This privacy policy applies to Rhaetian Railway Inc (RhB) (hereinafter “RhB” or “we”) with its registered office in Switzerland, Bahnhofstrasse 25, 7001 Chur, registered in the commercial register of the canton of Graubünden under the number CHE-105.956.490.
This privacy policy informs you about what data we process about you, why we need this data and how you can object to the collection of data.
Public transport companies handle your data confidentially.
Protecting your identity and privacy is important to us, the public transport companies. We guarantee that your personal data will be processed in compliance with the law and in accordance with the applicable provisions of data protection legislation.
Public transport companies set an example for the trustworthy handling of your data by adhering to the following principles:
You decide how your personal data will be processed. You are within your legal rights to refuse to have your data processed at any time, to revoke your consent or to have your data deleted. You always have the option of travelling anonymously, i.e. without a company collecting your personal data.
We offer you added value when it comes to processing your data. Public transport companies use your personal data to offer you added value along the mobility chain (e.g. tailor-made offers and information, support or compensation in the event of a malfunction). Your data will therefore only be used to help us develop, deliver, optimise and evaluate our services or to maintain customer relations.
We will not sell your data. Your data will only be disclosed to the carefully selected third parties listed in this privacy statement and only for the purposes explicitly identified. If we commission third parties to process data, they are obliged by contract to comply with our data protection standards.
We guarantee the security and protection of your data. Public transport companies guarantee the careful handling of customer data as well as the security and protection of your data. We have put in place appropriate organisational and technical measures to safeguard your data.
Please see below for more detailed information on how we handle your data.
Information
RhB is responsible for processing your data. As a public transport company, we are obliged by law to carry out direct services (NDS). To this end, certain data is exchanged among transport companies (TCs) and public transport associations and with third parties who broker public transport products and is stored centrally in databases jointly operated by all public transport companies and associations. We are therefore responsible for individual data processing together with these transport companies and associations. Further information on individual data processing operations can be found in the section “What does ‘joint responsibility in public transport’ mean?”.
If you have any questions or suggestions regarding data protection, please do not hesitate to contact us at any time:
Either by post to:
Rhaetian Railway Inc, Data privacy, Bahnhofstrasse 25, CH-7001 Chur
or by e-mail to: datenschutz@rhb.ch
Customers based in or with a registered office in an EU member state can also contact our EU representative:
VGS Datenschutzpartner GmbH, Am Kaiserkai 69, 20457 Hamburg, Germany, info@datenschutzpartner.eu
We are aware of how important it is to you that your personal data is handled carefully. All data processing takes place only for specific purposes. These may arise, for example, from technical necessity, contractual requirements, statutory regulations, overriding interest, i.e. legitimate reasons, or from your express consent. We do not collect any personal data aimed at automated decision-making.
We collect, store and process personal data where necessary, such as for managing the customer relationship, distributing our products and providing our services, processing orders and contracts, selling and invoicing, responding to questions and concerns, providing information about our products and services and marketing them, providing technical assistance, evaluating and developing services and products, as well as for recruiting.
For more detailed information on which data is processed for which purposes, please read the following sections.
For contractual reasons, we require personal information for the purchase of certain services and products in order to provide our services and process the contractual relationship, for example, when customers buy a season ticket or a single ticket. When purchasing personalised services, we collect – depending on the product or service – data such as:
Personal photo
Gender, name, e-mail address of the person buying or travelling
Other information such as postal address, date of birth
Phone number
Means/method of payment
Mandatory information is marked with an asterisk (*) in the corresponding forms. Failure to provide information will result in the contractual relationship not being concluded.
In order to fulfil contractual obligations, we also collect data on the services you have purchased (“service data”). Depending on the product or service, this includes the following information:
Type of product or service purchased
Price
Place, date and time of purchase
Purchase channel (internet, ticket machine, counter, etc.)
Travel date/period of validity and departure time
Place of departure and destination
Data generated when purchasing services is stored in a central database and also processed for other purposes, including marketing and market research purposes (more details can be found in the respective sections of this Privacy Policy).
In addition, the data is used as part of ticket inspection to identify the holder of a personalised ticket and to prevent misuse (for more information, please refer to the section “When checking services” and the section on joint responsibility in public transport).
The data is also used to provide our after-sales service in order to identify and support you in the event of concerns or difficulties and to process any claims for compensation.
The data is also used to distribute the revenue generated by the purchase of tickets fairly among the companies and associations of the National Direct Service.
Certain services offered on our website can be booked using contact forms. In order to process the order, we pass on the personal data you enter in the order form to the relevant service provider. For example, if you book an overnight stay, the corresponding service will be provided by the relevant service provider.
We use the following third-party booking systems on our website:
TrekkSoft AG, 3800 Interlaken, Switzerland
Infosystem AG, 9500 Wil, Switzerland
Alturos Destinations AG, 8808 Pfäffikon, Switzerland
Adega GmbH, 8304 Wallisellen, Switzerland
SBB Swiss Mobility API, 3000 Bern, Switzerland
Various displayed offers can be booked via these booking systems. When booking, the personal data you provide in the input form will be passed on to the relevant booking platform for the purpose of processing the booking.
Finally, we evaluate your data anonymously in order to be able to further develop the overall public transport system in line with needs.
Insofar as the EU GDPR is applicable, our legitimate interest and the necessity to perform the contract form the legal basis for this processing of personal data.
Customer and travelcard data is required and processed for the purposes of securing revenue (checking the validity of tickets or discount passes, collection, countering misuse). The transport companies and public transport associations are therefore entitled to process all data (ticket and control data and possibly particularly sensitive data in connection with all types of travel without a valid ticket, such as passengers with a partially valid ticket, passengers with an invalid ticket or passengers with forgotten tickets and discounts and any misuse) of the passengers or contract partners for the entire inspection and debt collection process, and to store it for the periods defined by data protection law and share it with other transport companies and public transport associations (also cross-border in the case of international tickets or discounted tickets).
The following provisions apply to individual data media:
SwissPass card: No control data is stored when the SwissPass card is used as a data medium (see SwissPass Mobile below for an exception).
SwissPass Mobile: When using the SwissPass Mobile application, the provisions that are acknowledged when activating SwissPass Mobile apply (see separate Privacy Policy). The following data is processed in this regard: registration, activation and control data generated when using SwissPass Mobile. As soon as SwissPass Mobile is used, this data is also collected from the SwissPass card. The storage period for registration data is up to 18 months after deactivation of SwissPass Mobile or after expiry of the SwissPass card. The activation and control data for SwissPass Mobile and the SwissPass card is stored on inspection devices for one day and in the control database for 30 days. If there is evidence of misuse, the maximum retention period for activation and control data is 90 days. Passengers who misuse SwissPass Mobile will be banned from using the app for 12 months. Users will be able to access SwissPass Mobile again after this time. The passenger file containing details of this ban will be deleted after a further 12 months.
Electronic tickets: When using electronic tickets (e-tickets), control data is stored in the central control data server at SBB. This data is stored for 360 days in order to combat misuse and to take measures to prevent misuse and fraudulent refunds.
Insofar as the EU GDPR is applicable, our legitimate interest and the necessity to perform the contract form the legal basis for this processing of personal data.
In the event of travel without a valid ticket, the data is stored in a jointly operated register. The passenger or contractual partner acknowledges that if any misuse or falsifications are discovered, the transport companies are authorised to provide all internal departments affected by the misuse and other transport companies with the relevant personal data so that misuse can be ruled out or confirmed and further misuse prevented.
According to the Federal Act on Passenger Transport (PBG), different time limits apply to the processing of the aforementioned data. The data is deleted as soon as it is established that the data subject has not caused any loss of income, and after two years if the data subject has paid the supplements and has not demonstrably travelled without a valid ticket during this period. The data may be retained for a maximum of ten years if it is necessary for the enforcement of claims against that person.
Insofar as the EU GDPR is applicable, Art. 20a of the Federal Act on Passenger Transport (PBG) and Art. 58a of the Ordinance on Passenger Transport (VPB) form the legal basis for this processing of personal data.
When you visit our website, we temporarily store each access in a log file. The following technical data is collected:
IP address of the requesting computer
Date and time of access
Website from which access was made, possibly with the search word used
Name and URL of the retrieved file
Performed searches (timetable, general search function on website, products, etc.)
The operating system of your computer (provided by the user agent)
The browser you are using (provided by the user agent)
Device type in the case of mobile phone access
Transmission protocol used
This data is collected and processed for the security and stability of the system and for error and performance analysis as well as for internal statistical purposes and enables us to optimise our website. In addition, this allows us to design our website to be target-group-specific, i.e. to provide targeted content or information that may be of interest to you. The aforementioned information is not linked to or stored with personal data.
The IP address is also used to preset the language of the website. In addition, it is evaluated, together with other data, in the event of attacks on the network infrastructure or other unauthorised or improper use of the website for clarification and defence purposes, and, where necessary, is used in criminal proceedings to identify the perpetrators and in civil and criminal proceedings against the users concerned.
Finally, we use cookies and other tracking technologies when you visit our website. Further details can be found in the section on tracking tools below.
In the case of third-party websites that are linked to our website, no guarantee is given for compliance with the RhB privacy policy.
Insofar as the EU GDPR is applicable, our legitimate interest forms the legal basis for this processing of personal data.
You have the option of using a contact form to get in touch with us. The following personal data must be entered in the relevant main form:
Category of request
First Name
Family Name
E-Mail
Message
In the case of group enquiries, the following must also be entered: Travel Date, Travel Route, Traveler Count. For refund requests, these are the fields Travel Date and Refund.
We use this and other data entered voluntarily (such as Salutation, Phone Number and Travel Route) only in order to be able to respond to your enquiries in the best possible way and in a personalised manner. Any voluntary information about how you became aware of our offer will also be used for statistical purposes internally.
In addition to the main form, there are also regular contact forms for various other matters. We manage forms with form.io, an app from 500apps, 99 Wall Street, New York, NY 10005, USA. As a rule, the data flows directly into SAP Service Cloud or directly to the responsible team. The data therefore remains within Switzerland or the EU/EEA (in RhB environments).
Insofar as the EU GDPR is applicable, our legitimate interest and the necessity to perform the contract form the legal basis for this processing of personal data.
You can use the Clà Ferrovia app to collect Clà points and win prizes (see Clà Ferrovia Schnitzeljagd). We manage the resulting customer data with Zoho, Trinkausstrasse 7, 40213 Düsseldorf, Germany.
Insofar as the EU GDPR is applicable, our legitimate interest and the necessity to perform the contract form the legal basis for this processing of personal data.
Conversations are not recorded when you contact our Railservice by telephone. The RhB employee conducting the conversation can only activate the recording (even without prior notice) if there are specific indications that a criminal/security-related incident has occurred. In this case, the call together with your phone number and the time of the call will be stored for 30 days. If no further action is taken, the data will be irrevocably deleted after this period has expired. If further clarifications or proceedings are initiated, the relevant data remains stored until the proceedings are concluded. Recordings are stored exclusively on RhB’s IT infrastructure in databases within Switzerland.
Insofar as the EU GDPR is applicable, our legitimate interest forms the legal basis for this processing of personal data.
Some trains, stations, level crossings and other RhB premises are monitored by CCTV. CCTV systems are used to protect passengers, operations and infrastructure.
The video data is stored for 30 days at railway stations and up to a maximum of 120 hours in vehicles, depending on the vehicle type. Once these periods have expired, the data is overwritten and thus automatically deleted (loop memory). Data relevant to a specific event is backed up for further processing after a corresponding event has occurred. The video data from CCTV on the trains is stored on the trains themselves. Other video data is stored exclusively on RhB’s IT infrastructure in databases within Switzerland.
More information on CCTV can be found in the CCTV privacy policy.
Insofar as the EU GDPR is applicable, Art. 55 of the Federal Act on Passenger Transport (PBG) forms the legal basis for this processing of personal data.
We operate an online shop for our merchandise items (https://www.rhb-shop.ch/en/). For this purpose, we use an external service provider, PANDINAVIA AG, Industriestrasse 30, 8302 Kloten, Switzerland. They process your data on our behalf or receive user data from us as a separate controller. The handling of your personal data is governed by a data processing agreement (DPA). Further information can be found in German in the privacy policy at https://www.pandinavia.ch/de/datenschutzerklarung/
Service providers are used to process payments. These process the user data as part of the ordering processes in the online shop in order to enable users to select and order the desired products and services, as well as to pay for and have the products delivered or the services performed. The processed data includes master data (inventory data), communication data, contract data and payment data. The persons affected by the processing include customers, interested parties and other business partners. In this context, we use session cookies, e.g. to store the contents of the shopping cart, and permanent cookies, e.g. to store the login status.
Credit card payments made via the website are processed via Saferpay (Worldline AG) and are encrypted using SSL technology. Worldline processes the user data on behalf of and in connection with the payments made by the user. The user data is only used to process the user’s payment instructions and will not be made available to any third party other than the financial institutions responsible for the respective payment method. The user is likely to see “Worldline” or “Saferpay” on their credit card or account statement in connection with their order.
Payment transactions are subject to the terms and conditions and privacy policy of the respective payment service providers. These can be accessed on the respective website or in transaction applications. We also refer to these terms and conditions as well as the privacy policy for the purpose of further information and to assert the rights of revocation, information and other rights of data subjects. Further information can be found in the Saferpay/Worldline Privacy Notice (https://worldline.com/en/compliancy/privacy).
In the context of the fulfilment of contracts, we use payment service providers on the basis of the Swiss Data Protection Ordinance and, where necessary, Art. 6 (1) (b) EU GDPR. We also use external payment service providers on the basis of our legitimate interests in accordance with the Swiss Data Protection Ordinance and, where necessary, in accordance with Art. 6 (1) (f) of the EU GDPR in order to offer our users effective and secure payment options.
We operate an online shop for our vouchers (https://shop.e-guma.ch/rhaetische-bahn/en/gift-vouchers). For this purpose, we use an external service provider, Idea Creation GmbH, Walchestrasse 15, 8006 Zurich, Switzerland. They process your data on our behalf or receive user data from us as a separate controller. The handling of your personal data is governed by a data processing agreement (DPA). Further information can be found in the privacy policy at https://shop.e-guma.ch/rhaetische-bahn/en/privacypolicy
Payment transactions are subject to the terms and conditions and privacy policy of the respective payment service providers. These can be accessed on the respective website or in transaction applications. We also refer to these terms and conditions as well as the privacy policy for the purpose of further information and to assert the rights of revocation, information and other rights of data subjects.
In the context of the fulfilment of contracts, we use payment service providers on the basis of the Swiss Data Protection Ordinance and, where necessary, Art. 6 (1) (b) EU GDPR. We also use external payment service providers on the basis of our legitimate interests in accordance with the Swiss Data Protection Ordinance and, where necessary, in accordance with Art. 6 (1) (f) of the EU GDPR in order to offer our users effective and secure payment options.
You can create a customer account at swisspass.ch. We require the following data from you:
Last name and first name
Date of birth
Address (street, postcode, town/city and country)
Customer number (if you already have a public transport travelcard)
E-mail address and password (login data)
Registering enables you to use your login details (SwissPass login) to access the numerous online services (web shops and apps) of public transport companies and associations and to obtain services from them without having to complete the entire registration process again. Services that you purchase using the SwissPass login (in particular public transport tickets/season tickets/travelcards) are recorded in your customer account and in a central database (“NDS database”). This data processing is necessary for the performance of the contract on the use of the SwissPass and therefore has this as its legal basis. You can find more information about this in the sections on joint responsibility in public transport and on disclosure to third parties in this privacy policy as well as in the privacy policy at swisspass.ch
For the purposes of e-recruiting, we use the tool/applicant portal “Talentsoft” from Cegid, 52 quai Paul Sédallian, 69009 Lyon, France.
Applying for a job vacancy / speculative application: When you apply for a job vacancy or submit a speculative application, your personal data will be collected and used in the context of the application/employment process. The data we collect and process includes: salutation, first name and last name, postal address, mobile phone number, e-mail address, date of birth.
If no employment relationship is established, the data you provide to us as part of your application will be stored for a maximum of six months. Once this period has expired, your data will be deleted irrevocably.
If an employment relationship is established, your data will be stored in your personnel file. The privacy policy for employees applies to this, which will then be available to you on RhB’s own intranet.
Job subscription: By registering for the job subscription, you consent to us storing your e-mail address and using it to send you regular notifications. At the end of every job subscription notification, you will find a link for unsubscribing at any time. Once unsubscribed, your personal data will be permanently deleted.
In the context of our relations with business partners / suppliers, we collect the details of the relevant contact persons at these companies. We collect the following data, in particular, on each of our business partners / suppliers:
Company name
Company address, postcode, town/city
First and last name of the contact
Business phone number of the contact
E-mail address of the contact
Function and title of the contact (where available)
History of the customer relationship
E-mail for customer information bulletins
Preferred means of payment
Preferred currencies
Insofar as the EU GDPR is applicable, the legal basis for processing your data is the fulfilment of a contract pursuant to Art. 6 (1) (b) EU GDPR.
The list of storage periods and locations of the databases in public transport applies for data processed when purchasing a season ticket or individual ticket or in the database relating to travel without a valid or partially valid ticket.
Other contractual data is stored by us for as long as required by statutory retention obligations (retention obligations that oblige us to retain data result from accounting regulations and tax regulations). For example, the data for orders placed for merchandise in the online shop is kept for ten years.
The storage period for cookies can be seen in your browser under the respective cookie.
Recordings of calls made to Railservice are deleted after 30 days.
Video recordings are deleted at stations after 30 days and in vehicles after 120 hours, depending on the vehicle generation.
Applicant data is deleted in the case of e-recruiting after six months if no employment relationship is established.
Various third-party service providers and their registered offices are mentioned in this privacy policy. Your data is generally stored in databases within Switzerland or within the EU/EEA.
However, in some of the cases listed in this privacy policy, the data will also be shared with third parties who have their registered office outside Switzerland and the EU/EEA. These companies are obliged to respect user privacy to the same extent as we do ourselves. If, in a certain country, the level of data protection is deemed inappropriate by Swiss standards or according to the provisions of the EU General Data Protection Regulation (GDPR), we will ensure by contractual means that your personal data is protected at all times in accordance with Swiss guidelines and/or the GDPR.
Some of the third-party service providers named in this privacy policy are based in the USA (see in particular “Tracking tools”). With providers from the USA, the Data Privacy Framework is authoritative (i.e. the providers we use are listed in this framework – https://www.dataprivacyframework.gov/).
The list of storage periods and locations of the databases in public transport applies for data processed when purchasing a season ticket or individual ticket or in the database relating to travel without a valid or partially valid ticket.
If you agree, we use your customer data (name, gender, date of birth, address, customer number, e-mail address), your service data (data about purchased services such as season tickets/travelcards or single tickets) and your click behaviour on our websites or in e-mails you have received from us for marketing purposes. With regard to evaluating click behaviour, please also refer to the section on tracking tools.
We evaluate this data in order to further develop our offerings in line with your needs and to send or show you the most relevant information and offers (via e-mail, letter, personalised teasers on the web, in person at the counter). For this purpose, we only use the data that we can clearly assign to you, for example because you have logged in or identified yourself on our website with your SwissPass login and purchased a ticket.
The legal basis for this processing is our legitimate interest. In certain cases, SBB or another company involved in direct transport may also contact you under strict conditions. Please note the information in the section on joint responsibility in public transport.
You can refuse to be contacted by SBB (e.g. in connection with your GA travelcard or Half-Fare travelcard) or other public transport companies (including RhB) at any time. The following options are available:
Every e-mail you receive from us or other public transport companies contains an unsubscribe link that allows you to unsubscribe from further messages.
If you have a SwissPass login, you can log in at
and manage your settings for receiving messages in your user account at any time.
You can also subscribe or unsubscribe at any counter or by telephone or e-mail.
Please also note the information on the right to object with regard to the evaluation of click behaviour in the section on tracking tools.
In order to continuously improve the quality of our services and offers, we conduct market research. If you agree, we may use your contact details for customer surveys (e.g. online surveys). If you do not wish to be invited to take part in such surveys, you have the following options:
Every e-mail you receive from us or other public transport companies contains an unsubscribe link that allows you to unsubscribe from further messages.
If you have a SwissPass login, you can log in at
and manage your settings for receiving messages in your user account at any time.
You can also subscribe or unsubscribe at any counter or by telephone or e-mail.
We may also use technical means to evaluate your personal customer data for market research purposes. In this case, the data will be anonymised as soon as the purpose of processing allows this.
With regard to your personal data, you have the following rights:
You can request information about the personal data stored about you.
You may request that your personal data be corrected, supplemented, blocked or deleted. The deletion shall be replaced by blocking if there are legal obstacles to the deletion (e.g. statutory retention obligations).
If you have set up a customer account, you can delete it or have it deleted.
You may object to the use of your data for marketing purposes.
You may revoke your consent at any time with effect for the future.
You may request the transmission of your data.
In order to exercise your rights, you can contact us in writing:
Rhaetian Railway Inc, Data privacy, Bahnhofstrasse 25, CH-7001 Chur
or by e-mail to: datenschutz@rhb.ch
If you would like to request data protection information or the deletion of your personal data on the entire public transport system, you can contact SBB in writing. Requests for information and/or deletion must be made to the following address:
SBB AG, Legal & Compliance, Data Protection Office, Hilfikerstrasse 1, CH-3000 Bern 65
Furthermore, you have the right to lodge a complaint with a data protection authority at any time.
RhB is responsible for processing your data. As a public transport company, we are obliged by law to provide transport services together with other transport companies and public transport associations (“Direct Service”, Art. 16 and 17 of the Federal Act on Passenger Transport). To make this possible, for example, data that comes from contacting you or from your purchased services is passed on nationally within the National Direct Service (NDS), an association of more than 240 public transport companies (TCs) and associations. The individual transport companies and associations are listed here.
The data is stored in the central database NOVA, which is managed by SBB on behalf of the NDS and for which we are responsible together with the other transport companies and associations of the NDS. NOVA is a technical platform for the distribution of public transport services. It contains all the key elements for the sale of public transport services, such as the customer database. The scope of access to the shared databases by the individual public transport companies and associations is governed by a joint agreement. The forwarding of the data and its processing by the public transport companies and associations that takes place with the central storage is limited to the following purposes:
Provision of the transport service: To ensure that your journey runs smoothly, your travel and purchase data is forwarded within the NDS.
Contract performance: We process this data in order to draft, manage and perform the contract.
Customer relations management and support: We process your data for the purposes of communicating with you, in particular to answer enquiries and assert your rights, to identify you across public transport in the event of concerns or difficulties and to provide you with the best possible support, as well as to process any claims for compensation.
Ticket inspection and revenue protection: Customer and travelcard data is required and processed for the purposes of securing revenue (checking the validity of tickets or discount passes, collection, countering misuse). The database on journeys without a valid ticket or with only a partially valid ticket can be used to record incidents of such journeys.
Distribution of revenue: The office of the Alliance SwissPass, managed by ch-integral, fulfils the statutory mandate defined in the Swiss Federal Act on Passenger Transport to collect travel data for the correct distribution of revenue. The office acts as the mandate holder for the distribution of revenue in the National Direct Service on behalf of the companies that are members of the NDS.
Identification as part of the authentication of the SwissPass login (SSO): For services that you purchase using the SwissPass login, the data is then stored in the central customer database (NOVA). In order to enable you to use single sign-on (SSO) (one login for all applications that offer the use of their services with the SwissPass login), the aforementioned login, card, customer and service data are also exchanged between the central SwissPass login infrastructure and us as part of the authentication process.
Joint marketing and market research activities: In addition, the data collected when purchasing public transport services is also processed for marketing purposes in certain cases. If your consent has been obtained and your data has been processed or you have been contacted for this purpose, this will only be carried out by the public transport company or association from which you purchased the corresponding public transport service. The other public transport companies and associations associated with the NDS will only process your data or contact you in exceptional circumstances and under strict conditions, and only if an analysis of the data shows that a particular public transport service would be beneficial for you as a customer. Contact and processing by SBB is an exception to this rule. SBB undertakes the marketing for NDS services (such as GA and Half-Fare travelcards) on behalf of NDS and may contact you at regular intervals in connection with these services. We also process your data for market research, to improve our services and for product development.
Further development of public transport systems with anonymous data: We evaluate your data anonymously in order to be able to further develop the overall public transport system in line with needs.
Support for people with reduced mobility: Public transport companies process personal data in the context of supporting people with reduced mobility. In order to provide the transport service, we also collect information on the type of disability, the aids required and information about your journey in addition to your personal details and contact details.
The required data will be passed on to the transport companies in Switzerland or selected service providers involved in the journey – and only to the extent necessary for the provision of the service. These include, for example, SOS station assistance and taxi service providers for substitute shuttle transport.
If your journey takes you to other European countries, we only transmit the necessary information to those transport companies that require this information for your support. The disclosure of personal data abroad is permissible in particular if it is directly related to the conclusion or performance of a contract. Before transferring data abroad, public transport companies and associations must ensure that an appropriate level of data protection is in place in the recipient country.
Your data will not be resold by us.
Your personal data will then only be passed on to selected service providers (usually service providers from Switzerland or the EU/EEA) and only to the extent necessary for the provision of the service.
These include, but are not limited to, IT support service providers, issuers of season tickets/travelcards, shipping service providers (such as Swiss Post), service providers tasked with allocating traffic revenue to the transport companies involved (in particular in the course of creating distribution keys within the meaning of the Swiss Federal Act on Passenger Transport) and the providers mentioned in the sections on tracking tools. With regard to service providers based abroad, please also note the information in the section “Where is the data stored?”.
In addition, your data may be passed on if we are legally obliged to do so or if this is necessary to safeguard our rights, in particular to enforce claims arising from the relationship with you.
If you book cross-border journeys, the data will also be forwarded to the respective foreign providers. However, this only takes place to the extent necessary to check the validity of the tickets and to prevent misuse.
Insofar as the EU GDPR is applicable, our legitimate interest forms the legal basis for the above-mentioned data processing (within the meaning of Article 6 (1) (f) GDPR).
Your personal data will not be disclosed to other third parties outside of public transport. The only exceptions are SwissPass partners (to the extent described below) and companies approved by the public transport companies for the purpose of arranging public transport services on the basis of a contractual agreement. These intermediaries will only have access to your personal data if you wish to obtain a public transport service from them and have given them your consent for access (you can revoke your consent at any time with effect for the future). Even so, they will only have access to your data to the extent necessary to determine whether you already have tickets or season tickets for the planned travel period that are relevant to your trip and the third-party service you have requested.
If you use offers from a SwissPass partner while using your SwissPass, data about any services you may have purchased from us (e.g. a GA travelcard, Half-Fare travelcard or point-to-point travelcard) may be transmitted to the SwissPass partners in order to check whether you can benefit from a specific offer from the SwissPass partner (e.g. discount for GA travelcard holders). The relevant partner will be informed in the event of loss, theft, misuse, forgery or replacement of a card after the purchase of a service. This data processing is necessary for the performance of the contract on the use of the SwissPass and therefore has this as its legal basis. Further information can be found in the privacy policy at swisspass.ch and in the privacy policy of the respective SwissPass partner.
We use web analytics services for the purpose of tailoring and continuously optimising our websites and e-mails. Insofar as the EU GDPR is applicable, our legitimate interest (pursuant to Article 6 (1) (f) GDPR) forms the legal basis for the data processing described below. The right to object or opt out is referred to below.
What are cookies and when are they used? Cookies are small files that are stored on your computer or mobile device when you visit or use one of our websites. Cookies store certain settings via your browser and data about the exchange with the website via your browser. When a cookie is activated, it can be assigned an identification number that identifies your browser and uses the information contained in the cookie. You can define a setting in your browser so that a warning appears on the screen before a cookie is stored. You can also opt out of the advantages of personal cookies by rejecting them. Certain services cannot be used in this case.
We use cookies to evaluate general user behaviour. The aim is to optimise our digital presence, which should be made easier to use and the content more intuitive to find. The digital presence should be able to be set up and structured in a more comprehensible way. It is important to us to make our digital presence user-friendly according to your needs. This allows us to optimise the website with targeted content or information on the website that may be of interest to you.
What are web beacons and when are they used? A web beacon is typically a 1x1 pixel image that is invisible to the human eye. When a user visits a website or opens an e-mail containing a web beacon, the user’s browser sends a request to the server where the image is stored. During this request, various pieces of information are transmitted to the server without data being stored on the user’s device (as opposed to cookies).
This allows us to count the number of visitors, see which pages are visited most often and how users move around the website. This data is used to optimise the user experience.
We also use it to measure the effectiveness of our e-mail campaigns. This pixel tells us whether an e-mail was opened, when it was opened and which links were clicked.
What is local storage and when is it used? Local storage enables websites to permanently store data in a user’s browser. Unlike cookies, it does not have an expiry date and the data is retained even after the browser is closed.
We primarily use local storage for users’ consent decisions.
What are social plug-ins and how are they used? Social plug-ins are small software elements provided by social networks such as Facebook and integrated into other websites. They allow users to interact directly with content from the social network on external websites without having to leave the site.
We do not use such plug-ins.
What are other plug-ins and how are they used? Other plug-ins are small software elements that expand the functions of rhb.ch. They enable users to use features such as playing videos directly on rhb.ch without having to leave the site.
We use the Google Maps plug-in, which allows us to display an interactive map from Google Maps directly on rhb.ch.
We use the YouTube Viewer plug-in, which allows us to display YouTube videos directly on rhb.ch.
What is technically necessary? Some cookies are technically necessary. These include the language settings cookie (this stores the preferred language that the user has actively selected) or a shopping cart cookie (this stores the items that a user places in their online shopping cart during the purchase).
Technically necessary cookies cannot be de-selected.
What are technically unnecessary tracking tools and how are they used? Tracking tools that are not technically necessary are used to track user behaviour beyond what is absolutely necessary for the provision of the service. They are mainly used for marketing, analytics and the creation of detailed user profiles.
If you are from the EU/EEA area, you can opt out of web beacons and technically unnecessary cookies (such as those from Google) after accessing the website via the cookies consent banner.
If you are from outside the EU/EEA, you can unsubscribe by clicking on “Privacy Policy” in the notice banner.
Below you can find out more about our tracking on websites: Pseudonymised usage profiles are created in connection with our websites (pseudonymised, because we do not know who is behind your IP address, etc.) and cookies stored on your computer and other tracking technologies (e.g. web beacons) are used. The information generated by tracking about your use of this website is transmitted to the servers of the providers of these services, stored there and prepared for us. Please note that the providers of these services may know who you are (e.g. if you have a Google account and are permanently logged in to it).
In addition to the pseudonymised usage profile, we receive the following information:
Navigation path taken by a visitor to the website
Time spent on the website or subsite
Subsite from which the website is left
Country, region or city from which access is made
Device (type, version, colour depth, resolution, width and height of the browser window)
Recurring or new visitor
Browser type/version
Operating system used
Referrer URL (previous page visited)
Host name of the accessing computer (IP address)
Time of the server request
This information is used to evaluate the use of the website and to optimise the user experience.
Below you can find out more about our tracking when sending e-mails: On our website, we give you the opportunity to subscribe to our newsletter. To do this, you will need to register and provide us with the following details:
Title
First name and last name
E-mail address
We process this data exclusively in order to personalise the information and offers sent to you.
We commission third parties for the technical processing of marketing campaigns / sending e-mails. For this purpose, we provide your personal data to Braze, 330 West 34th Street, 18th Floor, New York, NY 10001, USA (however, the server for the dispatch is operated in Germany), or to Campaign Monitor Pty Ltd, L 37, 201 Elizabeth Street, Sydney, Australia (however, the server for the dispatch is operated in the EU).
Our e-mails contain a web beacon (tracking pixel) or similar technical means. The pixel is linked to the user ID of the respective e-mail subscriber.
For each newsletter sent, we collect information on the address file used, the subject and the number of newsletters sent so far. In addition, we can see which addresses have not yet received a newsletter, to which address the newsletter was sent, and for which addresses the dispatch failed. It is usually also possible to ascertain the opening rate, including information on which addresses have opened the newsletter and which addresses have unsubscribed from the newsletter mailing list.
The use of corresponding services enables the evaluation of the information listed above. Furthermore, click behaviour can also be recorded and evaluated. We use this data for statistical purposes and to optimise the content of our messages. This enables us to better align the information and offers in our e-mails with the interests of the recipients.
If you wish to prevent the use of the web beacon in our e-mails, please set your e-mail program so that no HTML is displayed in messages – if this is not already the case by default. You can find instructions on how to do this here, for example.
Find out more about our tracking tools below:
fusedeck: The fusedeck tracking solution from cptr AG (hereinafter referred to as “cptr”) is integrated into this website. cptr is a Swiss company based in Zurich that measures the use of this website in the context of engagements and events on our behalf.
The fusedeck cookies are technically necessary and cannot be de-selected. Tracking is anonymous so that it is impossible to attribute any information gained to any identified or identifiable persons.
The tracking script measures and analyses anonymous user interactions on the website. These user interactions include
Meetings
Dwell times
Clicks
Hovers
Scroll depths
Element visibility and other engagements.
The integration of Capture meets the economic interest of optimising the website and media purchasing in advertising campaigns.
Google Analytics: Google Analytics is a web analysis service provided by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA and Google Ireland Limited, Gordon House Barrow St, Dublin 4, Ireland.
Google Analytics uses methods that enable an analysis of the use of a website. The information about your use of the RhB website is transmitted to a Google Ireland server and stored there. As a rule, the IP address is truncated by activating IP anonymisation (“anonymizeIP”). Only in exceptional cases will the full IP address be transmitted to a Google server (possibly also in the USA) and truncated there.
The information is used to analyse the use of the website, to compile reports on the activities on the website and to provide other services related to the use of the website and the use of the internet for the purposes of market research and tailored design of the website. This information may also be forwarded to third parties where required by law or if third parties have been commissioned to process this data. Under the terms of Google, under no circumstances will the IP address be used in connection with other data relating to the user.
Users can prevent Google from collecting the data generated by the cookie and relating to the use of the website by the user in question (including the IP address) and processing this data by simply clicking “Reject” in the cookies consent banner as an EU/EEA user or clicking “Privacy Policy” in the notice banner as a non-EU/EEA user. Alternatively, users can download and install the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en-GB
Google Retargeting: We use retargeting technologies on our website. Your user behaviour on our website is analysed to enable partner websites to offer you advertising individually tailored to your preferences. Your user behaviour will be recorded under a pseudonym.
We use DoubleClick (by Google) to display advertisements based on the use of previously visited websites. For this purpose, Google uses the so-called DoubleClick cookie, which allows your browser to be recognised when you visit other websites. The information generated by the cookie about your visit to this website (including your IP address) is transmitted to a Google server and stored there.
Google will use this information for the purpose of evaluating your use of the website in terms of the advertisements to be displayed, to compile reports for the website operator on website activities and ads, and to perform other services associated with website and internet usage.
Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. However, Google will never associate your IP address with other Google data.
You can prevent re-targeting at any time by simply clicking on “Reject” in the cookies consent banner as an EU/EEA user or on “Privacy Policy” in the notice banner as a non-EU/EEA user.
Google Tag Manager: We also use Google Tag Manager to manage the usage-based advertising services. The tool Tag Manager itself is a cookie-less domain and does not collect any personal data. Instead, the tool is responsible for triggering other tags that may themselves collect data in some circumstances. If you have opted out at the domain or cookie level, it will remain in effect for all tracking tags implemented with Google Tag Manager.
Campaign-related pixels and cookies: We also use pixels or cookies from Adform, Rosenborggade 15, 1130 Copenhagen, Denmark for certain campaigns. We use these pixels or cookies for retargeting purposes, i.e. we install a cookie that helps us to display on your computer advertising communications on the respective campaign on partner websites.
You can prevent re-targeting at any time by simply clicking on “Reject” in the cookies consent banner as an EU/EEA user or on “Privacy Policy” in the notice banner as a non-EU/EEA user.
Facebook Custom Audience: To promote interest-based advertisements to visitors to our website while visiting Facebook, we use “Custom Audiences Pixel” provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). We have implemented a Facebook pixel on our website, which connects directly to the Facebook servers when you visit our website. The information that you have visited our website is transmitted to the Facebook server and Facebook assigns this information to your personal Facebook user account. For more information on the collection and use of data by Facebook, your rights in this regard and how you can protect your privacy, please see Facebook’s privacy policy here.
If you wish to object to the described connection to Facebook, you can do so by simply clicking on “Reject” in the cookies consent banner as an EU/EEA user or on “Privacy Policy” in the notice banner as a non-EU/EEA user.
We use suitable technical and organisational security measures to protect your personal data stored by us against manipulation, partial or complete loss, and unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.
We also take internal company data protection very seriously. Our employees and the external service providers commissioned by us have undertaken to maintain confidentiality and to comply with data protection regulations.
We take reasonable precautions to protect your data. However, the transmission of information via the internet and other electronic means always entails certain security risks and we cannot guarantee the security of information transmitted in this way.
We reserve the right to amend and supplement this policy at any time and at our discretion. The version published on this website is the current version. Last update: December 2025