Data Privacy Statement

Privacy Policy of SBB AG System Tasks Customer Information (SKI+) for the Open Data Platform Mobility Switzerland

This privacy policy applies to the processing of personal data on the Open Data Platform Mobility Switzerland (https://opentransportdata.swiss) within the scope of the Swiss Data Protection Act (DSG) and the General Data Protection Regulation (GDPR) of the European Union.

Here you will find the most important information: what data we process, for what purpose we need it, how we protect it, what added value you get from data processing and how you can object to it.

1. Your contact for questions

SBB AG
Systemaufgaben Kundeninformation
SBB Infrastruktur
Wylerstrasse 123/125
3000 Bern 65

Contact: opendata@sbb.ch or via the contact form.

2. Why Do We Process Personal Data?

We know how important it is to you that your personal data is handled carefully. All data processing operations are carried out only for specific purposes. These operations may result, e.g. from technical necessity, contractual requirements, legal regulations, an overriding interest, i.e. from legitimate grounds, or from your express consent. We collect, store and process personal data insofar as this is necessary, for example to manage the customer relationship, to provide our services, to answer questions and concerns, to provide support in technical matters and to evaluate and further develop services and products. For detailed information as to what data is processed for which particular purposes, please read the following paragraphs.

3. What Data Is Stored and What Is It Used For?

Most of the content on the opentransportdata.swiss platform can be used without prior login, and data records can be downloaded without registration.

When using the website

When you visit our website, the servers of our hosting provider temporarily store every access in a log file. The following technical data is collected:

• IP address of the computer requesting access
• Date and time of access
• Website from which the access was made
• Name and URL of the file being requested
• Search queries carried out
• Operating system of your computer (provided by the user agent)
• Browser used (provided by the user agent)
• Device type in case of access by mobile phones
• Transmission protocol utilised

This data is processed and collected for the purposes of system security and stability and for analysing errors and performance as well as for internal statistical purposes. In addition, it enables us to optimise our website. It also allows us to customise our website for specific target groups, i.e. to provide targeted content or information that may be of interest to you.

The IP address is also used to set the default language on the website. The IP address is also analysed together with other data when there is an attempt to access the network infrastructure or in the event of other unauthorised or improper use of our websites for information and defence purposes and, where applicable, is used for the purposes of identification during criminal proceedings and in civil and criminal procedures against the data subject.

Finally, when you visit our websites, we use cookies and other applications and tools which are based on cookies. You can find more information on this in the Cookies section of this privacy policy.

Insofar as the EU GDPR is applicable, our legitimate interest forms the legal basis for this processing of personal data.

We assume no liability for compliance with data protection regulations on third-party websites that are linked to our website.

Log files are stored for several months and deleted periodically.

When using API interfaces

For all API interfaces on the opentransportdata.swiss platform, you must first register and order an API key. We also record the following personal data:

• “My profile”: personal profile with user name, first name, surname, company (optional), access data (e-mail address, password).
• “API Keys”: Access keys assigned to the profile for individual APIs.
• “Usage”: Accesses (date, time) with a specific API key to the API.
• “Quotas”: Any valid quotas.

This personal data (in particular the e-mail addresses) may be used for targeted information in connection with the API interfaces and for occasional newsletters.

Profiles and associated API keys can be deleted by sending us a request (see Contact). Subsequently, the associated personal data is usually deleted within 14 days.

When using the contact form

You have the option of using a contact form to get in touch with us. It is mandatory to enter the following personal data:

• Last name and first name
• Email address
• Reason for contacting us
• Message

We only use this and other voluntarily entered data (such as telephone number and uploaded files) to answer your contact enquiry in the best possible and personalised way.

Insofar as the EU GDPR is applicable, our legitimate interest forms the legal basis for this processing of personal data.

4. How Long Is Your Data Stored?

We only store personal data for as long as is necessary,

• to provide services that you have requested or for which you have given your consent, to the extent specified in this privacy policy.
• to use the tracking services mentioned in this privacy policy within the scope of our legitimate interest.

Personal data (registration data) will be stored by us for as long as required by statutory retention obligations. If we no longer need this data to provide the services for you, the data will be blocked. This means that the data may then only be used to fulfill our retention obligations.

5. Where Is The Data Stored?

Your data is normally stored in databases within Switzerland. However, in some cases listed in this privacy policy, data is also passed on to third parties based outside Switzerland (see section “Is your data passed on to third parties?”). If the country in question does not have an adequate level of data protection, we ensure through contractual arrangements with these companies that your data is adequately protected by these companies.

6. What Data Is Processed in Connection With Marketing?

We occasionally inform you about news and events in our field by e-mail newsletter and/or direct mailing; we use e-mail addresses from the registration for API interfaces and from support enquiries.

Beyond that, no marketing is carried out.

7. What Rights Do You Have in Relation to Your Personal Data?

You have the following rights with regard to your data. You can exercise them at any time.

• Obtaining information about your personal data stored by us
• Rectification, supplementation, blocking or erasure of your personal data (if due to legal storage obligations we can only erase your data at a later date, they will be blocked in the meantime)
• Have your customer account deleted.
• Object to the use of your data for marketing purposes
• Withdraw your consent for future data processing
• Transmission of your data

You can send us your request for information and deletion via the contact form or by email to opendata@sbb.ch.

You also have the right to submit your concerns or questions to the Federal Data Protection and Information Commissioner (FDPIC) at any time.

8. Is Your Data Passed on to Third Parties?

Your data will not be resold by us. Your personal data will then only be passed on to selected service providers and only to the extent necessary for the provision of the service and processing of support enquiries. These are:

• IT support service providers
• Our hosting provider
• Partners who have been commissioned to operate the platform, such as Mentz GmbH in Munich (Germany) and Liip AG in Fribourg (Switzerland)

No personal data is passed on to companies and institutions in the community (see https://opentransportdata.swiss/de/community/).

With regard to service providers based abroad, please also note the information in the section “Where is the data stored?”.

In addition, your data may be passed on if we are legally obliged to do so or if this is necessary to protect our rights, in particular to enforce claims arising from the relationship with you.

9. Data Security

We employ suitable technical and organisational security measures to protect the personal data we store against manipulation, partial or total loss and unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

We also take data protection within SBB very seriously. Our staff and the external service providers working on our behalf are committed to maintaining confidentiality and to complying with data protection provisions.

We will take appropriate precautionary measures to protect your data. However, transferring information over the Internet and other electronic media always entails certain risks, and we cannot guarantee the security of information transferred in this manner.

10. Cookies

We draw attention to the use of cookies by means of a separate cookie banner.

 

Last update: November 2023