this purpose, you provide us with a photo of your driver's licence and a selfie. We store the following data from your driving licence with us: Identification number, first name, last name, date of birth, date of issue, expiry date if available, country of issue, driving categories.

If you give consent, your customer data will be forwarded to the car sharing provider to create an account. To ensure that the reservation, usage and billing processes can be carried out, the car sharing provider stores the following data:

• card ID 
• client numbers
• title,
• surname, first name
• address
• date of birth
• telephone numbers
• e-mail address
• driver's licence details
• correspondence
• language
• date of last data change
• IP address of the client
• role of the user
• newsletter subscribed to

We use the data we receive from you - by e-mail, letter, SMS or personally at the counter - together with publicly available statistical data to offer you products and services consistent with your purchasing habits. To do this, we may, e.g. use models to calculate how high we estimate your interest in a particular offering (e.g. leisure). These processing operations are also referred to as profiling to make you offers that correspond to your buying behaviour. Provided we know your age, we will only send marketing material to you by email or letter if you are at least 16 years old.

The following data can be used for this purpose: 

• Name
• Gender
• Date of birth
• Address
• Customer number
• E-mail address
• Information on services purchased (e.g. subscriptions or single tickets)
• Interactions at the counter or by phone
• Clicking behaviour on our websites or in e-mails that we have sent you
  
• Click-through rate on displays / banners with SBB advertising
• Information concerning interests, affinities and user behaviour

We use e-mail marketing services that use tracking tools when sending e-mails. We collect the data for statistical purposes and subsequent dispatch as well as to optimise the content of our messages. 

The following data is used:

• Information about the address file used
• Subject and number of newsletters sent
• Addresses to which the newsletter has not yet been sent
• Addresses to which the newsletter has been sent
• Addresses with failed dispatch 
• Opening rate 
• Addresses that have opened the newsletter
• Addresses that have unsubscribed from the newsletter distribution list
• Clicking behaviour 

We use the Google ad server service (Google Ad Manager) for advertisements on our websites and in our apps if you consent to this. Ad servers are automated ad management systems that are used to store, deliver and measure the success of Internet advertisements. These allow you to see only those ads that interest you. 

The ad server uses the following information when you visit our websites and apps:

• Profile data (age, place of residence and gender) 
• Contextual travel information (place, time, date and day of departure, destination, arrival time, date and day, class of travel, article number, zone and subscription type)
• Website accessed, including search performed, if applicable
• Rough GPS coordinates 
• User ID (Unique User ID), advertising ID (Ad ID), IP address  
• Information on the browser and operating system 
• Device manufacturer and model 

On the basis of this information, for each request, the ad server checks whether a suitable campaign is running and then delivers specific, non-specific or no advertising at all at random and depending on capacity.

If you have a Google account and have agreed to personalised ads, the ad server may also take account of your Google account settings when displaying the ads. We do not obtain any access to the data used.

Your data are never disclosed to the advertiser and are not stored for further use, but are used exclusively for the one-time display of advertising. We do not create profiles that identify any specific individuals or process names, telephone numbers, addresses or e-mail addresses in connection with advertising. 

On SBB.ch, Adobe Target is used for website optimisation and the display of personalised content if you consent to this. 

The following data will be processed:

• Anonymised IP address
• Tracking data on how you use the site, such as your preferred topics

You can request that your data will not be processed by Adobe Target.

To continuously improve the quality of our services and offerings, we conduct market research. With your consent, we may use your contact details for customer surveys (e.g. online surveys). If you do not wish to participate in such surveys, you can control in your profile which “Information and offers” you would like to receive. 

You can reject offers and information from us or public transport companies at any time. 

• One click is all you need: Unsubscribe link for e-mails
• Manage which information and offers you would like to receive on SBB.ch in your profile under “Notifications”.
• Manage your settings under “Offers & Advertising” when you log in to SBB Mobile
• Register or deregister at any counter or by calling the SBB Contact Centre (0848 44 66 88 / CHF 0.08/min.)
• Configure cookies in cookie settings.

The use of the device-specific advertising ID, which is used for interest-based advertising, can be blocked on your smart phone as follows:

• Android: Open “Settings”, tap on the menu item “Privacy” and within the sub-menu “Ads” select “Opt out of Ads Personalization”.
• iOS: Open “Settings”, tap on the menu item “Privacy” and within the sub-menu “Advertising” select “Limit ad tracking”.

In order to disable Google's personalised advertising, please consult the following link: policies.google.com/technologies/partner-sitesLink opens in new window.

We store personal data only for as long as necessary to provide services that you have requested or with respect to which you have granted your consent, and to the extent indicated in this Privacy Policy.

We retain contract data for as long as required by the relevant legal retention obligations. Retention obligations that require us to retain data arise from accounting and tax regulations.

Support access is possible worldwide. Transfers outside the EU/EEA are secured by using the authorised standard data protection clauses.

Your data is normally stored in databases within Switzerland. However, in some of the cases listed in this Privacy Policy, the data is also processed by service providers whose head offices are located outside Switzerland. If the country in question does not offer an adequate level of data protection, we use contractual arrangements with these companies to guarantee that your data is adequately protected by these companies. In addition, transfers outside the EEA/EU are secured by using the authorised standard data protection clauses.

Support access is possible worldwide. Transfers outside the EU/EEA are secured by using the authorised standard data protection clauses.

Your personal data will only be passed on to selected service providers - and only to the extent necessary to provide the service. 

These include: 

• IT support service providers 
• Issuers of subscription tickets 
• Shipping service providers (e.g. Swiss Post) 
• Service providers charged with allocating traffic revenues to the transport companies involved (in particular in the course of drawing up so-called distribution keys within the meaning of the Federal Passenger Transport Act of 20 March 2009 (Personenbeförderungsgesetz, PBG))
• Our Hosting Provider

External service providers who process data on our behalf are contractually obliged to comply with the relevant data protection regulations and are not considered third parties under data protection law.

We may be legally required to pass on such information or it may be necessary to pass it on in order to safeguard our rights.

As far as the EU-GDPR applies, our legitimate interest and legal requirements form the legal basis for this processing of personal data.

On our website we use various services provided by Google (Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland). Google already stores information (e.g. your IP address) concerning your use of the website whenever you access any website into which Google services have been integrated. This may also result in the transfer of data to the servers of Google LLC. in the USA. If you are logged in to Google, your information will be directly associated with your account. If you do not wish any such data to be associated with your Google profile, you must first sign out of your Google account. Google stores your data (including those relating to users who are not logged in) as user profiles and evaluates them. Collection, storage and evaluation occur on the basis of Google’s legitimate interest in the incorporation of personalised advertising, market research and/or the design of Google websites in order to meet with user requirements. You have the right to object to the creation of these user profiles, and must contact Google in order to exercise this right.

Your personal data will not be disclosed to other parties outside Public Transport. SwissPass partners and companies that have been granted approval to facilitate public transport services based on a contractual agreement are the sole exceptions (as described below). These intermediaries only receive access to your personal data if you wish to purchase a Public Transport service through them and have granted them your consent to access your personal data. Even in this case, they only receive access to your data to the extent necessary to determine if you already have tickets or subscriptions for the planned travel period and they relate to your travel and the third party’s service you have requested. Therefore, your consent forms the legal basis for these data processing operations. You can prospectively revoke your consent at any time (see Section 2.8).

If you take advantage of offers from a SwissPass partner by using your SwissPass, data about any services purchased from us (e.g. a GA, Half Fare or Regional Point-to-Point Travelcard) may be sent to the SwissPass partners to verify whether you can benefit from a specific offer provided by the SwissPass partner (e.g. a discount for GA Travelcard holders). The relevant partner is informed in case of the loss, theft, misuse, forgery or replacement of a card after the purchase of a service. These data processing operations are necessary for implementing the agreement on the use of the SwissPass and are therefore based on this legal ground. For more information, please see the Privacy Policy at swisspass.ch and the privacy policy of the relevant SwissPass partner.

As a Public Transport company, we are required by law to provide transport services (“Direct Service” as per Articles 16 and 17 of the Swiss Passenger Transport Act) together with other transport companies and networks. To facilitate this, your data, such as your login, card, customer and service data is shared within the National Direct Service (NDS), an association of over 240 public transport companies and networks, at the national level and stored in central databases. 

The data are stored, e.g. in the central NOVA (network-wide public transport connection) database, which is administered by SBB on behalf of the NDS and for which we, together with the other NDS companies and networks, are responsible. NOVA is a technical platform for distributing public transport offerings. It contains all key elements for the sale of public transport services, such as the customer database. The extent to which the individual transport companies and networks can access the shared databased is determined by means of a joint agreement. The disclosure of the data occurring upon their central storage as well as their processing by the transport companies and networks are limited to the following purposes:

Provision of the transport service.
Your travel and purchase data are transmitted within the NDS so that your travel can go smoothly.

Contract implementation.
We process this data for the purposes of commencing, administering, and processing contractual relationships.

Administration of customer relationship and support.
We process your data for purposes related to communicating with you, particularly for answering enquiries, the assertion of your rights and to identify you and assist you as best as possible across the public transport system in case of issues or problems, as well as to process compensation claims.

Ticket inspection and revenue protection.
Customer and subscription data is needed and processed for revenue protection (checking the validity of tickets or reduced-fare tickets, collections and combatting misuse).

Occurrences of travel without a valid (or with a partially valid) ticket can be recorded via the national register of fare dodgers.

Revenue distribution.
The service centre of Alliance SwissPass, which is managed by ch-integral, carries out the legal mandate defined in the Swiss Passenger Transport Act to collect travel data for the purpose of proper revenue distribution. At the same time, the service centre acts as an agent for the distribution of revenues in the National Direct Service on behalf of the member companies of the NDS.

Identification in the context of authenticating your SwissPass login (SSO).
For services that you purchase by using your SwissPass login, the data is then stored in the central customer database (NOVA). To provide you with single sign-on (SSO) access (one login for all applications that enable you to use their services with the SwissPass login), the aforementioned login, card, customer and service data are also exchanged between the central login infrastructure of the SwissPass and us in the course of authentication.

Joint marketing and market research activities.
Furthermore, data collected in connection with the purchase of public transport services are also used for marketing purposes in certain cases. As long as your consent has been obtained and a processing operation is performed or you are contacted for this purpose, it will normally be carried out only by the transport company or network from which you purchased the relevant public transport service. Any processing of data or initiation of contact by the other transport companies or networks that participate in the NDS will only take place in exceptional cases and under stringent requirements and only when the analysis indicates that a particular public transport offering could bring you added value as a customer. One exception in this case is the processing of data and initiation of contact by SBB. SBB carries out the marketing mandate for the services of the NDS on its behalf (e.g. GA and Half Fare) and may contact you regularly in this role. We also process your data for conducting market research, improving our services and developing products.

Further development of public transport systems with anonymous data.
We evaluate your data anonymously in order to further develop the entire public transport service as needed.

Customer information.
For cross-border journeys, we will notify you by email or SMS about your upcoming journey and any delays or cancellations. You can unsubscribe from these notifications. For group journeys, we will notify you via SMS about your group reservation and any delays or cancellations. When reserving a group journey, you yourself can decide if you wish to receive these notifications.

If you book a cross-border journey, your data will be transferred to foreign public transport providers so that descriptions of available services can be provided, to allow checking of and prevent misuse of tickets, and to notify you in the event of a delay or cancellation.

We employ suitable technical and organisational security measures to protect the personal data we store against manipulation, partial or total loss and unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

We also take data protection within SBB very seriously. Our staff and the external service providers working on our behalf are committed to maintaining confidentiality and to complying with data protection provisions.

We will take appropriate precautionary measures to protect your data. However, transferring information over the Internet and other electronic media always entails certain risks, and we cannot guarantee the security of information transferred in this manner.

Cookies are small files that are stored on your computer or mobile device when you visit our websites or use apps. Some cookies are necessary for the website or app to function, while others extend the range of functions and improve user comfort for you. You can adjust the cookie settings here at any time. If you accept certain cookies, you also consent to the transfer of your data to third countries. These third countries may not have a level of data protection comparable to Switzerland. There may be a risk, for example, of your data being collected and processed by local authorities and that your rights as a data subject cannot be enforced.

Together with tracking tools, cookies can analyse the usage behaviour when online offers are made.

We use cookies in order to

• ensure you do not have to re-enter your information and data every time.
• ensure you can stay logged in and no information will be lost.
• remember your personal settings and preferences.
• ensure you receive content that is as relevant as possible.