We process general personal data about you, such as your name and contact details.

Example: We send you a ticket that you have ordered online to your email address. 

We process your location data.

Example: Our app uses your current location for a route suggestion provided you have switched on this functionality on your smartphone. 

We process personal data that you provide to us.

Example: You enter your email address when ordering tickets in our webshop. 

We process personal data that we collect about you.

Example: We check the language setting of your browser when you visit our webshop.  

We process personal data about you that we receive from third parties.

Example: You buy a Half Fare Travelcard at the point of sale of your regional public transport company, which you also use when traveling with us. 

We use your personal data for marketing and advertising.

Example: We send you our newsletter to which you have subscribed. 

We use your personal data for the development and improvement of products and services.

Example: Based on an online survey, we identify the need for a new service/offer. 

We analyse your behaviour and make assumptions about your interests and preferences.

Example: Unless you choose to opt out, we analyse your ticket purchases to tailor offers in our newsletter to your needs. 

We transfer your personal data to other companies that decide themselves how to use the data.

Example: We hand over an unpaid invoice to a collection agency. 

We also process your personal data outside of Switzerland and the EU.

Example: An IT expert in the U.S. supports us in the event of problems at night and accesses a data storage facility in Switzerland for this purpose. 

Protecting your personality and privacy is a major concern for us as public transport companies. We guarantee to you that we will process your personal data in accordance with the applicable provisions of data protection law. By adhering to the following principles, public transport companies give a clear signal that your data will be handled confidentially.

Public transport companiesLink opens in new window.

You decide yourself how your personal data are to be processed.  

Where permitted by law, you can at any time object to data processing, withdraw your consent or require that your data be erased. You always have the option of travelling anonymously without your personal data being recorded.

We offer you added value by processing your data.

Public transport companies use your personal data to offer you added value throughout the mobility chain (e.g. bespoke offers and information, support or compensation in the event of disruption). Your data are therefore used only in relation to the development, provision, optimisation and assessment of our services or for customer support purposes.

Your data are not sold.

Your data are only disclosed to selected third parties specified in this Privacy Policy and only for the purposes specifically indicated. If we commission third parties to carry out data processing, they will be required to comply with our data protection standards.

We guarantee the security of your data and ensure that they are protected.

Public transport companies undertake to handle customer data with care and to guarantee their security and protection. We ensure this by adopting the necessary technical and organisational precautions. 

You have the following rights with regard to your data. You can make use of them at any time. 

• Information about your stored personal data 
• Rectification, supplementation, blocking or erasure of your personal data (if due to legal storage obligations we can only erase your data at a later date, they will be blocked in the meantime)
• Delete your customer account or have it deleted
• Object to the use of your data for marketing purposes
• Withdraw your consent for future data processing
• Transmission of your data 

You can send us your request for access to data or erasure of data via the web form.

In addition, you have the right to put any questions or concerns you may have at any time to the Federal Data Protection and Information Commissioner.

Data protection advisors
Federal Data Protection and Information CommissionerLink opens in new window.

In order to guarantee direct transport - as we are legally obliged to - we cooperate with other transport companies, public transport associations and companies that sell public transport products. Data is exchanged and stored in shared databases. This ensures that you can travel seamlessly with different transport companies and in different fare networks with one ticket.

Together with these companies and networks, we assume responsibility for the processing of your data.

There are clear legal regulations for the use of personal data, to which we refer again and again in this Privacy Policy. They refer to the applicable law in Switzerland and the EU General Data Protection Regulation (EU-GDPR).

The applicable law requires us to retain certain data concerning you. At the request of law enforcement or other authorities, we are required to disclose some of this data. 

Example:

• When connecting to SBB WiFi, we must retain and, if necessary, disclose connection and identification data in accordance with the Swiss Federal Act on the Surveillance of Postal and Telecommunications Traffic (BÜPF) and the associated ordinance (VÜPF).
• The Federal Act on Combating Money Laundering and Terrorist Financing (Money Laundering Act, AMLA) requires us to retain customer and transaction data for a specific period of time. 

If you have any questions regarding data protection, please contact our data protection advisors (this will be kept confidential). 

SBB AG 
Data Protection Office 
Hilfikerstrasse 1
3000 Bern 65
[email protected]Link opens in new window.

This is how to reach our data protection representative in the EU 

MLL Brussels SPRL
222, Av. Louise
1050 Bruxelles [Brussels]
Belgium 
[email protected]Link opens in new window.

Book tickets, make reservations or buy a subscription - for this we need basic information from you.

E.g.:

• Your name and email address so that you can be issued a ticket online.
• Your date of birth for discounts to which you are entitled (senior citizens' or children's tickets).
• Your licence plate, so that we can reserve a parking space for you.

Certain data make our websites and apps more efficient to use. This makes things more convenient, especially when you are on the move.

E.g.:

• Session cookies remember your purchases, allowing you to pay for all items at once.
• For correct screen display, we need to know which device you are using.
• Route suggestions and route guidance are calculated from the GPS data of your current location - provided you have given your consent.

If we store your preferences, you will be able to access services more quickly and use additional features. That is, of course, only if you do not refuse.

E.g.:

• We use cookies to maintain your language preference on the website and in apps.
• We will send you "push notifications" to inform you of delays or diversions. So you can react faster.

We are committed to improving our website and apps to make them even easier for you to use. To do this, we test existing and new applications - your feedback is needed for internal statistics and is of great assistance to us.

E.g.:

• Your responses to online customer satisfaction surveys help us improve our services.
• By evaluating the click behaviour on websites and in apps, we can adapt the user interface to your needs.

Support is important to us. Certain data can be used to send you information by telephone or email and to answer questions in live chat or forums.

Some data helps us to inform you about products and new services or to adapt advertisements on our websites to your interests. That is, of course, only if you do not refuse.

E.g.:

• If we know your purchases such as single tickets or subscriptions, only relevant offers will land in your mailbox.
• If you register with SBB Mobile, you will receive offers that match your travel habits.

When purchasing services and products, such as subscriptions or tickets, we require personal data - depending on the product and purchase channel: 

• The gender, name and Date of birth of the passenger or person buying the service or product
• A personal photo
• Contact details  (e-mail address, address, telephone number)
• Customer number
• Subscriptions
• Payment method
• Consent to the General Terms and Conditions
• Product details:
  • The type of product or service being purchased 
  • The price 
  • The place, date and time of purchase
  • Purchase channel (online, mobile, ticket machine, counter, etc.)
  • Date of travel or period of validity and departure time
  • Starting point and destination

To ensure that we can always reach you by post, we check your address with Swiss Post and update it if necessary.

This data is stored in a central database and can be used for marketing and market research purposes.

Central database

For cross-border journeys, we will notify you by e-mail or SMS about your upcoming journey and any delays or cancellations. You can unsubscribe from these notifications.

For group journeys we need additional information about the group. We will notify you via SMS about your group reservation and any delays or cancellations. When you book a group journey, you can decide whether you want to receive these notifications.

When checking in baggage, the bag must be labelled with name, address and mobile phone number. For online orders, we also need your e-mail address. We need this information so that the baggage can be identified in the event of loss and so that we can contact you about delivery or collection.

As far as the EU-GDPR applies, our legitimate interest and the contractual performance requirement form the legal basis for this processing of personal data.

The following information is recorded in connection with orders in the SBB Shop (for guest purchases or with SwissPass login):

• Name and e-mail address of the purchaser
• Address (billing and delivery address)
• Telephone number
• Product ordered
• Reference number
• Order date
• Method of payment
• Shipping costs 

This information is also stored if the order is cancelled.

Insofar as the EU-GDPR applies, our legitimate interest and the fact that it is required for the performance of a contract constitutes the legal basis for the processing of these personal data.

Debit/credit cards.

When you pay by credit card, we forward your card details to your card issuer via our payment service provider (acquirer). This sending of data is solely for the purpose of authorization and transaction processing and takes place in encrypted form. If you decide to make a card payment, you will be asked to enter all mandatory information (payment card type, payment card number, CVC2/CVV2, expiry date, first name, last name). Under certain circumstances, it may be necessary to authenticate yourself as an authorised cardholder, e.g. using the 3DSecure procedure. 

Wallet solutions (Twint, Apple Pay).

With wallet payment solutions, your card details are securely stored in the wallet beforehand. If you choose to pay with a wallet solution, usually you do not have to enter any further payment card information. Only the data required for authorization and transaction processing are transferred via the wallet. 

Monthly invoice.

If you choose the ‘Monthly Invoice’ option, you will need access to a Swiss or Liechtenstein mobile phone number to register. Name, date of birth, e-mail address, address, mobile phone number and IP address are forwarded to our partner Byjuno AG. Byjuno AG will handle the entire billing process and will perform an identity and credit check. 

Invoice in SBB Shop.

If you choose the ‘Invoice in SBB Shop’ option, your mobile phone number and date of birth will also be recorded. Name, date of birth, e-mail address, address, mobile phone number, IP address and device ID will be forwarded to our partner Byjuno AG. Byjuno AG will handle the entire billing process and will perform an identity and credit check. 

Lodge Cards (corporate credit cards).

When you pay by Lodge Card, we forward your credit card information to your credit card issuer and also to the credit card acquirer. If you choose to pay by credit card, you will be asked to enter all mandatory information (payment card type, payment card number, CVC2/CVV2 (based on option), expiration date, first name, last name). In addition, information on the purchased service, last name, first name and date of birth of the person purchasing or travelling and information on the credit card holder (company) are forwarded to the credit card issuer for billing purposes in accordance with the agreement with the credit card holder (company).

Insofar as the EU GDPR applies, the legal basis for the processing of personal data is the contractual performance requirement. With regard to processing of your payment method information by these third parties, please also read the relevant General Terms and Conditions and Data Protection Declaration of the payment method used.

You do not have to reveal any data to surf on our website pages. What happens automatically is that our servers record every access, store the following data for seven months and then automatically delete it again.

• IP address of the computer requesting access 
• date and time of access 
• the website from which our website was accessed, including the search term where applicable
• the name and URL of the file being requested 
• searches performed (timetable, products, etc.) 
• the computer’s operating system  
• the browser being used  
• device type of the mobile phone, if used
• the transmission protocol being used 

Good performance.

These data are used to ensure system security and stability, to facilitate error and performance analysis, and to help to optimise our range of products and services so they meet your wishes and needs. 

Protection against hackers.

The IP address provides intelligence if there are attacks on the network infrastructure or other misuse or abuse. It may be used in criminal proceedings for identification purposes and for civil and criminal proceedings against the users concerned. 

As far as the EU-GDPR applies, our legitimate interest forms the legal basis for this processing of personal data.

We cannot guarantee that non-SBB websites that are linked to our web pages comply with the relevant data protection regulations.

We offer you a range of apps that support your mobility and make travelling easier. You can identify which data is processed in the privacy policy of the respective app.

These apps are available to you:

• SBB Mobile 
• SBB Preview
• P+Rail
• My station 
• SBB AR
• SmartWay
  
• SBB FreeSurf

Push notifications in the apps inform you about delays, redirected trains, or other relevant information. You can decide for yourself whether you wish to receive them and simply set them up when you initially install the app. You can also turn off push notifications at any time. 

Your SwissPass customer account allows you to use our websites and apps to their full extent. For this we need the following data from you:

• Full name
• Date of birth 
• Address (street, postcode, city and country)
• Customer number (if you have a public transport subscription)
• Email address and password (login data)

With your SwissPass login, you can access the online services of public transport companies and networks without having to additionally register. This is practical and makes many things easier for you. 

Services purchased using the SwissPass login (in particular public transport tickets/subscriptions) are recorded in a central database (National Direct Service database, “NDS-database”).

Data exchange via Single Sign-On (SSO).

During authentication, login, customer and performance data are exchanged between the central login infrastructure of the Public Transport Network, the partner platform and ourselves. This applies to the name, date of birth, address, email address and performance data.

Use of partner services.

Whenever you register with a partner (e.g. Mobility, PubliBike, etc.) and whenever you purchase or use partner services, your card and customer data (card ID, customer number, title, form of address, surname, first name, address, date of birth, subscription information and photo) are transmitted to SwissPass partners for the purpose of processing transactions. Whenever any partner services are acquired, data concerning the service are stored by us. We inform SwissPass partners in the event of the loss, theft, misuse, forgery or replacement of your card.

In order to enable you to take advantage of discounted services, SwissPass partners are entitled to retrieve any subscription data that are directly required.

Insofar as the EU-GDPR applies, the legal basis for the processing of personal data is the contractual performance requirement.

Further information regarding this can be found in the Data Exchange within Direct Service section as well as in the privacy policy at swisspass.chLink opens in new window..

About the SBB Contact Centre.

Calls made when making contact by telephone are recorded for training and quality assurance purposes and are kept for 3 months, along with your telephone number and the time of the call. After 3 months, the recording is deleted. At the beginning of your call, you will be made aware that the conversation is to be recorded. To decline the recording of the conversation, please ask our employee to stop recording at the start of the conversation.

We store all e-mails we receive via the contact forms and these are linked to your customer account, to the extent that this is possible on the basis of the information provided.

If you contact us via the chat window, we save the entire text of the chat history, as well as your first name, surname and customer number, if you provide us with these. If it is possible to do so, we will link these details to your customer account. The text of the chat history may contain other personal data, if you mention such data in your chat with our staff. We also use the stored data to improve the chat function.

After you have contacted the SBB Contact Center we may contact you by SMS or e-mail to perform a customer satisfaction survey. At any time, you can opt out of receiving the customer satisfaction survey.

As far as the EU-GDPR applies, our legitimate interest and the contractual performance requirement form the legal basis for this processing of personal data..

About forums and chats.

You can participate in forums and chats on SBB.ch and other SBB websites. Please remember that any information you disclose online will be made public.

About SBB Customer Say.

Your voice counts: By participating in SBB Customer Say, you can have a say in the development of new processes and products. The aim is to design products and services according to customer needs. Certain data is required from you for this.

You can find out which data is processed at kundenstimme.sbb.chLink opens in new window..

Using SBB WiFi is easy: Register and surf away. Your access is valid for 12 months.

If you register, your mobile phone number or customer number, the MAC address of your device, and data regarding the station area visited will be recorded, along with the time, date and device.

Our statutory obligations.

As a telecommunications service provider, we are registered with the Federal Office of Communications and must therefore comply with the statutory obligations of the Federal Act of 18 March 2016 on the Surveillance of Postal and Telecommunications Traffic and its associated ordinance.

For us, this means.

Provided the legal conditions are met, we are required, on behalf of the competent authority, to monitor, either directly or through a third party, the use of the Internet and data traffic between the customer and the Internet. Furthermore, we may be required to disclose the customer’s contact, usage and peripheral data to the authorised administrative bodies. 

For your data, this means.

The usage data and peripheral data generated when establishing and ending electronic connections will be stored in personally identifiable form for six months. After that the usage data will be anonymised and the peripheral data will be destroyed.

From the time participation in the WiFi service is cancelled or 12 months after registration, the contact data will be stored for another six months and then destroyed. 

If you reserve a car from a car sharing provider through us, we will carry out an electronic driver's licence check when you register for the first time. For this purpose, you provide us with a photo of your driver's licence and a selfie. We store the following data from your driving licence with us: Identification number, first name, last name, date of birth, date of issue, expiry date if available, country of issue, driving categories.

If you give consent, your customer data will be forwarded to the car sharing provider to create an account. To ensure that the reservation, usage and billing processes can be carried out, the car sharing provider stores the following data:

• card ID 
• client numbers
• title,
• surname, first name
• address
• date of birth
• telephone numbers
• e-mail address
• driver's licence details
• correspondence
• language
• date of last data change
• IP address of the client
• role of the user
• newsletter subscribed to

We use the data we receive from you - by e-mail, letter, SMS or personally at the counter - to make you offers that correspond to your buying behaviour. Provided we know your age, we will only send marketing material to you by email or letter if you are at least 16 years old.

The following data can be used for this purpose: 

• Name
• Gender
• Date of birth
• Address
• Customer number
• E-mail address
• Information about subscriptions or single tickets
• Clicking behaviour on our websites or in e-mails that we have sent you
• Click-through rate on displays / banners with SBB advertising
• Information concerning interests, affinities and user behaviour

We use third-party e-mail marketing services that use tracking tools when sending e-mails. We collect the data for statistical purposes and subsequent dispatch as well as to optimise the content of our messages. 

The following data is used:

• Information about the address file used
• Subject and number of newsletters sent
• Addresses to which the newsletter has not yet been sent
• Addresses to which the newsletter has been sent
• Addresses with failed dispatch 
• Opening rate 
• Addresses that have opened the newsletter
• Addresses that have unsubscribed from the newsletter distribution list
• Clicking behaviour 

We use the Google ad server service (Google Ad Manager) for advertisements on our websites and in our apps. Ad servers are automated ad management systems that are used to store, deliver and measure the success of Internet advertisements. These allow you to see only those ads that interest you. 

The ad server uses the following information when you visit our websites and apps:

• Profile data (age, place of residence and gender) 
• Contextual travel information (place, time, date and day of departure, destination, arrival time, date and day, class of travel, article number, zone and subscription type)
• Website accessed, including search performed, if applicable
• Rough GPS coordinates 
• User ID (Unique User ID), advertising ID (Ad ID), IP address  
• Information on the browser and operating system 
• Device manufacturer and model 

On the basis of this information, for each request, the ad server checks whether a suitable campaign is running and then delivers specific, non-specific or no advertising at all at random and depending on capacity.

If you have a Google account and have agreed to personalised ads, the ad server may also take account of your Google account settings when displaying the ads. We do not obtain any access to the data used.

Your data are never disclosed to the advertiser and are not stored for further use, but are used exclusively for the one-time display of advertising. We do not create profiles that identify any specific individuals or process names, telephone numbers, addresses or e-mail addresses in connection with advertising. 

On SBB.ch, Adobe Target is used for website optimisation and the display of personalised content. 

The following data will be processed:

• Anonymised IP address
• Tracking data on how you use the site, such as your preferred topics

You can request that your data will not be processed by Adobe Target.

To improve the quality of our services and offerings, we conduct market research. This may mean that we use your contact details for customer surveys (e.g. online surveys). If you do not wish to participate in such surveys, you can control in your user account which “Information & Offers” you would like to receive.

You can reject offers and information from us or public transport companies at any time. 

• One click is all you need: Unsubscribe link for e-mails
• Manage which information & offers you would like to receive on SBB.ch in the user account under “Notifications”. 
• Manage your settings under “Offers & Advertising” when you log in to SBB Mobile 
• Register or deregister at any counter or by calling the SBB Contact Centre (0848 44 66 88 / CHF 0.08/min.)
• Configure cookies in cookie settings.

The use of the device-specific advertising ID, which is used for interest-based advertising, can be blocked on your smart phone as follows:

• Android: Open “Settings”, tap on the menu item “Privacy” and within the sub-menu “Ads” select “Opt out of Ads Personalization”.
• iOS: Open “Settings”, tap on the menu item “Privacy” and within the sub-menu “Advertising” select “Limit ad tracking”.

In order to disable Google's personalised advertising, please consult the following link: policies.google.com/technologies/partner-sitesLink opens in new window.

You also have the right to object to the analysis of your click behaviour. 

Your personal data will only be passed on to selected service providers - and only to the extent necessary to provide the service. 

These include: 

• IT support service providers 
• Issuers of subscription tickets 
• Shipping service providers (e.g. Swiss Post) 
• Service providers charged with allocating traffic revenues to the transport companies involved (in particular in the course of drawing up so-called distribution keys within the meaning of the Federal Passenger Transport Act of 20 March 2009 (Personenbeförderungsgesetz, PBG))
• Our Hosting Provider

We may be legally required to pass on such information or it may be necessary to pass it on in order to safeguard our rights.

External service providers who process data on our behalf are contractually obliged to comply with the relevant data protection regulations and are not considered third parties under data protection law.

As far as the EU-GDPR applies, our legitimate interest and legal requirements form the legal basis for this processing of personal data.

On our website we use various services provided by Google (Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland). Google already stores information (e.g. your IP address) concerning your use of the website whenever you access any website into which Google services have been integrated. This may also result in the transfer of data to the servers of Google LLC. in the USA. If you are logged in to Google, your information will be directly associated with your account. If you do not wish any such data to be associated with your Google profile, you must first sign out of your Google account. Google stores your data (including those relating to users who are not logged in) as user profiles and evaluates them. Collection, storage and evaluation occur on the basis of Google’s legitimate interest in the incorporation of personalised advertising, market research and/or the design of Google websites in order to meet with user requirements. You have the right to object to the creation of these user profiles, and must contact Google in order to exercise this right.

To ensure that your journey runs smoothly, the following data is transferred within National Direct Service, an association of more than 240 public transport companies, as well as to regional networks: 

• Personal identification and contact details
• Identity verification (SwissPass login)
• Travel and purchase data

These are required for the following:

• To get you from A to B 
• Ticket inspection
• After-sales service
• Revenue distribution
• Joint marketing (to a limited extent)
• Single Sign-On (SSO) 

Analysis of the data helps us to further develop and advertise public transport services according to your needs. 

On behalf of National Direct Service, we carry out the marketing mandate for the services of National Direct Service (e.g. GA and Half Fare Travelcard). We may contact you regularly in this role. Contact is always made by us. Only in exceptional cases and under strict conditions may another participating transport company or network get in touch with you.

As public transport companies, we are obliged by law to provide transport services alongside other transport companies and public transport networks (NDS – National Direct Service). To make this possible for you, data collected from contact with you or from services you have purchased is passed on within NDS.

If you book a cross-border journey, your data will be transferred to foreign public transport providers so that descriptions of available services can be provided, to allow checking of and prevent misuse of tickets, and to notify you in the event of a delay or cancellation.

We are entitled to transfer your personal data to contract data processors in or outside the EU. If we do this, these companies are obliged to comply with data protection to the same extent as we are.

Data that is passed on within NDS is stored in a central database (NDS-database). This is supervised by us as we are mandated by NDS – we are jointly responsible with the NDS companies and networks. 

It is our goal as transport companies and public transport networks to offer you efficient services; data regarding selling of personalised services are therefore stored in a joint database (NDS-database).

For example: Single Sign-On (SSO), a login for all services of your SwissPass account.

Access is regulated.

Access to the joint databases by the individual transport companies and networks of NDS is regulated by a joint agreement and is limited to contract processing, ticket inspection, after-sales service and revenue distribution. 

Advantages of Single Sign-On.

So that we can get you from A to B efficiently, the login, ticket, customer and performance data are merged. Single Sign-On (SSO) enables you to use all the services of the SwissPass account with a single login. 

Data protection.

We protect your personal data stored with us against manipulation, loss or unauthorised third-party access. In order to ensure continuous protection, we are constantly developing our security measures. Our data protection advisors will be pleased to provide you with additional information concerning this. More information at Your contact for questions concerning data protection.

The transmission of data over the internet and via other electronic means always entails risks. Despite taking appropriate precautions, we cannot therefore guarantee the security of any information transmitted over the Internet. 

Cookies are small files that are stored on your computer or mobile device when you visit our websites or use apps. Some cookies are necessary for the website or app to function, while others extend the range of functions and improve user comfort for you. You can adjust the cookie settings here at any time. If you accept certain cookies, you also consent to the transfer of your data to third countries. These third countries may not have a level of data protection comparable to Switzerland. There may be a risk, for example, of your data being collected and processed by local authorities and that your rights as a data subject cannot be enforced.

Together with tracking tools, cookies can analyse the usage behaviour when online offers are made.

We use cookies in order to

• ensure you do not have to re-enter your information and data every time.
• ensure you can stay logged in and no information will be lost.
• remember your personal settings and preferences.
• ensure you receive content that is as relevant as possible.