Data protection and security of data processing
(Status: 21 August 2023)
1. Who is responsible for data processing and who can you contact?
The data controller is railtour suisse sa, Kornhausplatz 7, 3011 Bern. If you have any questions on the subject of data protection, you can contact the following e-mail address:
2. What data and what sources do we use?
We process data that we receive as part of our contractual relationship with you or based on your consent. We receive the data directly from you, e.g. as part of the travel booking or another order placement, e.g. via a travel agency.
If you provide us with personal data of other persons (e.g. fellow travellers) as a travel applicant, you must ensure that they agree to this and that you may transmit the data. You must ensure that these persons know how their personal data is processed by us and what rights they have.
As far as necessary, we process the following data:
· 1. identification/authentication data (surname, first name of all travellers, booking number, user name, passwords, ID/passport data).
· 2. demographic data (age, date of birth of all travellers)
· 3. physical characteristics (salutation, gender of all travellers)
· 4. communication data (address, e-mail address, telephone number, correspondence, e-mail correspondence)
· 5. account data (IBAN number, credit card number)
· 6. travel data (type of travel, travel price, travel destination, travel date, travel duration, hotel data, room type, flight data, travel history)
· 7. Sensitive data, if provided by you (mobility aids, meal requests, pregnancies, if submitted).
· 8. marketing and sales data (history of our marketing offers, new potentially interesting offers).
· 9. preferences (your preferences, your ratings with regard to the travel, if arranged through/by us).
· 10. behaviour (behaviour on our websites/app, location).
· 11. family relationship (children travelling with you)
· 12. data in the context of complaints and crisis cases
3. On what legal basis and for what purpose is your data used?
3.1 Required to carry out pre-contractual measures in response to your request or to fulfil contractual obligations with you (Art. 31 para. 2 lit. a SWISS DATA PROTECTION ACT)
We process your data 1-7, 11, 12 for the preparation of offers and the execution of our contracts with you, i.e. in particular for the mediation, organisation and implementation of travel services, including complaints and crisis management (mediation/travel contract) by us or by authorised third parties. Further purposes are
· For the provision of contact options to us (e.g. contact form, arranging appointments for counselling) (agency/travel contract).
· To participate in sweepstakes, contests or similar promotions (sweepstakes contract):
From time to time, we may offer you the opportunity to participate in sweepstakes or contests and similar promotions.
Personal data such as title, first name, surname, address, e-mail address, communication may be processed for the purpose of processing these promotions. All personal data provided in the context of such a promotion will be used exclusively for the processing of the promotion, e.g. for the determination of the prize, notification or sending of the prize. The data will be deleted after the end of the promotion if prior ranking retention periods have expired. The legal basis for the processing of the promotion is Art. 31 para. 2 lit. a SWISS DATA PROTECTION ACT (competition contract).
3.2 Based on legal requirements (Art. 31 para. 1 SWISS DATA PROTECTION ACT)
We are subject to various legal obligations and statutory requirements (e.g. travel law, tax laws). Your data (1.-7., 11, 12) will be processed by us or authorised third parties for the purposes of identity and age verification, prevention of criminal offences (e.g. fraud), the fulfilment of tax law/official control and reporting obligations, the assessment and management of risks as well as the storage under financial and tax law.
3.3 Data processing to protect vital interests (Art. 31 para. 2 lit. a SWISS DATA PROTECTION ACT)
In order to protect vital interests of you or another natural person, e.g. to provide an evacuation list to emergency services in emergency situations, your data (1.-7., 11, 12) may be processed by us or authorised third parties.
3.4 To safeguard predominant legitimate interests (Art. 31 para. 2 lit. a SWISS DATA PROTECTION ACT)
Within the framework of a balancing of interests, to protect our predominant legitimate interests as well as the interests of third parties, your data may be processed by us or by legitimate third parties. This is done for the following purposes:
· Function, availability and security of business operations (e.g. IT, other services), surname, first name, user data, passwords
· Further development of services/travel services and additional products (e.g. quality management), surname, first name, e-mail addresses, evaluations
· Sales management
· Advertising, market and opinion research, new customer acquisition, surname, first name, email address, travel data
· Assertion, exercise or defence of legal claims – the legitimate interest is given in particular when entering into transactions with financial default risk (1-7, 11, 12).
· Prevention and Investigation of criminal offences (e.g. fraud) – the legitimate interest is especially given when entering into transactions with financial default risk), (1.-7., 11, 12)
· Processing enquiries and providing necessary information (e.g. contact form), (1.-7., 11, 12)
Our interest in the respective processing results from the respective purposes (profit generation, avoidance of legal risks, assertion, exercise or defence of legal claims, provision and security of our business operations, efficient task fulfilment, process optimisation, protection against financial default risk).
As far as the specific purpose allows, we process your data pseudonymously.
3.4.1 Data processing for direct advertising (Art. 31 para. 2 lit. a SWISS DATA PROTECTION ACT)
We process your data for the purpose of direct marketing, for sending emails tailored to your travels with information and offers related to your travels. The profiling explained in section 10 is used for this purpose. The data processing is carried out on the basis of Art. 31 Para. 2 lit. a SWISS DATA PROTECTION ACT in conjunction with Art. 3 Para. 1 lit. o UWG and in the interest of informing you about new products and services. Each customer has his or her own right to object to this processing in accordance with Art. 32 Para. 2 lit. c SWISS DATA PROTECTION ACT, the exercise of which leads to the termination of processing for the purpose of direct advertising. Your data will be blocked for advertising purposes. Your data will be deleted when prior ranking retention periods have expired.
You can unsubscribe from existing customer mailings at any time with effect for the future. You can do this by contacting us directly at email@example.com or, if applicable, via a link in the case of existing customer mailings, without incurring any costs.
3.5 Based on your consent (Art. 31 para. 1 SWISS DATA PROTECTION ACT)
If you have given us consent to process your personal data, this consent is the justification for the processing mentioned there. In particular, you may have consented to being contacted by e-mail, post, telephone or messenger service. You can withdraw your consent at any time with effect for the future. To do so, please contact us at our contact address. The withdrawal only applies to future processing, not to processing that has already taken place.
Separate consents may be given for the following services:
· Newsletter dispatch
You have the option to register for our free newsletter on some of our websites. The newsletter contains current offers on travel services, attractive specials and competitions and surveys (such as inspiration about your next trip travel equipment/literature, attractions or financial services). When you subscribe to the newsletter, we process the data listed below. We only process this data insofar as it actually accrues to us.
· Data that you provide to us when ordering the newsletter (e-mail address, title, first name, surname, date of birth if applicable, content preferences).
· Data proving your consent to receive the newsletter (IP address, timestamp of consent)
· Data on the use of the newsletter (openings, clicks on contained links, accessibility of the e-mail address, data of the terminal device used).
· Data that accrue during the use of our website (e.g. IDs, pages viewed, booking of a service, shopping cart abandonment), this information is used temporarily for the personalisation of the newsletter content to your profile and then deleted. You can unsubscribe from the newsletter at any time with effect for the future. This can be done by contacting us directly and using the «Unsubscribe Newsletter» link contained in every newsletter or, if applicable, via a link in the e-mail for existing customer e-mailings, without incurring any costs. Your data will be blocked for advertising. Your data will be deleted when prior ranking retention periods have expired.
· Preferences (e.g. your preferences, your ratings with regard to their trips, if arranged through/by us).
Who gets my data?
Your personal data will only be passed on in compliance with the provisions of the Data Protection Act and only insofar as this is permitted by a justification reason. Your data will only be disclosed to those bodies that need it to fulfil our contractual and legal obligations or to perform their respective tasks, e.g.
· Departmens commissioned with the implementation of the journey/processing of your enquiry within and outside the responsible party (customer care, data protection management, accounting, internal and external legal advice, compliance)
· Printing and dispatch service providers (printing and dispatch of invoices/travel confirmation/travel documents)
· Destination agency (tour guide, hotel reservation, transfer and possibly excursion services)
· Transport service provider (airline, rail if applicable)
· Accommodation operator (hotel management)
· Service provider of other booked services
· Partner for the implementation of advertising, market and opinion research, new customer acquisition
· Public authorities (tax authorities, embassies of the destination country) in the event of a legal or official obligation (e.g. retention obligations, VISA procurement, obtaining entry requirements).
· Other bodies for which you have given us your consent to data processing
How long will my personal data be stored?
To the extent necessary, we process your personal data for the duration of our business relationship, which also includes the initiation and execution of a contract.
In addition, we are subject to various retantion and documentation obligations, which result, among other things, from travel law and tax laws.
-retention for 6 years according to German law begins with the end of the calendar year in which the last entry was made in the trading book, the inventory was drawn up, the opening balance sheet or the annual financial statements were adopted, the individual financial statements pursuant to section 325 para. 2a or the consolidated financial statements were drawn up, the commercial letter was received or dispatched or the accounting voucher was created in accordance with statutory retention periods from section 257 para. 5 HGB (German commercial code) for commercial letters and begins with the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual financial statements or the management report was prepared, the commercial or business letter was received or sent or the accounting document was created, furthermore the recording was made or the other documents were created according to § 147 para. 4 AO for commercial and business letters, other documents insofar as they are of importance for taxation.
-Retention for 10 years according to German law begins at the end of the calendar year in which the last entry was made in the commercial ledger, the inventory was drawn up, the opening balance sheet or the annual financial statements were adopted, the individual financial statements pursuant to § 325 para. 2a or the consolidated financial statements were drawn up, the commercial letter was received or dispatched or the accounting voucher organisational was created in accordance with statutory retention periods from § 257 para. 5 HGB (German commercial code) for commercial books, inventories, opening balance sheets, annual financial statements, individual financial statements pursuant to § 325 para. 2a, management reports, consolidated financial statements, group management reports as well as the work instructions and other documents required for their comprehension, documents for entries in books to be kept pursuant to § 238 para. 1 (accounting vouchers) and begins with the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual financial statements or the management report was prepared, the commercial or business letter was received or dispatched or the accounting voucher was created, furthermore the recording was made or the other documents were created in accordance with § 147 Para. 4 AO (German tax code) for books and records, inventories, annual financial statements, management reports, the opening balance sheet as well as the work instructions and other organisational documents required for their understanding, accounting vouchers, documents pursuant to Article 15(1) and Article 163 of the Union Customs Code
-Retention for 10 years according to Swiss law
Art. 958 f OR (Swiss tax code)
The books of account and the accounting vouchers as well as the annual report and the auditors› report shall be kept for ten years. The retention period shall commence at the end of the financial year. The books of account and the accounting vouchers may be kept on paper, electronically or in a comparable manner, provided that this ensures consistency with the underlying business transactions and facts and that they can be made legible again at any time.
Limitation of claims CO Art. 127 general limitation of 10 years for all claims for which federal civil law does not provide otherwise.
CO Art. 130 The limitation period begins when the claim becomes due. OR Ar. 132 In calculating the time limit, the day from which the limitation period runs is not to be counted and the limitation period is not to be regarded as ended until the last day has passed without being used.
Processing for advertising purposes can be objected to free of charge at any time upon informal request; in this case, the data will be blocked for advertising purposes. Your data will be deleted when priority retention periods have expired.
Your personal data will be deleted on the basis of your consent as soon as the purpose has been fulfilled or until revocation and when priority retention periods have expired.
6. Will my data be transferred to a third country?
We tansfer your data to recipients in accordance with the provisions of Art. 16 para. 1 SWISS DATA PROTECTION ACT if the Federal Council has determined that the legislation of the state concerned or the international body guarantees adequate protection or if there is no decision by the Federal Council in accordance with para. 1, personal data may be disclosed abroad if adequate data protection is guaranteed in accordance with Art. 16 para. 2 SWISS DATA PROTECTION ACT and Art. 17 para. 1 SWISS DATA PROTECTION ACT:
· Standard data protection clauses previously approved, issued or recognised by the FDPIC
· The data subject has expressly consented to the disclosure.
· The disclosure is directly related to the conclusion or performance of a contract: between the controller and the data subject; or between the data controller and its contractual partner in the interest of the data subject.
· The disclosure is necessary for the establishment, exercise or enforcement of legal claims before a court or another competent foreign authority.
· Disclosure is necessary to protect the life or physical integrity of the data subject or a third party and it is not possible to obtain the data subject’s consent within a reasonable time.
Information and copies can be obtained from the contact given.
Do I have certain rights when dealing with my data?
You have the right to information (Art. 25, taking into account the restrictions of Art. 26 SWISS DATA PROTECTION ACT), to correction, to deletion, to restriction of processing and to data portability (Art. 28 SWISS DATA PROTECTION ACT) under the respective legal conditions.
In addition, you have the right to object at any time to the processing of personal data concerning you that is carried out on the basis of Article 31 (2) of the Swiss
Data Protection Act for reasons that arise from your particular situation. This also applies to so-called «profiling» based on this provision. If a justified objection is made, we will no longer process this personal data for these purposes. You can address your rights informally to our contact address. You also have the right to lodge a complaint with a data protection supervisory authority.
Federal Data Protection and Information Commissioner
8. Is there an obligation for me to provide my data?
Within the scope of our business relationship, you only have to provide the personal data that is required for the establishment, implementation and termination of a business relationship or which we are legally obliged to collect. Without this data, we will usually have to refuse the conclusion of the contract or the execution of the order or will no longer be able to execute an existing contract and may have to terminate it.
9. Is there automated decision-making in individual cases?
As a matter of principle, we do not use automated decision-making pursuant to Art. 21 SWISS DATA PROTECTION ACT for the establishment and implementation of the business relationship. Should we use these procedures in individual cases, you will be informed separately if this is required by law.
10. Will my data be used for profiling in any way?
If you have booked a trip with us, we process your data partly automatically with the aim of evaluating your potential interest in certain products, offers and services («profiling» pursuant to Art. 5 lit. f SWISS DATA PROTECTION ACT). The evaluation is carried out using statistical and market research procedures, procedures taking into account your previously booked trips, services and your booking behaviour. We take into account your booking history with us as well as characteristics of the bookings and booked trips, products and services. As a rule, a selection of the characteristics mentioned is used with equal weighting, but they can also be used in their entirety with a weighting not specified in advance.
We use the results of these analyses for market and opinion research, a targeted and needs-based customer approach and for the acquisition of new customers. This form of data use is carried out on the legal basis of Art. 31 para. 2 lit. a SWISS DATA PROTECTION ACT due to the overriding legitimate interest in direct advertising, market and opinion research and new customer acquisition.
In order to assess the potential risk of non-payment, we use information we have about fraudulent behaviour and publicly available information to forecast the likelihood of your payment defaulting on the booking you have made.
For this risk probability calculation, contact data, bank details, date of birth and address are used in equal weighting.
The results support us in individual decision-making to prevent fraud damage and follow up on legal claims.
This data processing is carried out on the legal basis of Art. 31 para. 1 lit. a SWISS DATA PROTECTION ACT due to the overriding legitimate interest in preventing fraud damage and following up on legal claims.
11. Contact details of the data protection officer
If you have any questions on the subject of data protection, please contact: railtour suisse sa
Data Protection Officer