Data protection declaration (DPD) OSTWIND fare network

OSTWIND is responsible for processing your data. As a public transport fare network, OSTWIND is a member of the Swiss National Direct Transport (NDV). As a result, certain data is exchanged within the transport companies (TU) and public transport associations, as well as with third parties who distribute a public transport range, and stored centrally in databases operated jointly by all TUs and public transport associations. We are therefore responsible for individual data processing jointly with these TUs and associations. You can find more information on the individual data processing in the section "What does joint responsibility in public transport mean?".

If you have any questions or suggestions regarding data protection, you can contact us at any time as follows. Either by post to:

Customers domiciled in a member state of the EU can also contact our EU representative:

or by e-mail to: ostwind@mll-gdpr.com

3.1 When purchasing services shop.ostwind.ch:

For contractual reasons, we require personal data for online orders or the purchase of certain services and products in order to provide our services and process the contractual relationship. For example, when purchasing a subscription or a single ticket. When purchasing personalised services, we collect the following data - depending on the product or service - whereby mandatory data is marked with an asterisk (*) in the corresponding form:

• Personal photo
• Gender, name, e-mail address of the person purchasing or travelling
• Further details such as postal address, date of birth
• Telephone number
• Means/method of payment
• Agreement to the general terms and conditions

In order to process the contractual relationship, we also collect data about the services you have purchased ("service data"). This includes - depending on the product or service - the following information:

• Type of product or service purchased
• Price
• Place, date and time of purchase
• Purchase channel (Internet, vending machine, counter, etc.)
• Date of travel or duration of validity and time of departure
• Place of departure and destination

The legal basis for this data processing is the need to process the contract. Data generated during the purchase of services is stored in a central database (see the section on shared responsibility in public transport) and is also processed for other purposes, including marketing and market research purposes (for more details, see the relevant sections of this data protection declaration). In addition, the data is used in the context of ticket control to identify the holder of a personalised ticket and to prevent misuse. The data is also used to provide our Après Vente service, to identify and assist you in the event of concerns or difficulties, and to process any compensation claims. Finally, the data is used to distribute the revenue generated by the purchase of tickets fairly among the companies and associations of Direct Transport. Our legitimate interest forms the legal basis for this data processing.

3.2 When using the ostwind.ch and entdeckungsreise.ostwind.ch websites:

When you visit our Internet pages, the servers of our hosting provider temporarily store each access in a log file. The following technical data is collected:

• IP address of the requesting computer
• Date and time of access
• Internet page from which the access was made, if applicable with the search word used
• name and URL of the file accessed
• search queries carried out (timetable, general search function on website, products, etc.)
• the operating system of your computer (provided by the user agent)
• the browser you are using (provided by the user agent)
• device type in the case of access by mobile phones
• the transmission protocol used

The collection and processing of this data is used for system security and stability and for error and performance analysis as well as for internal statistical purposes and enables us to optimise our Internet offering. In addition, this enables us to design our website in a target group-specific manner, i.e. to provide you with targeted content or information that may be of interest to you.

The IP address is also used to preset the language of the website. In addition, it is evaluated together with other data in the event of attacks on the network infrastructure or other unauthorised or abusive use of the website for the purpose of clarification and defence and, if necessary, used within the framework of criminal proceedings for the purpose of identification and civil and criminal proceedings against the users concerned.

Finally, we use cookies and applications and tools based on the use of cookies when you visit our website. You will find more details on this in the sections on cookies and tracking tools of this data protection declaration.

Our legitimate interest forms the legal basis for these processing operations. In the case of third-party websites that are linked to our website, no guarantee is given for compliance with data protection regulations.

3.3 When using our app "OSTWIND Tickets":

OSTWIND collects and processes data related to the use of the App and the purchase of Mobile Tickets. This data includes the customer information that the customer discloses:

• Email address
• Means of payment/method
• Smartphone ID
• Type of product or service purchased
• Price
• Date and time of purchase
• Date of travel or period of validity
• Agreement to the general terms and conditions
• Location data

Card information is not stored on the smartphone, in the app or at OSTWIND. Registration of the credit or debit card in the app is done directly with Datatrans AG, Stadelhoferstrasse 33, CH-8001 Zurich, Tel. +41 44 256 81 91, info@datatrans.ch.

Our legitimate interest forms the legal basis for these processing operations. In the case of third-party websites that are linked to our website, no guarantee is given for compliance with data protection regulations.

3.4 When using firmenabo.ostwind.ch:

For contractual reasons, we require personal data for the online order or the purchase of certain services and products in order to provide our services and process the contractual relationship. For example, when purchasing a company subscription. When you purchase a company subscription, we collect the following data. Mandatory data is marked with an asterisk (*) in the corresponding form:

• SwissPass customer number
• Name, e-mail address of the person purchasing or travelling
• Further details such as postal address, date of birth
• Telephone number
• Name of boarding stop
• Name of place of work (company name)
• Further individual additional information determined by the company, such as personnel number, department, degree of employment, etc.
• Means/method of payment
• Agreement to the general terms and conditions

In order to process the contractual relationship, we also collect data about the services you have received ("service data"). This includes - depending on the product or service - the following information:

• Type of product or service purchased
• Price
• Place, date and time of purchase
• Purchase channel (Internet, vending machine, counter, etc.)
• Date of travel or duration of validity and time of departure
• Place of departure and destination

The legal basis for this data processing is the need to process the contract. Data generated during the purchase of services are stored in a local and a central database (see the section on shared responsibility in public transport) and are also processed for other purposes, including marketing and market research purposes (for more details, see the relevant sections of this privacy statement). In addition, the data is used in the context of ticket control to identify the holder of a personalised ticket and to prevent misuse. The data is also used to provide our Après Vente service, to identify and assist you in the event of concerns or difficulties, and to process any compensation claims. Finally, the data is used to distribute the revenue generated by the purchase of tickets fairly among the companies and associations of Direct Transport. Our legitimate interest forms the legal basis for this data processing. In the case of external websites which are linked to our website, no guarantee is given for compliance with data protection regulations.

3.5 When using forms on ostwind.ch and entdeckungsreise.ostwind.ch:

You have the option of using forms (contact form, registration forms for events, competitions, order forms), whereby mandatory details are marked with an asterisk (*) in the relevant form. The following information can be entered:

• Subject
• Surname and first name
• E-mail address
• Salutation
• Telephone number
• Street and no.
• Postcode / City
• Country
• SwissPass no.
• Attachments
• Messages
• Reply details
• Agreement to the AGB

We use this data, unless otherwise indicated in special GTC, exclusively to be able to answer your contact request in the best possible and personalised way. Any voluntary information about how you became aware of our offer will also be used for internal statistical purposes. We base this data processing on our legitimate interest as a legal basis or, if your contact is aimed at the conclusion of a contract, on the implementation of the pre-contractual measures requested by you.

3.6 When contacting our customer service by telephone:

If you contact our customer service by telephone. If provided by your provider, your telephone number and the time of the call will be stored. We use this data exclusively to be able to answer your contact request in the best possible way. We base this data processing on our legitimate interest as a legal basis or, if your contact is aimed at the conclusion of a contract, on the implementation of the pre-contractual measures requested by you.

3.7 When creating a SwissPass login/customer account at https://www.swisspass.ch/:

You have the option of creating a customer account on swisspass.ch. In doing so, we require the following data from you:

• Surname and first name
• Date of birth
• Address (street, postcode, town and country)
• Customer number (if you already have a public transport season ticket)
• E-mail address and password (login data)

By registering, we enable you to access the numerous online services (webshops and apps) of the public transport companies and associations with the login data (so-called SwissPass login) and to obtain services from them without having to carry out an additional, time-consuming registration in each case. Services that you purchase using the SwissPass login (in particular public transport tickets/subscriptions) are recorded in your customer account and in a central database ("NDV database"). This data processing is necessary for the execution of the contract for the use of the SwissPass and is therefore based on this legal basis. For more information, please refer to the sections on shared responsibility in public transport and on disclosure to third parties in this privacy statement as well as the privacy statement on swisspass.ch

Unless you object, we use your customer data (name, gender, date of birth, address, customer number, e-mail address), your performance data (data on services purchased such as subscriptions or individual tickets) and your click behaviour on our websites or in e-mails you have received from us for marketing purposes. Please also note the section on tracking tools with regard to the evaluation of click behaviour.

We evaluate this data in order to further develop our offers in line with your needs and to send you or display information and offers that are as relevant as possible (via e-mail, letter, SMS, push messages in the app and personalised teasers on the web, in person at the ticket counter). For this purpose, we only use data that we can clearly assign to you, for example because you have registered or identified yourself on our website with your SwissPass login and purchased a ticket. We also use methods that predict possible future purchasing behaviour based on your current purchasing behaviour. The legal basis for this processing is our legitimate interest. In certain cases, under strict conditions, contact may also be made by SBB or another company involved in direct transport. Please refer to the information in the section on "joint responsibility in public transport".

You can refuse to be contacted by us, the SBB (e.g. in connection with your GA or half-fare travelcard) or by other public transport companies at any time. The following options are available to you for this purpose:

• Every e-mail with a marketing purpose that you receive from us or other public transport companies contains a link that you can use to unsubscribe from further messages with one click.
• If you have a SwissPass login, you can log on to https://www.swisspass.ch/ and manage your settings for receiving messages in your user account at any time.
• You can also subscribe or unsubscribe at any counter or by telephone (+41 71 226 88 99) or email (info@ostwind.ch).

Please also note the information on the right to object with regard to the evaluation of click behaviour in the section on tracking tools.

You have the following rights with regard to your personal data:

• You can request information about your stored personal data.
• You can request that your personal data be corrected, supplemented, blocked or deleted. Deletion is replaced by blocking if there are legal obstacles to deletion (e.g. legal obligations to retain data).
• If you have set up a customer account, you can delete it or have it deleted.
• You can object to the use of your data for marketing purposes.
• You can revoke your consent at any time with effect for the future.
• You can request the transfer of your data.

To exercise your rights, it is sufficient to send a letter by post to:

or by e-mail to: datenschutz@ostwind.ch

Customers domiciled in a member state of the EU can also contact our EU representative:

or by e-mail to: ostwind@mll-gdpr.com

In addition, you have the right to complain to a data protection authority at any time.

OSTWIND is responsible for the processing of your data. As a company/association of public transport, we are obliged by law to provide certain transport services with other transport companies and associations ("direct transport").

For this purpose and for other purposes described in this data protection declaration, data is shared at national level within the so-called National Direct Transport (NDV), an association of over 240 transport companies (TU) and public transport associations. The individual TUs and associations are listed here. Data from the purchase of services and the establishment of contact are stored in a central database which is managed by SBB on behalf of the NDV and for which we are jointly responsible with the other companies and associations of the NDV ("NDV database").

For services that you purchase using the SwissPass login, the data is then stored in another central database ("SwissPass database") for which we are jointly responsible with the TUs, associations and NDV, the database again being managed by SBB on behalf of NDV. For efficient service provision and cooperation among the parties involved, the data from the various databases are merged where necessary. In order to enable the so-called Single Sign-On (SSO) (one login for all applications that offer the use of their services with the SwissPass login), the aforementioned login, card, customer and service data are also exchanged between the central login infrastructure of the SwissPass and us as part of the authentication process.

The scope of access to the shared databases by the individual TUs and associations is regulated and limited by a joint agreement. The transfer and processing by the other TUs and associations of the NDV that takes place with the central storage is basically limited to contract processing, ticket control, the Après Vente service and revenue distribution. In addition, the data collected when purchasing NDV services is also processed for marketing purposes in certain cases. This includes the evaluation of the data in order to further develop and advertise the public transport services in a needs-oriented manner. If you are contacted for this purpose, we (OSTWIND) will contact you. The other TUs and associations involved in the NDV will only contact you in exceptional cases and under strict conditions, and only if the evaluation of the data shows that a certain public transport service could bring added value for you as a customer. One exception to this is contacting SBB. On behalf of the NDV, the SBB manages the marketing mandate for NDV services (e.g. GA and half-fare travelcard) and in this role may contact you on a regular basis.

Our legitimate interest forms the legal basis for the data processing mentioned here.

Your data will not be sold on by us. Your personal data will then only be passed on to selected service providers and only to the extent necessary for the provision of the service. These are IT support service providers, issuers of subscription cards, shipping service providers (such as Swiss Post), service providers commissioned to distribute traffic revenue among the transport companies involved (in particular in the course of drawing up so-called distribution keys within the meaning of the Swiss Passenger Transport Act), our hosting provider (see section "Use of website") and the providers mentioned in the sections on tracking tools, social plug-ins and advertisements. With regard to service providers based abroad, please also note the information in the section "Where is your data stored".

In addition, your data may be passed on if we are legally obliged to do so or if this is necessary to protect our rights, in particular to enforce claims arising from our relationship with you.

If you book cross-border travel, your data will then also be passed on to the respective foreign providers. However, this will only be done to the extent necessary to check the validity of the tickets and to prevent misuse.

Our legitimate interest forms the legal basis for the data processing mentioned here.

Your personal data will not be disclosed to third parties outside the public transport system. The only exceptions are SwissPass partners (to the extent described below) and companies that have been authorised by the public transport companies to broker public transport services on the basis of a contractual agreement. These intermediaries only receive access to your personal data if you wish to obtain a public transport service through them and have given them your consent for access. Even in this case, they will only have access to your data to the extent necessary to determine whether you already have tickets or season tickets for the planned travel period that are relevant to your journey and the service you want from the third party. The legal basis for this data processing is therefore your consent. You can revoke your consent at any time with effect for the future (see section 8). Payment service providers are another exception if the selected means of payment requires this information (in particular purchase on account).

If you use offers with a SwissPass partner using your SwissPass, data about any benefits you may have purchased from us (e.g. a GA, half-fare travelcard or federation/route season ticket) may be transmitted to the SwissPass partners in order to check whether you can benefit from a specific offer from the SwissPass partner (e.g. discount for GA holders). In the event of loss, theft, misuse or forgery or card replacement after a benefit has been purchased, the partner concerned will be informed. These data processing operations are necessary for the performance of the contract for the use of the SwissPass and are therefore based on this legal basis. Further information can be found in the data protection declaration on swisspass.ch and the data protection declaration of the respective SwissPass partner.

We use Google's web analytics services for the purpose of designing and continuously optimising our websites, apps and emails to meet our customers' needs. Our legitimate interest forms the legal basis for the data processing described below.

• Tracking on websites:
• In connection with our internet pages, pseudonymised usage profiles are created and small text files ("cookies") stored on your computer are used (see "What are cookies and when are they used?" below). The information generated by cookies about your use of these Internet pages is transmitted to the servers of the providers of these services, stored there and processed for us. In addition to the data listed above (see "What data is processed when you use our Internet pages?"), we thereby obtain the following information:
• Navigation path that a visitor takes on the website
• the length of time spent on the website or sub-page
• The sub-page on which the visitor leaves the website
• Country, region or city from which access is made
• terminal device (type, version, colour depth, resolution, width and height of the browser window)
• returning or new visitor
• Browser type/version
• Operating system used
• Referrer URL (the previously visited page)
• Host name of the accessing computer (IP address) and
• Time of the server request

This information is used to evaluate the use of the website.

Tracking when sending e-mails:

When sending e-mails, we use third-party e-mail marketing services. Our emails may therefore contain a so-called web beacon (tracking pixel) or similar technical means. A web beacon is a 1x1 pixel, invisible graphic that is associated with the user ID of the respective email subscriber.

For each newsletter sent, there is information on the address file used, the subject and the number of newsletters sent. Furthermore, it is possible to see which addresses have not yet received the newsletter, to which addresses the newsletter was sent and for which addresses the sending failed. In addition, the opening rate, including information on which addresses have opened the newsletter and which addresses have unsubscribed from the newsletter distribution list, can be discussed.

Recourse to corresponding services enables the evaluation of the information listed above. In addition, this also allows the click behaviour to be recorded and evaluated. We use this data for statistical purposes and to optimise the content of our news. This enables us to better tailor the information and offers in our emails to the individual interests of the respective recipient. The tracking pixel is deleted when you delete the email.

If you would like to prevent the use of the web beacon in our e-mails, please set your e-mail programme so that no HTML is displayed in messages, if this is not already the case by default. You can find instructions on how to do this here, for example.

You can find out more about our tracking tools below:

Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA or Google Iland Limited, Gordon House Barrow St, Dublin 4, Ireland. Google Analytics uses methods that enable an analysis of the use of the website, such as cookies (see "What are cookies and when are they used?"). The information generated by a cookie about your use of this website, as listed above, is transferred to servers of Google, a company of the holding company Alphabet Inc. in the USA and stored there. The IP address is shortened by activating the IP anonymisation ("anonymizeIP") on this website before transmission within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area or Switzerland. The anonymised IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. In these cases, we ensure through contractual guarantees that Google maintains a sufficient level of data protection.

The information is used to evaluate the use of the website, to compile reports on the activities on the website and to provide other services associated with the use of the website and the use of the Internet for the purposes of market research and the design of the website in line with requirements. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of Google. According to Google, under no circumstances will the IP address be associated with other data relating to the user.

Users can prevent the collection of the data generated by the cookie and related to the use of the website by the user concerned (including the IP address) by Google and the processing of this data by Google by downloading and installing the following browser add-on.

We use cookies in certain cases. Cookies are small files that are stored on your computer or mobile device when you visit or use one of our websites. Cookies store certain settings about your browser and data about your interaction with the website via your browser. When a cookie is activated, it can be assigned an identification number that identifies your browser and allows the information contained in the cookie to be used. You can set your browser so that a warning appears on the screen before a cookie is saved. You can also choose not to take advantage of personal cookies. In this case, certain services cannot be used.

We use cookies to carry out an evaluation of general user behaviour. The aim is to optimise the digital presences. These are to be made easier to use and the content more intuitive to find. They should be more comprehensible and structured. It is our concern to make the digital presences user-friendly according to your needs. This enables us to optimise the website by providing targeted content or information on the website that may be of interest to you.

Most web browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or a message always appears when you receive a new cookie. On the following pages you will find explanations of how you can configure the processing of cookies:

• Google Chrome for Desktop: https://support.google.com/chrome/answer/95647?hl=de
• Google Chrome for Mobile: https://support.google.com/chrome/answer/2392709?hl=de&co=GENIE.Platform%3DAndroid&oco=1
• Microsofts Windows Internet Explorer link: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
• Apple Safari for Mobile: https://support.apple.com/de-de/HT201265

Deactivating cookies may mean that you cannot use all the functions of our website. Our legitimate interest forms the legal basis for the data processing described.