Data protection declaration (DPD) OSTWIND fare network
Data protection declaration (DPD) OSTWIND fare network
This data protection declaration applies to the OSTWIND fare network (hereinafter referred to as OSTWIND), the "OSTWIND Tickets" app and the websites ostwind.ch, entdeckungsreise.ostwind.ch, shop.ostwind.ch and firmenabo.ostwind.ch. Please check this statement regularly for changes. It is valid in the current version.
With this data protection declaration, we inform you about which data we process from you, what we need this data for and how you can object to the data collection.
"Customer promise" of the public transport companies:
Public transport ies treat customer data with confidence.
The protection of your personality and your privacy is an important concern for us, the public transport companies. We guarantee that your personal data will be processed in accordance with the applicable provisions of data protection law.
The public transport companies set an example for the trustful handling of your data with the following principles:
Public transport companies treat customer data with confidence.
The protection of your personality and your privacy is an important concern for us, the public transport companies. We guarantee that your personal data will be processed in accordance with the applicable provisions of data protection law.
The public transport companies set an example for the trustful handling of your data with the following principles:
You decide yourself about the processing of your personal data
You decide yourself about the processing of your personal data
Within the legal framework, you can refuse to allow your data to be processed at any time, revoke your consent or have your data deleted. You always have the option of travelling anonymously, i.e. without having your personal data recorded.
When processing your data, we offer you added value
Public transport companies use your personal data exclusively in the context of service provision and to offer you added value along the mobility chain (e.g. tailor-made offers and information, support or compensation in the event of disruption). Your data will therefore only be used for the development, provision, optimisation and evaluation of our services or for the maintenance of the customer relationship.
Your data will not be sold.
Your data will only be disclosed to selected third parties listed in this data protection declaration and only for the explicitly stated purposes. If we commission third parties with data processing, they are obliged to comply with our data protection standards.
We guarantee security and protection for your data.
The public transport companies guarantee the careful handling of customer data and the security and protection of your data. We take the necessary organisational and technical precautions to ensure this.
Below you will find detailed information on how we handle your data.
1. Who is responsible for data processing
OSTWIND is responsible for processing your data. As a public transport fare network, OSTWIND is a member of the Swiss National Direct Transport (NDV). As a result, certain data is exchanged within the transport companies (TU) and public transport associations, as well as with third parties who distribute a public transport range, and stored centrally in databases operated jointly by all TUs and public transport associations. We are therefore responsible for individual data processing jointly with these TUs and associations. You can find more information on the individual data processing in the section "What does joint responsibility in public transport mean?".
If you have any questions or suggestions regarding data protection, you can contact us at any time as follows. Either by post to:
Customers domiciled in a member state of the EU can also contact our EU representative:
or by e-mail to: ostwind@mll-gdpr.com
2. Why do we collect personal data?
We are aware of how important it is for you to handle your personal data carefully. All data processing is only carried out for specific purposes. These may result, for example, from technical necessity, contractual requirements, legal regulations, overriding interest, i.e. for legitimate reasons, or from your express consent. We collect, store and process personal data to the extent necessary, for example for the administration of the customer relationship, the distribution of our products and the provision of our services, the processing of orders and contracts, sales and invoicing, answering questions and requests, providing information on our products and services and their marketing, support with technical matters and the evaluation and further development of services and products. For more detailed information on which data is processed for which purposes, please read the following sections.
3. What data is stored and what is it used for?
3.1 When purchasing services shop.ostwind.ch:
For contractual reasons, we require personal data for online orders or the purchase of certain services and products in order to provide our services and process the contractual relationship. For example, when purchasing a subscription or a single ticket. When purchasing personalised services, we collect the following data - depending on the product or service - whereby mandatory data is marked with an asterisk (*) in the corresponding form:
- Personal photo
- Gender, name, e-mail address of the person purchasing or travelling
- Further details such as postal address, date of birth
- Telephone number
- Means/method of payment
- Agreement to the general terms and conditions
In order to process the contractual relationship, we also collect data about the services you have purchased ("service data"). This includes - depending on the product or service - the following information:
- Type of product or service purchased
- Price
- Place, date and time of purchase
- Purchase channel (Internet, vending machine, counter, etc.)
- Date of travel or duration of validity and time of departure
- Place of departure and destination
The legal basis for this data processing is the need to process the contract. Data generated during the purchase of services is stored in a central database (see the section on shared responsibility in public transport) and is also processed for other purposes, including marketing and market research purposes (for more details, see the relevant sections of this data protection declaration). In addition, the data is used in the context of ticket control to identify the holder of a personalised ticket and to prevent misuse. The data is also used to provide our Après Vente service, to identify and assist you in the event of concerns or difficulties, and to process any compensation claims. Finally, the data is used to distribute the revenue generated by the purchase of tickets fairly among the companies and associations of Direct Transport. Our legitimate interest forms the legal basis for this data processing.
3.2 When using the ostwind.ch and entdeckungsreise.ostwind.ch websites:
When you visit our Internet pages, the servers of our hosting provider temporarily store each access in a log file. The following technical data is collected:
- IP address of the requesting computer
- Date and time of access
- Internet page from which the access was made, if applicable with the search word used
- name and URL of the file accessed
- search queries carried out (timetable, general search function on website, products, etc.)
- the operating system of your computer (provided by the user agent)
- the browser you are using (provided by the user agent)
- device type in the case of access by mobile phones
- the transmission protocol used
The collection and processing of this data is used for system security and stability and for error and performance analysis as well as for internal statistical purposes and enables us to optimise our Internet offering. In addition, this enables us to design our website in a target group-specific manner, i.e. to provide you with targeted content or information that may be of interest to you.
The IP address is also used to preset the language of the website. In addition, it is evaluated together with other data in the event of attacks on the network infrastructure or other unauthorised or abusive use of the website for the purpose of clarification and defence and, if necessary, used within the framework of criminal proceedings for the purpose of identification and civil and criminal proceedings against the users concerned.
Finally, we use cookies and applications and tools based on the use of cookies when you visit our website. You will find more details on this in the sections on cookies and tracking tools of this data protection declaration.
Our legitimate interest forms the legal basis for these processing operations. In the case of third-party websites that are linked to our website, no guarantee is given for compliance with data protection regulations.
3.3 When using our app "OSTWIND Tickets":
OSTWIND collects and processes data related to the use of the App and the purchase of Mobile Tickets. This data includes the customer information that the customer discloses:
- Email address
- Means of payment/method
- Smartphone ID
- Type of product or service purchased
- Price
- Date and time of purchase
- Date of travel or period of validity
- Agreement to the general terms and conditions
- Location data
Card information is not stored on the smartphone, in the app or at OSTWIND. Registration of the credit or debit card in the app is done directly with Datatrans AG, Stadelhoferstrasse 33, CH-8001 Zurich, Tel. +41 44 256 81 91, info@datatrans.ch.
Our legitimate interest forms the legal basis for these processing operations. In the case of third-party websites that are linked to our website, no guarantee is given for compliance with data protection regulations.
3.4 When using firmenabo.ostwind.ch:
For contractual reasons, we require personal data for the online order or the purchase of certain services and products in order to provide our services and process the contractual relationship. For example, when purchasing a company subscription. When you purchase a company subscription, we collect the following data. Mandatory data is marked with an asterisk (*) in the corresponding form:
- SwissPass customer number
- Name, e-mail address of the person purchasing or travelling
- Further details such as postal address, date of birth
- Telephone number
- Name of boarding stop
- Name of place of work (company name)
- Further individual additional information determined by the company, such as personnel number, department, degree of employment, etc.
- Means/method of payment
- Agreement to the general terms and conditions
In order to process the contractual relationship, we also collect data about the services you have received ("service data"). This includes - depending on the product or service - the following information:
- Type of product or service purchased
- Price
- Place, date and time of purchase
- Purchase channel (Internet, vending machine, counter, etc.)
- Date of travel or duration of validity and time of departure
- Place of departure and destination
The legal basis for this data processing is the need to process the contract. Data generated during the purchase of services are stored in a local and a central database (see the section on shared responsibility in public transport) and are also processed for other purposes, including marketing and market research purposes (for more details, see the relevant sections of this privacy statement). In addition, the data is used in the context of ticket control to identify the holder of a personalised ticket and to prevent misuse. The data is also used to provide our Après Vente service, to identify and assist you in the event of concerns or difficulties, and to process any compensation claims. Finally, the data is used to distribute the revenue generated by the purchase of tickets fairly among the companies and associations of Direct Transport. Our legitimate interest forms the legal basis for this data processing. In the case of external websites which are linked to our website, no guarantee is given for compliance with data protection regulations.
3.5 When using forms on ostwind.ch and entdeckungsreise.ostwind.ch:
You have the option of using forms (contact form, registration forms for events, competitions, order forms), whereby mandatory details are marked with an asterisk (*) in the relevant form. The following information can be entered:
- Subject
- Surname and first name
- E-mail address
- Salutation
- Telephone number
- Street and no.
- Postcode / City
- Country
- SwissPass no.
- Attachments
- Messages
- Reply details
- Agreement to the AGB
We use this data, unless otherwise indicated in special GTC, exclusively to be able to answer your contact request in the best possible and personalised way. Any voluntary information about how you became aware of our offer will also be used for internal statistical purposes. We base this data processing on our legitimate interest as a legal basis or, if your contact is aimed at the conclusion of a contract, on the implementation of the pre-contractual measures requested by you.
3.6 When contacting our customer service by telephone:
If you contact our customer service by telephone. If provided by your provider, your telephone number and the time of the call will be stored. We use this data exclusively to be able to answer your contact request in the best possible way. We base this data processing on our legitimate interest as a legal basis or, if your contact is aimed at the conclusion of a contract, on the implementation of the pre-contractual measures requested by you.
3.7 When creating a SwissPass login/customer account at https://www.swisspass.ch/:
You have the option of creating a customer account on swisspass.ch. In doing so, we require the following data from you:
- Surname and first name
- Date of birth
- Address (street, postcode, town and country)
- Customer number (if you already have a public transport season ticket)
- E-mail address and password (login data)
By registering, we enable you to access the numerous online services (webshops and apps) of the public transport companies and associations with the login data (so-called SwissPass login) and to obtain services from them without having to carry out an additional, time-consuming registration in each case. Services that you purchase using the SwissPass login (in particular public transport tickets/subscriptions) are recorded in your customer account and in a central database ("NDV database"). This data processing is necessary for the execution of the contract for the use of the SwissPass and is therefore based on this legal basis. For more information, please refer to the sections on shared responsibility in public transport and on disclosure to third parties in this privacy statement as well as the privacy statement on swisspass.ch
4. How long is your data kept?
We only store personal data for as long as is necessary,
- to provide services you have requested or consented to, to the extent set out in this privacy notice.
- to use the tracking services mentioned in this privacy policy within the scope of our legitimate interest.
Contractual data will be retained by us for longer periods of time as required by legal retention obligations. Retention obligations that require us to retain data result from accounting regulations and tax regulations. As far as we no longer need this data to provide the services for you, the data will be blocked. This means that the data may then only be used to fulfil our retention obligations.
5. Where is the data stored?
Your data is generally stored in databases within Switzerland. However, in some cases listed in this privacy policy, the data is also passed on to third parties that are based outside Switzerland. If the country in question does not have an adequate level of data protection, we ensure that your data is adequately protected at these companies either through contractual arrangements with these companies or by ensuring that these companies are certified under the CH/EU-US Privacy Shield.
6. What data is processed in connection with marketing?
Unless you object, we use your customer data (name, gender, date of birth, address, customer number, e-mail address), your performance data (data on services purchased such as subscriptions or individual tickets) and your click behaviour on our websites or in e-mails you have received from us for marketing purposes. Please also note the section on tracking tools with regard to the evaluation of click behaviour.
We evaluate this data in order to further develop our offers in line with your needs and to send you or display information and offers that are as relevant as possible (via e-mail, letter, SMS, push messages in the app and personalised teasers on the web, in person at the ticket counter). For this purpose, we only use data that we can clearly assign to you, for example because you have registered or identified yourself on our website with your SwissPass login and purchased a ticket. We also use methods that predict possible future purchasing behaviour based on your current purchasing behaviour. The legal basis for this processing is our legitimate interest. In certain cases, under strict conditions, contact may also be made by SBB or another company involved in direct transport. Please refer to the information in the section on "joint responsibility in public transport".
You can refuse to be contacted by us, the SBB (e.g. in connection with your GA or half-fare travelcard) or by other public transport companies at any time. The following options are available to you for this purpose:
- Every e-mail with a marketing purpose that you receive from us or other public transport companies contains a link that you can use to unsubscribe from further messages with one click.
- If you have a SwissPass login, you can log on to https://www.swisspass.ch/ and manage your settings for receiving messages in your user account at any time.
- You can also subscribe or unsubscribe at any counter or by telephone (+41 71 226 88 99) or email (info@ostwind.ch).
Please also note the information on the right to object with regard to the evaluation of click behaviour in the section on tracking tools.
7. What data is processed for market research purposes?
In order to continuously improve the quality of our services and offers, we regularly conduct market research. It may therefore happen that we use your contact details to invite you to online surveys. If you do not wish to receive such invitations, you can opt out of receiving invitations to surveys here or by sending an email to mafo-unsubscribe@sbb.ch. The legal basis for these processing operations is our legitimate interest.
8. What rights do you have with regard to your personal data?
You have the following rights with regard to your personal data:
- You can request information about your stored personal data.
- You can request that your personal data be corrected, supplemented, blocked or deleted. Deletion is replaced by blocking if there are legal obstacles to deletion (e.g. legal obligations to retain data).
- If you have set up a customer account, you can delete it or have it deleted.
- You can object to the use of your data for marketing purposes.
- You can revoke your consent at any time with effect for the future.
- You can request the transfer of your data.
To exercise your rights, it is sufficient to send a letter by post to:
or by e-mail to: datenschutz@ostwind.ch
Customers domiciled in a member state of the EU can also contact our EU representative:
or by e-mail to: ostwind@mll-gdpr.com
In addition, you have the right to complain to a data protection authority at any time.
9. What does "shared responsibility in public transport" mean?
OSTWIND is responsible for the processing of your data. As a company/association of public transport, we are obliged by law to provide certain transport services with other transport companies and associations ("direct transport").
For this purpose and for other purposes described in this data protection declaration, data is shared at national level within the so-called National Direct Transport (NDV), an association of over 240 transport companies (TU) and public transport associations. The individual TUs and associations are listed here. Data from the purchase of services and the establishment of contact are stored in a central database which is managed by SBB on behalf of the NDV and for which we are jointly responsible with the other companies and associations of the NDV ("NDV database").
For services that you purchase using the SwissPass login, the data is then stored in another central database ("SwissPass database") for which we are jointly responsible with the TUs, associations and NDV, the database again being managed by SBB on behalf of NDV. For efficient service provision and cooperation among the parties involved, the data from the various databases are merged where necessary. In order to enable the so-called Single Sign-On (SSO) (one login for all applications that offer the use of their services with the SwissPass login), the aforementioned login, card, customer and service data are also exchanged between the central login infrastructure of the SwissPass and us as part of the authentication process.
The scope of access to the shared databases by the individual TUs and associations is regulated and limited by a joint agreement. The transfer and processing by the other TUs and associations of the NDV that takes place with the central storage is basically limited to contract processing, ticket control, the Après Vente service and revenue distribution. In addition, the data collected when purchasing NDV services is also processed for marketing purposes in certain cases. This includes the evaluation of the data in order to further develop and advertise the public transport services in a needs-oriented manner. If you are contacted for this purpose, we (OSTWIND) will contact you. The other TUs and associations involved in the NDV will only contact you in exceptional cases and under strict conditions, and only if the evaluation of the data shows that a certain public transport service could bring added value for you as a customer. One exception to this is contacting SBB. On behalf of the NDV, the SBB manages the marketing mandate for NDV services (e.g. GA and half-fare travelcard) and in this role may contact you on a regular basis.
Our legitimate interest forms the legal basis for the data processing mentioned here.
10. Will your data be passed on to third parties?
Your data will not be sold on by us. Your personal data will then only be passed on to selected service providers and only to the extent necessary for the provision of the service. These are IT support service providers, issuers of subscription cards, shipping service providers (such as Swiss Post), service providers commissioned to distribute traffic revenue among the transport companies involved (in particular in the course of drawing up so-called distribution keys within the meaning of the Swiss Passenger Transport Act), our hosting provider (see section "Use of website") and the providers mentioned in the sections on tracking tools, social plug-ins and advertisements. With regard to service providers based abroad, please also note the information in the section "Where is your data stored".
In addition, your data may be passed on if we are legally obliged to do so or if this is necessary to protect our rights, in particular to enforce claims arising from our relationship with you.
If you book cross-border travel, your data will then also be passed on to the respective foreign providers. However, this will only be done to the extent necessary to check the validity of the tickets and to prevent misuse.
Our legitimate interest forms the legal basis for the data processing mentioned here.
Your personal data will not be disclosed to third parties outside the public transport system. The only exceptions are SwissPass partners (to the extent described below) and companies that have been authorised by the public transport companies to broker public transport services on the basis of a contractual agreement. These intermediaries only receive access to your personal data if you wish to obtain a public transport service through them and have given them your consent for access. Even in this case, they will only have access to your data to the extent necessary to determine whether you already have tickets or season tickets for the planned travel period that are relevant to your journey and the service you want from the third party. The legal basis for this data processing is therefore your consent. You can revoke your consent at any time with effect for the future (see section 8). Payment service providers are another exception if the selected means of payment requires this information (in particular purchase on account).
If you use offers with a SwissPass partner using your SwissPass, data about any benefits you may have purchased from us (e.g. a GA, half-fare travelcard or federation/route season ticket) may be transmitted to the SwissPass partners in order to check whether you can benefit from a specific offer from the SwissPass partner (e.g. discount for GA holders). In the event of loss, theft, misuse or forgery or card replacement after a benefit has been purchased, the partner concerned will be informed. These data processing operations are necessary for the performance of the contract for the use of the SwissPass and are therefore based on this legal basis. Further information can be found in the data protection declaration on swisspass.ch and the data protection declaration of the respective SwissPass partner.
11. How are tracking tools used?
We use Google's web analytics services for the purpose of designing and continuously optimising our websites, apps and emails to meet our customers' needs. Our legitimate interest forms the legal basis for the data processing described below.
- Tracking on websites:
- In connection with our internet pages, pseudonymised usage profiles are created and small text files ("cookies") stored on your computer are used (see "What are cookies and when are they used?" below). The information generated by cookies about your use of these Internet pages is transmitted to the servers of the providers of these services, stored there and processed for us. In addition to the data listed above (see "What data is processed when you use our Internet pages?"), we thereby obtain the following information:
- Navigation path that a visitor takes on the website
- the length of time spent on the website or sub-page
- The sub-page on which the visitor leaves the website
- Country, region or city from which access is made
- terminal device (type, version, colour depth, resolution, width and height of the browser window)
- returning or new visitor
- Browser type/version
- Operating system used
- Referrer URL (the previously visited page)
- Host name of the accessing computer (IP address) and
- Time of the server request
This information is used to evaluate the use of the website.
Tracking when sending e-mails:
When sending e-mails, we use third-party e-mail marketing services. Our emails may therefore contain a so-called web beacon (tracking pixel) or similar technical means. A web beacon is a 1x1 pixel, invisible graphic that is associated with the user ID of the respective email subscriber.
For each newsletter sent, there is information on the address file used, the subject and the number of newsletters sent. Furthermore, it is possible to see which addresses have not yet received the newsletter, to which addresses the newsletter was sent and for which addresses the sending failed. In addition, the opening rate, including information on which addresses have opened the newsletter and which addresses have unsubscribed from the newsletter distribution list, can be discussed.
Recourse to corresponding services enables the evaluation of the information listed above. In addition, this also allows the click behaviour to be recorded and evaluated. We use this data for statistical purposes and to optimise the content of our news. This enables us to better tailor the information and offers in our emails to the individual interests of the respective recipient. The tracking pixel is deleted when you delete the email.
If you would like to prevent the use of the web beacon in our e-mails, please set your e-mail programme so that no HTML is displayed in messages, if this is not already the case by default. You can find instructions on how to do this here, for example.
You can find out more about our tracking tools below:
Google Analytics
Our website uses Google Analytics, a web analytics service provided by Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA or Google Iland Limited, Gordon House Barrow St, Dublin 4, Ireland. Google Analytics uses methods that enable an analysis of the use of the website, such as cookies (see "What are cookies and when are they used?"). The information generated by a cookie about your use of this website, as listed above, is transferred to servers of Google, a company of the holding company Alphabet Inc. in the USA and stored there. The IP address is shortened by activating the IP anonymisation ("anonymizeIP") on this website before transmission within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area or Switzerland. The anonymised IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. In these cases, we ensure through contractual guarantees that Google maintains a sufficient level of data protection.
The information is used to evaluate the use of the website, to compile reports on the activities on the website and to provide other services associated with the use of the website and the use of the Internet for the purposes of market research and the design of the website in line with requirements. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of Google. According to Google, under no circumstances will the IP address be associated with other data relating to the user.
Users can prevent the collection of the data generated by the cookie and related to the use of the website by the user concerned (including the IP address) by Google and the processing of this data by Google by downloading and installing the following browser add-on.
12. What are cookies and when are they used?
We use cookies in certain cases. Cookies are small files that are stored on your computer or mobile device when you visit or use one of our websites. Cookies store certain settings about your browser and data about your interaction with the website via your browser. When a cookie is activated, it can be assigned an identification number that identifies your browser and allows the information contained in the cookie to be used. You can set your browser so that a warning appears on the screen before a cookie is saved. You can also choose not to take advantage of personal cookies. In this case, certain services cannot be used.
We use cookies to carry out an evaluation of general user behaviour. The aim is to optimise the digital presences. These are to be made easier to use and the content more intuitive to find. They should be more comprehensible and structured. It is our concern to make the digital presences user-friendly according to your needs. This enables us to optimise the website by providing targeted content or information on the website that may be of interest to you.
Most web browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or a message always appears when you receive a new cookie. On the following pages you will find explanations of how you can configure the processing of cookies:
- Google Chrome for Desktop: https://support.google.com/chrome/answer/95647?hl=de
- Google Chrome for Mobile: https://support.google.com/chrome/answer/2392709?hl=de&co=GENIE.Platform%3DAndroid&oco=1
- Microsofts Windows Internet Explorer link: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
- Apple Safari for Mobile: https://support.apple.com/de-de/HT201265
Deactivating cookies may mean that you cannot use all the functions of our website. Our legitimate interest forms the legal basis for the data processing described.
13. Data security
We use appropriate technical and organisational security measures to protect your personal data stored with us against manipulation, partial or complete loss and against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.
We also take internal data protection very seriously. Our employees and the external service providers commissioned by us have undertaken to maintain confidentiality and to comply with the provisions of data protection law.
We take appropriate precautions to protect your data. However, the transmission of information via the Internet and other electronic means always involves certain security risks and we cannot guarantee the security of information transmitted in this way.
Most web browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or a message always appears when you receive a new cookie. On the following pages you will find explanations on how you can configure the processing of cookies:
- Google Chrome for Desktop: https://support.google.com/chrome/answer/95647?hl=de
- Google Chrome for Mobile: https://support.google.com/chrome/answer/2392709?hl=de&co=GENIE.Platform%3DAndroid&oco=1
- Microsofts Windows Internet Explorer link: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
- Apple Safari for Mobile: https://support.apple.com/de-de/HT201265
Deactivating cookies may mean that you cannot use all the functions of our website. Our legitimate interest forms the legal basis for the data processing described.