Terms and conditions of use: www.rhb.ch


Please read the following conditions carefully before proceeding. Anyone accessing www.rhb.ch (hereinafter: the website), declares their unconditional agreement with the following conditions.

www.rhb.ch is operated by Rhaetian Railway Inc.

General points
All information and services provided on the website are intended exclusively for private use and for information purposes. Rhaetian Railway Inc reserves the right to limit the operating times of the website, and to block access temporarily, without advance notice, if there are technical grounds for doing so. In addition, all website content may be subject, in part or in whole and at any time, to amendment, addition or removal. Furthermore, Rhaetian Railway Inc reserves the right to amend these conditions of use at any time. Should any of the individual provisions of these terms and conditions of use be ineffective, this shall have no effect on the validity of the remaining provisions. Each user shall be personally responsible for consulting these terms and conditions of use, in order to be aware of any amendments that might have been made.

Unless otherwise stated, the property rights (in particular copyrights and trademarks) to all elements of this website belong exclusively and entirely to Rhaetian Railway Inc. The complete or partial use or reproduction of elements of the website for public or commercial purposes requires the prior written consent of Rhaetian Railway Inc, which must then be identified as the copyright-holder. The downloading or copying, in part or in whole, of elements from the website does not constitute any transfer whatsoever of rights to those elements or the associated software.

Limitation on liability
Rhaetian Railway Inc makes every effort to ensure that all content on this website is complete, up to date and error-free. It cannot however accept any liability whatsoever for the accuracy, completeness or current nature of the information provided on the website (with particular reference but not limited to special offers, fares and price lists, or similar). Inaccuracies, omissions and typographical errors cannot be ruled out. Rhaetian Railway Inc can accept no liability whatsoever for loss or damage (including subsequent or secondary loss or damage) arising from access to elements on the website and/or the use of information contained in them. No liability will be accepted for failures of any kind (defects, outages, viruses, etc.) relating to Internet usage. The visit to the website and the use of the information and services contained therein take place at the user’s own risk and under his or her responsibility.

Privacy policy

These websites were created and published by Rhaetian Railway Inc (hereinafter referred to as “RhB” or “we”) with head offices in Switzerland, Bahnhofstrasse 25, 7001 Chur, and registered in the commercial register of the Swiss Canton of Graubünden under the number CHE-105.956.490. 

Accordingly, it is our responsibility to collect, process and use your personal data in accordance with the law.

We treat your data confidentially.  Protecting your personal data and privacy is very important to us. We guarantee that your personal data will be processed in compliance with the law and in accordance with the applicable provisions of data protection legislation.

In short, we adhere strictly to the following principles when processing your personal data:

  • You decide how your personal data will be processed.
    You are within your legal rights to refuse to have your data processed at any time, to revoke your consent or to have your data deleted.
  • We offer you added value when it comes to processing your data.
    We use your data exclusively to provide you with a service and to offer you added value (such as personalised offers, information and support). We will therefore use your data only to help us develop, deliver, optimise and evaluate our services or to maintain customer relations.
  • We will not sell your data.
    Your data will only be disclosed to the carefully selected third parties listed in this privacy statement and only for the purposes explicitly identified. If we commission third parties to process data, they are obliged to comply with our data protection standards.
  • We guarantee the security and protection of your data.
    We promise to handle your data with care and to keep it safe and secure. We have put in place appropriate organisational and technical measures to safeguard your data.

Please see below for more detailed information on how we handle your data.

Please be aware that the following information may be reviewed and amended from time to time. We therefore recommend that you consult this privacy policy on a regular basis. 

1. Data processing on the website

1.1 Scope and purpose of the collection, processing and use of personal data

1.1.1  When visiting our website

When you visit our website, our servers temporarily store each access in a log file.

The following data is collected and stored, without any action on your part, until it is automatically deleted:

  • the IP address of the requesting computer,
  • the date and time of access,
  • the name and URL of the data retrieved,
  • the website from which our domain was accessed, and
  • the operating system of your computer and the browser used. 

This data is collected and processed for the purpose of allowing the use of our website (establishing a connection), ensuring system security and stability in the long term, and allowing our Internet offering to be optimised, as well as for internal statistical purposes. The aforementioned information is not linked to or stored with personal data. 

Only in the event of an attack on the website's network infrastructure or where unauthorised or abusive use of the website is suspected will the IP address be evaluated for clarification and defensive purposes and, where necessary, used to identify the perpetrators in civil and criminal proceedings.

The purposes described above constitute our legitimate interest in data processing within the meaning of Art. 6 para. 1 lit. f of the GDPR.

1.1.2 When using the contact form

If you contact us using the form on the website, we will collect the following personal information:

  • Title
  • First name*
  • Last name*
  • Street
  • Postcode
  • Town/city
  • Country
  • Telephone
  • E-mail address*
  • Subject*
  • Your opinion / requests / questions / suggestions*

The fields marked with a * are mandatory. 

We use this data to answer your questions or provide the required services and, if necessary, to contact you by e-mail or telephone. Processing your contact request is our legitimate interest within the meaning of Art. 6 para. 1 lit. f of the GDPR. You can object at any time to our processing this data (see below for contact details). 

1.1.3 When booking services 

Our website offers various options for booking or ordering services online. For example, you can book and pay for rail tickets and other services online. During the booking process, we explain clearly which personal data we need to collect from you. This includes, for example, your title, your first and last names, your e-mail address and your date of birth. Other data may, however, also be required (e.g. postcode, town/city, country of residence, etc.). If the product or service can be purchased immediately online, we will also collect data required for handling the payment process (depending on your chosen payment method). In the input mask, we will indicate which items of data are mandatory (usually marked with *). 

Unless otherwise stated in this privacy policy or unless you have given your separate consent, we will use the aforementioned data only to process the contract, i.e. we will process the data in order to record your booking as requested, to render the services as booked, and to ensure correct payment.

Please note that some of the services bookable via our website are not provided by us. For example, if you book an overnight stay, the corresponding service will be provided by the relevant service provider. It is one of our contractual partners. In order to process the order, we forward the personal data you entered on the order form to the relevant service provider for processing the booking.

We use the following third-party booking systems on our website: 

  • TrekkSoft AG, 3800 Interlaken
  • Alturos Destinations AG, 8808 Pfäffikon
  • E-GUMA, Idea Creation GmbH, 8006 Zurich

Various displayed offers can be booked using the booking systems listed above. When booking via one of the above booking systems, the personal data you provide as per the input mask will be passed on to the relevant booking platform for the purpose of processing the booking.

Certain services offered on our website can be booked using contact forms. In order to process the order, we pass on the personal data you enter in the order form to the relevant service provider.

The legal basis of data processing for the above purposes is the performance of a contract pursuant to Art. 6 para. 1 lit. b of the GDPR.

1.1.4 When opening a customer account

Customers can order products on our website as a guest, or they can open a customer account before making purchases.

When you open a customer account, we collect the following data from you in order to process your orders or provide you with the required services:

  • Title
  • First name*
  • Last name*
  • Address*
  • Postcode*
  • Town/city*
  • Country*
  • Telephone
  • E-mail*
  • Password*

The fields marked with a * are mandatory. 

You may inspect and amend the data in your customer account at any time. You may also instruct us to delete the account in its entirety. If you want to delete the customer account, please submit an appropriate request to us (see below under “Contact”).

The legal basis for processing the data in the above cases is the administration of a customer relationship and, thus, the performance of a contract pursuant to Art. 6 para. 1 lit. b of the GDPR, as well as an overriding legitimate interest pursuant to Art. 6 para. 1 lit. f of the GDPR. You may at any time revoke your consent to the processing of this data, whereupon we will delete your customer account (see below under “Contact”).

1.2 E-mail marketing

On our website, we give you the opportunity to subscribe to our newsletter. To do this, you will need to register and provide us with the following details:

  • E-mail address
  • First name and last name

This data is needed for data processing purposes. We process this data for the sole purpose of personalising the information and offers we send out and to better tailor the information to your individual interests. 

Furthermore, we are authorised to entrust the technical development of marketing campaigns to third parties and are thus entitled to share your personal data with third parties to that end. We use the e-mail marketing service Braze, 330 West 34th Street, 18th Floor, New York, NY 10001, USA, to send our newsletters.

At the end of every newsletter, you will find a link that allows you to unsubscribe from the newsletter at any time. Once unsubscribed, your personal data will be deleted. Further processing of this data takes place in anonymised form only with the aim of optimising our newsletter.

Our newsletter may contain a “web beacon” or similar technical means. A web beacon is a 1x1-pixel, invisible graphic that is associated with the user ID of the respective newsletter subscriber.

For each newsletter sent, we collect information on the address file used, the subject and the number of newsletters sent so far. In addition, we can see which addresses have not yet received a newsletter, to which address the newsletter was sent, and at which addresses the dispatch failed. In addition, there is the “opening rate”, i.e. information on which addresses have already opened the newsletter. Finally, there is information on which addresses have unsubscribed. We use this data for statistical purposes and to optimise the newsletter in terms of content and structure. This allows us to better tailor the information and offers in our newsletter to the individual interests of the recipients. The web beacon is deleted when you delete the newsletter.

To prevent the use of the web beacon in our newsletter, the mail program must be set such that HTML is not displayed in messages, if this is not already the case by default. The following pages explain how to adjust these settings in the most common e-mail programs.

Microsoft Outlook 

Mail for Mac 

By registering, you give your consent for us to process the data you have provided for the purposes of regularly sending the newsletter to the address you have indicated, statistically analysing your user behaviour, and optimising the newsletter. This consent constitutes the legal basis of data processing for the purpose of our newsletter pursuant to Art. 6 para. 1 lit. a of the GDPR.

1.3 Cookies

Among other things, cookies help us to make your visit to our website easier, more pleasant and more meaningful. Cookies are information files that your web browser automatically stores on your computer's hard drive when you visit our website. 

For example, we use cookies to temporarily store the details you enter when filling in a form on our website (on required services, etc.) so that you do not need to re-enter this information when you access another subpage. Where applicable, cookies may also be used to identify you as a registered user once you have registered on the website to avoid you having to log in again when you access another subpage.

Most Internet browsers automatically accept cookies. However, you can configure your browser to block cookies or issue a warning message whenever a new cookie arrives. The following pages explain how to configure cookies on most of the popular web browsers:

Deactivating cookies may mean that some of the functions on our website will not work properly. 

1.4 Tracking tools

1.4.1 Google Analytics

For the purposes of needs-based design and the continuous optimisation of our pages, we use the web analysis service Google Analytics provided by Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. In this respect, pseudonymised user profiles are created and small text files (“cookies”) stored on your computer and used. Information generated by the cookie about your use of this website, such as 

  • the browser type/version
  • the operating system used
  • the referrer URL (previous page visited)
  • the host name of the accessing computer (IP address)
  • the time of the server request, and
  • the device

is sent to the servers of Google Inc., a company of the holding company Alphabet Inc., in the US and stored there. Before this data is transmitted to locations within the member states of the European Union or other states that are party to the agreement on the European Economic Area and Switzerland, the IP address is truncated through this website’s IP anonymisation process (“anonymizeIP”). Google will not associate the anonymised IP address transmitted by your browser through Google Analytics with any other data held by Google. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. In cases such as these, we use contractual guarantees to ensure that Google Inc. maintains an adequate level of data privacy. 

The information is used to analyse use of the website, to compile reports about website activities and to provide us with further services relating to website and Internet use for the purposes of market research and needs-based design for these websites. This information too may be forwarded to third parties where required by law or if third parties have been commissioned to process this data. Under the terms of Google Inc., under no circumstances will the IP address be used in connection with other data relating to the user. 

Users can prevent Google from collecting and processing the data generated by the cookie relating to their use of the website (including their IP address) by downloading and installing the browser plug-in from the following link: 


For the sake of completeness, we must point out that as part of their legislation, the US authorities are able to undertake surveillance measures under which the universal storage of all data sent from the European Union to the US is possible. This takes place without distinction, limitation or exception, on the basis of the objective pursued and without objective criteria that would allow it to limit access by US authorities to personal data and its subsequent use to specific, strictly limited purposes that justify access to this data. 

For users residing in EU member states, please note that, from the point of view of the European Union, the US does not have sufficient data protection levels due to, amongst other things, the issues mentioned in this section. Insofar as we have explained in this privacy policy that recipients of data (such as Google) are based in the US, we will use contractual arrangements with these companies to ensure that your data is afforded an appropriate level of protection by our partners.

This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above. 

1.4.2 Capture Media

The tracking solution fusedeck from Capture Media AG, Löwenstrasse 3, CH-8001 Zurich (hereinafter referred to as “Capture”) is integrated into our websites. Capture Media is a Swiss company having its registered office in Zurich which, on behalf of its customers, measures website usage in the context of engagements and events. Tracking is anonymous so that it is impossible to attribute any information gained to any identified or identifiable persons. Capture’s tracking script measures and analyses anonymous user interactions on the website. These user interactions include sessions, visit durations, clicks, hovers, scroll depths, element visibilities and other engagements. The integration of Capture meets the economic interest of optimising the website and media purchasing in advertising campaigns. Capture stores all interaction data anonymously. This means that Capture cannot assign the collected data to a specific person.

The data collected by Capture is stored on the servers of Amazon Web Services Ireland Limited, One Burlington Plaza, Burlington Road, Dublin 4, Ireland. 

Further information on data protection and the rights of data subjects in connection with fusedeck, including the “opt-out” option (objection option), can be found in the privacy policy and objection policy. Link

This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.

1.4.3 Facebook Pixel

On our website we use the Facebook pixel provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”).

This allows us to monitor a user's actions after the user has clicked on or viewed a Facebook promotion or advertisement. The bounce rate and the duration of the visit, for example, are measured. This allows us to assess the effectiveness of Facebook publicity for statistical and marketing purposes. The data gathered is anonymous to us, so we cannot link the data to an individual user. However, we do point out that Facebook does save and process the data. Facebook can associate this data with your Facebook account and use it for its own publicity purposes in accordance with the Facebook privacy policy. The data can permit Facebook and its partners to activate marketing communications both within and outside of Facebook. Furthermore, a cookie may be saved on your computer for these purposes.

You can prevent this tracking at any time by blocking or deactivating the relevant cookies in the menu bar of your web browser (see section 1.3 above).

This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.

1.5 Re-targeting and other marketing processes

1.5.1 Google Retargeting

We use retargeting technologies on our website. Your user behaviour on our website is analysed to enable partner websites to offer you advertising individually tailored to your preferences. Your user behaviour will be recorded under a pseudonym. 

Most retargeting technologies use cookies (see section 1.3 above).

This website uses Doubleclick by Google, services provided by Google Inc. (“Google”) to display ads based on your use of previously visited websites. For this purpose, Google uses the so-called double-click cookie, which allows your browser to be recognised when you visit other websites. The information generated by the cookie about your visit to these websites (including your IP address) is transmitted to a Google server in the United States and stored there (more information on transfers of personal data to the USA can be found in section 1.4.1 above).

Google will use this information for the purpose of evaluating your use of the website in terms of the advertisements to be displayed, to compile reports for the website operator on website activities and ads, and to perform other services associated with website and Internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. However, Google will never associate your IP address with other Google data.

You can prevent this retargeting at any time by rejecting or deactivating the relevant cookies in the menu bar of your web browser (see section 1.3 above).

This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.

1.5.2 Google Tag Manager

We also use Google Tag Manager to manage the usage-based advertising services. The tool Tag Manager itself is a cookie-less domain and does not collect any personal data. Instead, the tool is responsible for triggering other tags that may themselves collect data in some circumstances. If you have opted out at the domain or cookie level, it will remain in effect for all tracking tags implemented with Google Tag Manager.

1.5.3 Facebook Custom Audience

To promote interest-based advertisements to visitors to our website while visiting Facebook, we use “Custom Audiences Pixel” provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). We have implemented a Facebook pixel on our website, which connects directly to the Facebook servers when you visit our website. The information that you have visited our website is transmitted to the Facebook server and Facebook assigns this information to your personal Facebook user account. For more information on the collection and use of data by Facebook, your rights in this regard and how you can protect your privacy, please see Facebook’s privacy policy here.

If you wish to reject the connection with Facebook described above, simply block or deactivate the relevant pixels in your browser (see section 1.3 above). 

This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.

1.5.4 Campaign-related pixels and cookies

In some marketing campaigns, which each run for a few weeks only, we use pixels or cookies of various providers such as Adello or Tradedoubler. We use these pixels or cookies for retargeting purposes, i.e. we install a cookie that helps us to display on your computer advertising communications on the respective campaign on partner websites. You can prevent this retargeting at any time by deactivating the relevant pixels and cookies (see section 1.3 above).

This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.

1.6 Social media functions 

1.6.1 Links to our social media pages

Our website contains links to our social media profiles on the following social media networks:

  • Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA,
  • Twitter Inc.,1355 Market Street, Suite 900, San Francisco, CA 94103, USA
  • Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025
  • YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA

If you click on icons of the respective social networks, you are automatically forwarded to our profile page on the respective network. To be able to use the functions of the respective network, you may have to log in to your user account there. 

If you click on a link to one of our social media profiles, a direct connection is established between your browser and the server of the respective social network. By doing so, the network will be notified that you visited our website with your IP address, and clicked on the link. If you click on a link to a network while being logged in to your account on the respective network, the content of our site can be linked to your profile on the network, which means that the network can directly link your visit to our website with your user account. If you want to prevent this, you will need to log out of your account before clicking on the respective links. Linking of the information will definitely occur if you log in to the respective network after clicking on the link.

1.6.2 Yawave share buttons

We have integrated social media share buttons provided by yawave, Sälihügel 1, CH-6005 Lucerne in our website. You will recognise the button in the form of a Facebook, Twitter, Whatsapp or e-mail icon. When you click on one of the corresponding buttons, an input mask will appear in which you can enter a message. The moment you click on the “Share” button, you will be relayed to the login page of the corresponding social media platform (Facebook and Twitter). You will then need to log in to your account in order to share your message. You can prevent this flow of information to the relevant social media network by not logging in (and not clicking on “Share”). If you visit our website while already logged in to a social media account, the data will be exchanged the moment you click on “Share”. 

The personal data you enter will be processed by yawave. You will find more information on this subject here.

Data processing for the above purpose is founded on the consent – within the meaning of Art. 6 para. 1 lit. a of the GDPR – you give us when you click on the button, enter your message in the mask, and log in to your social media account after clicking on “Share”. 

Please note that sharing information by e-mail and Whatsapp is permissible only if you have received the consent of the message recipient to process his/her e-mail address or Whatsapp identification number for this purpose. By entering the e-mail address or sharing via Whatsapp, you ensure that this is the case. 

1.7 E-Recruiting

By submitting your personal data, you agree to the processing and storage of this data in accordance with the conditions set out below. Your data will only be disclosed to third parties with your express permission. Our company accepts no liability for damages arising from data transmission via the Internet.

Within the scope of e-recruiting, we use smahrt consulting AG’s “Talentsoft” tool/applicant portal. Smahrt consulting AG is a company based in Zurich. 

1.7.1 Applying for a job vacancy / speculative application

By applying for a job vacancy or submitting a speculative application, you consent to us collecting your personal data and using it for application/recruitment purposes.

We collect and process the following data: title, first name and surname, postal address, mobile number, e-mail address, date of birth (hereinafter referred to as “data”).

The data transmitted to us during the job application process will be permanently deleted as soon as it is clear that the position advertised has been filled. 

The data transmitted to us upon submitting a speculative application will be stored for a period of six months. At the end of this period, you will receive an e-mail requesting you to confirm your data. If you do not respond to this request within ten days, your data will be permanently deleted.

1.7.2 Job subscription

By registering for the job subscription, you consent to us storing your e-mail address and using it to send you regular notifications.

At the end of every job subscription notification, you will find a link for unsubscribing at any time. Once unsubscribed, your personal data will be permanently deleted.

2. Data processing outside the website

2.1 Processing customer details

We also collect customer data outside our website environment, e.g. when you make a purchase at one of our sales desks. The following data, in particular, is collected:

• Title

• First name

• Last name

• Date of birth

• Address

• Postal code

• Town/city

• Country

• Telephone

• E-mail

• Details in connection with the payment (depending on the chosen payment method).

The legal basis for processing the data in the above case is the performance of a contract pursuant to Art. 6 para. 1 lit. b of the GDPR. 

2.2 Processing the data of business partners / suppliers 

In the context of our relations with business partners / suppliers, we collect the details of the relevant contact persons at these companies. We collect the following data, in particular, on each of our business partners / suppliers:  

• Company name

• Company address, postal code, town/city

• First and last name of the contact

• Business phone number of the contact

• E-mail address of the contact

• Function and title of the contact (where available)

• Terms and conditions of contract

• History of the customer relationship

• E-mail for customer information bulletins

• Preferred means of payment

• Preferred currencies

The legal basis for processing the data in the above case is the performance of a contract pursuant to Art. 6 para. 1 lit. b of the GDPR. 

3. Shared responsibility in general and in public transport in particular

Rhätische Bahn AG is responsible for processing your data. As a public transport service provider/partner, we have a legal obligation to collaborate with other transport operators and partners in the provision of certain passenger transport services ("Direct Service"). 

For this purpose, and for other purposes described in this data privacy statement, we share data at national level within the "National Direct Service" (NDS), an association of over 240 transport operators and public transport partner companies. The individual TSPs and partners are listed here [link: https://www.allianceswisspass.ch/de/Themen/Datenschutz/Uebersicht-Transportunternehmen-und-Verbuende]. Data acquired from customers who purchase services or supply contact details are stored in a central database which is managed by SBB on behalf of NDS and for which we are jointly responsible with the other NDS companies and partners (the DS database). 

When services are purchased by customers using the SwissPass login, the data is stored in another central database (the SwissPass database) for which we are jointly responsible with the TSP and the NDS community. This database is again managed by SBB on behalf of NDS. To improve service efficiency and streamline the working relationship between the companies involved, data from the different databases may be merged. To enable single sign-on (SSO, a system that enables SwissPass users to access multiple services with a single login), we share login details and card, customer and service data with the central SwissPass login infrastructure during the authentication process. 

Access by individual TSPs and partners to the shared databases is regulated and limited by a contractual agreement. Sharing and processing by other TSPs and NDS partners using the central database is normally limited to contract processing, ticket control, after-sales service and revenue distribution. Data collected during purchase transactions for NDS services [link: https://www.allianceswisspass.ch/de/Themen/Datenschutz/Uebersicht-Sortiment] is also used for marketing purposes in certain cases. These include analysing the data to improve and promote public transport services in line with customer needs. If your data is processed or if you are contacted for this purpose, this will normally be done only by the TSP or partner from whom you purchased the NDS service. The other TSPs and partner companies associated with NDS will only process your data or contact you in exceptional circumstances and under strict conditions, and only if an analysis of the data shows that a particular public transport service would be beneficial for you as a customer. Contact and processing by SBB is an exception to this rule. SBB undertakes the marketing for NDS services (such as GA and half-fare travelcards) on behalf of NDS and may contact you at regular intervals in connection with these services. 

Our legitimate interest forms the legal basis for processing this data.

4. General provisions

4.1 Forwarding of data to third parties

We forward your personal data only if you have explicitly consented, if there is a legal obligation to do so or if this is necessary to assert our rights, in particular to assert claims arising from the contractual relationship. 

Furthermore, we forward your data to third parties where this is necessary within the scope of the use of the website and performance of the contract, i.e. when providing you with the services you have ordered or in order to analyse your user behaviour. The use by third parties of this shared data is strictly limited to the stated purposes. 

Various third-party service providers are explicitly mentioned in this data privacy policy (for example in the sections “When booking services”, “Tracking tools”, “Retargeting”, and “Newsletter”).

A service provider to whom personal data collected on the website is forwarded, or who has or could have access to personal data, is our website hosting company Unic AG Zürich, Baslerstrasse 60, CH-8048 Zurich. The website is hosted on servers in Switzerland. The data is shared for the purpose of providing and maintaining the functions of our website. This constitutes our legitimate interest within the meaning of Art. 6 para. 1 lit. f of the GDPR.

4.2 Transfer of personal data abroad

We are permitted to forward your data to third-party companies abroad if this is necessary in connection with the processing of your requests, to provide services and for marketing campaigns. These third-party companies are obliged to respect user privacy to the same extent as we do ourselves. If, in a certain country, the level of data protection is deemed inappropriate by Swiss standards or according to the provisions of the EU General Data Protection Regulation (GDPR), we will ensure by contractual means that your personal data is protected at all times in accordance with Swiss guidelines and/or the GDPR.

Various third-party service providers and the addresses of their head offices have already been mentioned in the section above (“Forwarding of data to third parties"). Some of the third-party service providers mentioned in this privacy policy have their place of residence in the USA (see “Tracking tools”, “Re-targeting”). Further details on the transfer of data to the USA can be found in the section “Tracking tools”.

4.3 Right of access, rectification, erasure and restriction of processing; right of data portability; right to complain to a supervisory authority

You have the right to obtain information – on request and free of charge – on the personal data that we store about you. In addition, you have the right to have inaccurate data corrected and the right to have your personal data deleted, as long as there are no legal retention obligations or acts of permission allowing us to process such data. 

Persons living in the EU are also entitled to demand the release of any data submitted to us (right of data portability). On request, we will also forward the data to a third party of your choice. You are entitled to receive the released data in a common file format. This right does not apply to persons living in Switzerland.  

For the aforementioned purposes, you can contact us at the e-mail address datenschutz(at)rhb.ch. We may, at our discretion, require proof of identity to process your request.

Furthermore, you are entitled to submit a complaint to a data protection authority at any time.

4.4 Storage of data

We store personal data only for as long as necessary in order to use the above-mentioned tracking services within the scope of our legitimate interest. Contract data is stored for longer periods as this is required by statutory obligations governing data retention. Requirements obliging us to retain data arise from accounting and tax regulations. According to these regulations, business communications, concluded contracts and accounting documents must be kept for up to 10 years. As and when we no longer need this data to perform our services for you, we will block the data. This means that the data may then be used only for accounting and for tax purposes.

4.5 Data security

We take appropriate technical and organisational security measures in order to protect your stored data from being manipulated, fully or partially lost, or accessed by unauthorised third parties. Our security measures are continuously adapted in line with the latest technological developments.

We also take our own internal data privacy very seriously. Our employees and the service providers we commission are obliged to maintain secrecy and to comply with the provisions of the data protection laws. Moreover, they are granted access to personal data only insofar as this is necessary.

4.6 Contact

If you have any questions about data privacy on our website, would like to receive information, or would like to have your data erased, please contact us by sending an e-mail to datenschutz(at)rhb.ch.

Please direct any correspondence to the following address:

Rhätische Bahn AG
Data Privacy Officer 
Bahnhofstrasse 25
7001 Chur

We have a data protection representative in the EU who serves as a point of contact for supervisory authorities and data subjects in accordance with Art. 27 GDPR:

VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg

Links to other websites
Certain links on this website allow the user to access sites that are outside the control of Rhätische Bahn AG. Rhätische Bahn AG shall accept no liability whatsoever for the content, products and/or services offered by these external websites. The corresponding links are provided only for the user’s convenience and for the purposes of information. Users access the information provided via these links at their own risk and under their own responsibility.

Applicable law and place of jurisdiction
All and any disputes that might arise between visitors/users of the website and Rhätische Bahn AG with respect to the use of the website shall be subject to the exclusive jurisdiction of the courts of law of the registered place of business of Rhätische Bahn AG in Chur, Switzerland. The laws of Switzerland shall apply exclusively.

© Rhätische Bahn AG, May 2022