Privacy Policy Gondelbahn Kandersteg-Oeschinensee AG

Privacy policy

This privacy policy applies to Gondelbahn Kandersteg-Oeschinensee AG, Oeschistrasse 50, CH-3718 Kandersteg and www.oeschinensee.ch as well as www.oeschinensee.com.

With this data protection declaration, we inform you about which data we process from you, what we need this data for and how you can object to the data collection.

Public transport companies handle customer data with confidence.

The protection of your personality and your privacy is an important concern for us, the public transport companies. http://www.ch-direct.org/datenschutz an important concern. We guarantee that your personal data will be processed in accordance with the applicable provisions of data protection law.

The public transport companies set an example for the trustful handling of your data with the following principles:

You decide yourself about the processing of your personal data.

Within the legal framework, you can refuse data processing at any time, revoke your consent or have your data deleted. You always have the option of travelling anonymously, i.e. without having your personal data recorded.

We offer you added value when processing your data.

The public transport companies use your personal data exclusively within the framework of service provision and to offer you added value along the mobility chain (e.g. tailor-made offers and information, support or compensation in the event of disruption). Your data is therefore only used for the development, provision, optimisation and evaluation of our services or for the maintenance of the customer relationship.

Your data will not be sold.

Your data will only be disclosed to selected third parties listed in this data protection declaration and only for the explicitly stated purposes. If we commission third parties with data processing, they are obliged to comply with our data protection standards.

We guarantee security and protection for your data.

The public transport companies guarantee the careful handling of customer data as well as the security and protection of your data. We ensure the necessary organisational and technical precautions for this.

Below you will find detailed information on how we handle your data.

Contents

  • Who is responsible for data processing?
  • Why do we collect personal data?
  • What data is stored and what is it used for?
  • How long will your data be kept?
  • Where is the data stored?
  • What data is processed in connection with marketing?
  • What data is processed for market research purposes?
  • What rights do you have with regard to your personal data?
  • What does "shared responsibility" mean?
  • Will your data be passed on to third parties?
  • How are tracking tools used?
  • What are cookies and when are they used?
  • What are social plug-ins and how are they used?
  • Displaying advertisements on our websites and in our apps.
  • Changes to this privacy policy.

 

Who is responsible for data processing?

Gondelbahn Kandersteg-Oeschinensee AG is responsible for the processing of your data. As a public transport company, we are required by law to carry out so-called direct transport (DV). For this purpose, certain data is exchanged within the transport companies (TU) and public transport networks http://www.ch-direct.org/datenschutzsowiewith third parties who distribute public transport products and stored centrally in databases operated jointly by all TU and public transport networks. We are therefore responsible for individual data processing jointly with these TUs and affiliates. For more information on the individual data processing, see the section "What does joint responsibility in public transport mean?

If you have any questions or suggestions regarding data protection, you can contact the following DSG or DSGVO contact "our company data protection officer" at any time. Either by post to:

Gondelbahn Kandersteg-Oeschinensee AG
Christoph Wandfluh
Oeschistrasse 50
3718 Kandersteg

Or by e-mail to Mr Christoph Wandfluh: christoph.wandfluh@oeschinensee.ch

Customers based in a member state of the EU can also contact our EU representation:

Invit Travel GmbH, Radlkoferstrasse 2, 81373 Munich, DE

Why do we collect personal data?

We are aware of how important it is for you to handle your personal data with care. All data processing is only carried out for specific purposes. These may result, for example, from technical necessity, contractual requirements, legal regulations, overriding interest, i.e. for legitimate reasons, or from your express consent. We collect, store and process personal data insofar as this is necessary, for example for the administration of the customer relationship, the sale of our products and the provision of our services, the processing of orders and contracts, the sale and invoicing, the answering of questions and concerns, the provision of information on our products and services and their marketing, support in technical matters and the evaluation and further development of services and products. For more detailed information on which data is processed for which purposes, please read the following sections.

What data is stored and what is it used for?

When purchasing services:
For contractual reasons, we require personal information for the online order or the purchase of certain services and products in order to provide our services and process the contractual relationship. For example, when purchasing a subscription or a single ticket.
When purchasing personalised services, we collect the following data - depending on the product or service - whereby mandatory data is marked with an asterisk (*) in the corresponding form:

  • Personal photo
  • Gender, name, e-mail address of the person purchasing or travelling
  • Further details such as postal address, date of birth
  • Telephone number
  • Means of payment/method
  • Agreement to the GTC

In order to process the contractual relationship, we also collect data about the services you have received ("service data"). This includes - depending on the product or service - the following information:

  • Type of product or service purchased
  • Price
  • Place, date and time of purchase
  • Purchase channel (internet, vending machine, counter, etc.)
  • Date of travel or period of validity and time of departure
  • Place of departure and destination

The legal basis for this data processing is the necessity for the execution of the contract.

Data generated during the purchase of services is stored in a central database (see the section on shared responsibility in public transport) and also processed for other purposes, which include marketing and market research purposes (for more details, see the relevant sections of this privacy statement). In addition, the data is used in the context of ticket control to identify the holder of a personalised ticket and to prevent misuse. The data is also used to provide our Après Vente service, to identify and assist you in the event of concerns or difficulties and to process any claims for compensation. Finally, the data is used to distribute the revenue generated by the purchase of fares fairly among the companies and affiliates of Direct Transport. Our legitimate interest forms the legal basis for this data processing.

When using the website www.oeschinensee.ch:
When you visit our website, the servers of our hosting provider temporarily save each access in a log file. The following technical data is collected:

  • IP address of the requesting computer
  • Date and time of access
  • Internet page from which the access was made, if applicable with the search word used.
  • Name and URL of the retrieved file
  • Searches carried out (timetable, general search function on website, products, etc.)
  • the operating system of your computer (provided by the user agent)
  • Browser you use (provided by the user agent)
  • Device type in case of access by mobile phones
  • Transmission protocol used

The collection and processing of this data is used for system security and stability and for error and performance analysis as well as for internal statistical purposes and enables us to optimise our website. In addition, this enables us to design our website in a target group-specific manner, i.e. to provide you with targeted content or information that may be of interest to you.

The IP address is also used to preset the language of the website. In addition, it is evaluated together with other data in the event of attacks on the network infrastructure or other unauthorised or improper use of the website for the purpose of clarification and defence and, if necessary, used within the framework of criminal proceedings for identification and for civil and criminal proceedings against the users concerned.

Finally, when you visit our websites, we use cookies as well as applications and tools that are based on the use of cookies. You can find more information on this in the sections on cookies, tracking tools, advertisements and social plug-ins of this privacy policy.

Our legitimate interest forms the legal basis for these processing operations.

In the case of external websites linked to our website, no guarantee is given for compliance with data protection regulations.

When using a contact form/helpdesk:
You have the option of using a contact form to get in touch with us. In doing so, the entry of the following personal data is mandatory:

  • Name and first name
  • E-mail address

We use this and other voluntarily entered data (such as title, address, telephone number and company) only to be able to answer your contact request in the best possible and personalised way. Any voluntary information about how you became aware of our offer will also be used for internal statistical purposes. We base this data processing on our legitimate interest as a legal basis or, if your contact is aimed at the conclusion of a contract, on the implementation of the pre-contractual measures requested by you:

  • E-mail address (*)
  • Password (*)
  • Agreement to the GTC (*)

We collect this information to provide you with an overview of your orders and the contracts concluded with you in this context. In this respect, it is a matter of data processing for which you have given us your consent. This is the legal basis for the data processing. You can revoke your consent at any time with effect for the future (see section 2.8). If you link your customer account with a SwissPass account, changes to your personal data (e.g. changes of address) and the services purchased are automatically compared with each other and recorded in both accounts. Please also note the following information for data processing in connection with your SwissPass account.

When creating a SwissPass login/customer account at www.swisspass.ch: You have the option of creating a customer account at swisspass.ch. In doing so, we require the following data from you:

  • Name and first name
  • Date of birth
  • Address (street, postcode, city and country)
  • Customer number (if you already have a public transport season ticket)
  • E-mail address and password (login data)

By registering, we enable you to access the numerous online services (webshops and apps) of the public transport companies and associations using the login data (so-called SwissPass login) and to obtain services from them without having to carry out an additional, time-consuming registration in each case. Services that you purchase using the SwissPass login (in particular public transport tickets/subscriptions) are recorded in your customer account and in a central database ("DV database"). This data processing is necessary for the execution of the contract for the use of the SwissPass and is therefore based on this legal basis. For more information, see the sections on shared responsibility in public transport and on disclosure to third parties in this data protection declaration and the data protection declaration on swisspass .ch https://www.swisspass.ch/disclaimer?lang=de.

How long is your data kept?
We only store personal data for as long as is necessary:

  • to provide services you have requested or consented to, to the extent set out in this Privacy Policy.
  • to use the tracking services mentioned in this privacy policy within the scope of our legitimate interest.

We retain contractual data for a longer period of time, as this is required by statutory retention obligations. Retention obligations that oblige us to retain data result from accounting regulations and tax law regulations. As soon as we no longer need this data to provide the services for you, the data will be blocked. This means that the data may then only be used to fulfil our retention obligations.

Where is the data stored?

Your data is generally stored in databases within Switzerland or in countries with a comparable level of data protection (namely EU countries). In some cases listed in this privacy policy, however, the data is also passed on to third parties that have their registered office outside Switzerland. If the country in question does not have an adequate level of data protection, we ensure that your data is adequately protected at these companies either through contractual arrangements with these companies or by ensuring that these companies are certified under the CH/EU-US Privacy Shield.

What data is processed in connection with marketing?

Unless you object, we use your customer data (name, gender, date of birth, address, customer number, e-mail address), your performance data (data on services purchased such as subscriptions or individual tickets) and your click behaviour on our websites or in e-mails you have received from us for marketing purposes. With regard to the evaluation of click behaviour, please also note the section on tracking tools.

We evaluate this data in order to further develop our offers in line with your needs and to send you or display information and offers that are as relevant as possible (via e-mail, letter, SMS, push messages in the app and personalised teasers on the web, in person at the ticket counter). For this purpose, we only use data that we can clearly assign to you, for example because you have registered or identified yourself on our website with your SwissPass login and purchased a ticket. We also use methods that predict possible future purchasing behaviour based on your current purchasing behaviour. The legal basis for this processing is our legitimate interest. In certain cases, under strict conditions, contact may also be made by SBB or another company involved in direct transport. Please note the information in the section on "shared responsibility in public transport".

You can refuse to be contacted by us, SBB (e.g. in connection with your GA or Half-Fare travelcard) and other public transport companies at any time. The following options are available to you for this purpose:

  • Every email you receive from us or other public transport companies contains an unsubscribe link which you can use to unsubscribe from further messages with one click.
  • You can also sign in or out at any counter.

Please also note the information on the right to object with regard to the evaluation of click behaviour in the section on tracking tools.

What data is processed for market research purposes?

In order to continuously improve the quality of our services and offers, we regularly conduct market research. We may therefore use your contact details to invite you to online surveys. If you do not wish to receive such invitations, you can opt out of receiving invitations to surveys here [link to: in progress] or by sending an e-mail to [e-mail address]. The legal basis for these processing operations is our legitimate interest.

What rights do you have with regard to your personal data? You have the following rights with regard to your personal data:

  • You can request information about your stored personal data.
  • You can request that your personal data be corrected, supplemented, blocked or deleted. Deletion is replaced by blocking if there are legal obstacles to deletion (e.g. legal obligations to retain data).
  • If you have set up a customer account, you can delete it or have it deleted.
  • You can object to the use of your data for marketing purposes.
  • You can revoke your consent at any time with effect for the future.
  • You can request the transfer of your data.

To exercise your rights, it is sufficient to send a letter either by post to:

Gondelbahn Kandersteg Oeschinensee AG
Demian Stettler
Oeschistrasse 50
3718 Kandersteg

Or by e-mail to Mr Demian Stettler: demian.stettler@oeschinensee.ch

Customers based in a member state of the EU can also contact our EU representation:

In addition, you have the right to complain to a data protection authority at any time.

What does "shared responsibility in public transport" mean?

Gondelbahn Kandersteg-Oeschinensee AG is responsible for processing your data. As a public transport company/association, we are required by law to provide certain transport services with other transport companies and associations ("direct transport").

For this and other purposes described in this privacy statement, data is shared at national level within the so-called National Direct Transport (NDV), an association of more than 240 transport companies (TU) and affiliates.

of public transport. The individual TUs and associations are listed here [link to: in progress]. Data from the purchase of services and the establishment of contacts are stored in a central database, which is managed by SBB on behalf of NDV and for which we are jointly responsible with the other companies and associations of NDV ("DV database").

In the case of services that you purchase using the SwissPass login, the data is then stored in another central database ("SwissPass database") for which we are jointly responsible with TU and Verbunden NDV, whereby the database is in turn managed by SBB on behalf of NDV. For efficient service provision and cooperation among the parties involved, the data from the various databases are merged where necessary. In order to enable you to use the so-called Single Sign-On (SSO) (one login for all applications that offer the use of their services with the SwissPass login), the aforementioned login, card, customer and service data are also exchanged between the central SwissPass login infrastructure and us as part of the authentication process.

The scope of access to the shared databases by the individual TUs and associations is regulated and limited by a joint agreement. The transfer and processing by the other TUs and associations of the NDV that takes place with the central storage is in principle limited to contract processing, ticket control, the Après Vente service and revenue distribution. In addition, the data collected when purchasing NDV services [link to: in process] is also processed for marketing purposes in certain cases. This includes the evaluation of the data in order to further develop and advertise the public transport services in a needs-oriented manner. If you are contacted for this purpose, we ([company]) will contact you. Other TUs and associations participating in the NDV will only contact you in exceptional cases and under strict conditions, and only if the evaluation of the data shows that a certain public transport service could bring added value for you as a customer. One exception to this is contacting SBB. SBB holds the marketing mandate for DV services (e.g. GA and Half-Fare travelcard) on behalf of the NDV and can contact you regularly in this role.

Our legitimate interest forms the legal basis for the data processing mentioned here.

Will your data be passed on to third parties?

Your data will not be resold by us. Your personal data will then only be passed on to selected service providers and only to the extent necessary for the provision of the service. These are IT support service providers, issuers of subscription cards, shipping service providers (such as Swiss Post), service providers commissioned to distribute traffic revenue among the participating transport companies (in particular in the course of drawing up so-called distribution keys within the meaning of the Swiss Passenger Transport Act), our hosting provider (see section "Use of website") and the providers mentioned in the sections on tracking tools, social plug-ins and advertisements. With regard to service providers based abroad, please also note the information in the section "Where is your data stored".

In addition, your data may be passed on if we are legally obliged to do so or if this is necessary to protect our rights, in particular to enforce claims arising from our relationship with you.

If you book cross-border travel, this information will also be passed on to the respective foreign providers. However, this is only done to the extent necessary to check the validity of the tickets and to prevent misuse.

Our legitimate interest forms the legal basis for the data processing mentioned here.

Your personal data will not be disclosed to third parties outside the public transport sector. The only exceptions are SwissPass partners (to the extent described below) and companies which have been authorised by the public transport companies, on the basis of a contractual agreement, to act as intermediaries for public transport services. These intermediaries only receive access to your personal data if you wish to obtain a public transport service through them and have given them your consent for access. Even in this case, they will only have access to your data to the extent necessary to determine whether you already have tickets or season tickets for the planned travel period that are relevant to your journey and the service you want from the third party. The legal basis for this data processing is therefore your consent. You can revoke your consent at any time with effect for the future (see section 2.8).

If you use offers with a SwissPass partner using your SwissPass, data on any benefits you may have purchased from us (e.g. a GA, Half-Fare or Composite Rail Pass) may be transmitted to the SwissPass partners in order to check whether you can benefit from a specific offer from the SwissPass partner (e.g. discount for GA holders). In the event of loss, theft, misuse or forgery or card replacement after a benefit has been purchased, the partner concerned will be informed. These data processing operations are necessary for the performance of the contract for the use of the SwissPass and are therefore based on this legal basis. Further information can be found in the data protection declaration on swisspass.ch and the data protection declaration of the respective SwissPass partner.

How are tracking tools used?

We use the web analytics services of and Google for the purpose of demand-oriented design and ongoing optimisation of our websites, apps and emails. Our legitimate interest forms the legal basis for the data processing described below.

Tracking on Internet pages:
In connection with our Internet pages, pseudonymised usage profiles are created and small text files ("cookies") stored on your computer are used (see below "What are cookies and when are they used?"). The information generated by cookies about your use of these Internet pages is transmitted to the servers of the providers of these services, stored there and processed for us. In addition to the data listed above (see "What data is processed when you use our internet pages?"), we receive the following information as a result:

  • Navigation path that a visitor follows on the website.
  • Dwell time on the website or subpage
  • Subpage on which the internet page is left
  • Country, region or city from where access is made
  • End device (type, version, colour depth, resolution, width and height of the browser window)
  • Returning or new visitor
  • Browser type/version
  • Operating system used
  • Referrer URL (the previously visited page)
  • Host name of the accessing computer (IP address) and
  • Time of the server request

The information is used to evaluate the use of the internet pages.

Tracking when sending emails:

When sending emails, we use third-party email marketing services.

Our emails may therefore contain a so-called web beacon (tracking pixel) or similar technical means. A web beacon is a 1×1 pixel, invisible graphic that is associated with the user ID of the respective e-mail subscriber.

For each newsletter sent, there is information on the address file used, the subject and the number of newsletters sent. Furthermore, it is possible to see which addresses have not yet received the newsletter, to which addresses the newsletter was sent and for which addresses the sending failed. In addition, the opening rate, including information on which addresses have opened the newsletter and which addresses have unsubscribed from the newsletter distribution list, can be discussed.

Recourse to corresponding services enables the evaluation of the information listed above. In addition, it can also be used to record and evaluate click behaviour. We use this data for statistical purposes and to optimise the content of our messages. This enables us to better tailor the information and offers in our emails to the individual interests of the respective recipient. The tracking pixel is deleted when you delete the email.

If you would like to prevent the use of the web beacon in our e-mails, please set your e-mail programme so that no HTML is displayed in messages, if this is not already the case by default.

You can find out more about our tracking tools below:

Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA or Google Iland Limited, Gordon House Barrow St, Dublin 4, Ireland. Google Analytics uses methods that enable an analysis of the use of the website, such as cookies (see below "What are cookies and when are they used?"). The information generated by a cookie about your use of this website, as listed above, is transferred to servers of Google, a company of the holding company Alphabet Inc. in the USA and stored there. By activating IP anonymisation ("anonymizeIP") on this website, the IP address is shortened before transmission within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area or Switzerland. The anonymised IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. In these cases, we ensure through contractual guarantees that Google complies with a sufficient level of data protection.

The information is used to evaluate the use of the website, to compile reports on the activities on the website and to provide other services associated with the use of the website and the use of the internet for the purposes of market research and the design of the website in line with requirements. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of Google. According to Google, under no circumstances will the IP address be associated with other data relating to the user.

Users can prevent the collection of the data generated by the cookie and related to the use of the website by the user concerned (incl. the IP address) by Google as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link:

http://tools.google.com/dlpage/gaoptout?hl=de

What are cookies and when are they used?

In certain cases, we use cookies. Cookies are small files that are stored on your computer or mobile device when you visit or use one of our websites. Cookies save certain settings about your browser and data about the exchange with the website via your browser. When a cookie is activated, it can be assigned an identification number that identifies your browser and allows the information contained in the cookie to be used. You can set your browser so that a warning appears on the screen before a cookie is saved. You can also choose not to take advantage of personal cookies. In this case, certain services cannot be used.

We use cookies to evaluate general user behaviour. The aim is to optimise the digital presences. These are to be made easier to use and the content more intuitive to find. They should be more comprehensible and structured. It is our concern to design the digital presences according to your needs in a user-friendly way. In this way, we can optimise the website with targeted content or information on the website that may be of interest to you.

Most web browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or a message always appears when you receive a new cookie. On the following pages you will find explanations on how you can configure the processing of cookies:

  • Google Chrome for Desktop [Link to: https://support.google.com/chrome/ans- who/95647?hl=en]
  • Google Chrome for Mobile [Link to: https://support.google.com/chrome/ans- who/2392709?hl=en&co=GENIE.Platform%3DAndroid&oco=1]
  • Microsoft's Windows Internet Explorer [Link on: https://support.microsoft.com/de- en/help/17442/windows-internet-explorer-delete-manage-cookies]
  • Apple Safari for Mobile [Link to: https://support.apple.com/de-de/HT201265]

Deactivating cookies may mean that you cannot use all the functions of our website. Our legitimate interest forms the legal basis for the data processing described.

What are social plug-ins and how are they used?

You can use the social plug-ins listed below on our website:

ToDo List

Social plug-ins serve to make our internet pages more personal. The plug-ins are deactivated by default on our internet pages and therefore do not send any data to the social networks. You can activate all plug-ins by clicking on the "Activate social media" button (so-called 2-click solution). The plug-ins can of course be deactivated again with one click.

If the plug-ins are activated, your browser establishes a direct connection with the servers of the respective social network as soon as you visit our website. The content of the plug-in is transmitted directly to your browser by the social network and integrated into the website by the browser.

By integrating the plug-ins, the respective provider receives the information that your browser has accessed the corresponding page of our website, even if you do not have an account with this social network or are not currently logged in to it. This information (including your IP address) is transmitted by your browser directly to a server of the provider (usually in the USA) and stored there. We therefore have no influence on the scope of the data that the provider collects with the plug-in.

If you are logged in to the social network, it can assign your visit to our website directly to your user account. If you interact with the plug-ins, the corresponding information is also transmitted directly to a server of the provider and stored there. The information may also be published on the social network and may be displayed to other users of the social network.

The provider of the social network may use this information for the purposes of advertising, market research and designing the respective offer in line with requirements. For this purpose, usage, interest and relationship profiles could be created, for example, to evaluate your use of our website with regard to the advertisements displayed to you on the social network, to inform other users about your activities on our website and to provide other services associated with the use of the social network.

The purpose and scope of the data collection and the further processing and use of the data by the providers of the social networks as well as your rights in this regard and setting options for protecting your privacy can be found directly in the data protection information of the respective provider.

If you do not want the provider of the social network to assign the data collected via our website to your user account, you must log out of the social network before activating the plug-ins.

Our legitimate interest forms the legal basis for the data processing described.

Data security.

We use appropriate technical and organisational security measures to protect your personal data stored with us against manipulation, partial or complete loss and against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

We also take internal data protection very seriously. Our employees and the external service providers commissioned by us have undertaken to maintain confidentiality and to comply with the provisions of data protection law.

We take reasonable precautions to protect your information. However, the transmission of information via the Internet and other electronic means always involves certain security risks and we cannot guarantee the security of information transmitted in this way.

Last Updated: December 2019