Data privacy

All you need to know about how we handle your personal data: Here you can find the privacy policy of BLS Schifffahrt AG and manage your cookie settings individually.

Data privacy statement of BLS Schifffahrt Ltd.

A.    Purpose

This data privacy statement informs you about what we do with your data when you visit bls-schiff.ch, other websites we operate, or use our apps (hereinafter collectively referred to as “website”), make use of our products or services, are otherwise associated with us in the scope of a contract, communicate with us, or have any other dealings with us. Where necessary, you will receive prompt written communication from us about additional processing activities not mentioned in this privacy policy. In addition, we can inform you separately about the processing of your data, e.g. in declarations of consent, contractual conditions, additional data privacy statements, forms and notices (e.g. FAQs).

B.    Corporate responsibility

BLS Schifffahrt AG, Lachenweg 19, 3604 Thun, hereinafter referred to as "BLS Schifffahrt", is responsible in accordance with data protection law for the data processing described in this data privacy statement unless otherwise communicated in individual cases, e.g. in other data privacy statements, forms, or contracts.

Furthermore, as a transport service provider, we are required by law to perform what is known as the "National Direct Service" (NDS). For this purpose, an exchange of certain data takes place among the transport service providers (TSPs) and public transport partners (see overview here) as well as third parties that sell public transport products, and these data are stored centrally in the databases operated jointly by all TSPs and public transport partners. Consequently, we are responsible for individual data processing together with these TSPs and tariff associations. You can reach us at the following address for all your concerns relating to data protection and in order to exercise your rights in accordance with Section 10:

BLS Ltd.
Legal / Data Protection
Genfergasse 11, 3001 Bern
datenschutz@bls.ch

In addition, we have appointed the following data protection representatives in the EU in accordance with Art. 27 GDPR:

Swiss Infosec (Deutschland) GmbH
Friedrichstrasse 123
10117 Berlin

C.    Our promise to customers

BLS Schifffahrt is a public transport operator in Switzerland. Public transport operators handle customer data on the basis of trust.

The protection of you personally and your privacy is an important concern for us as public transport operators. We guarantee that we will process your personal data in accordance with the applicable provisions of data protection law.

The public transport operators set an example for the trustworthy handling of your data with the following principles:

You make your own decisions about the processing of your personal data.
Within the legal framework, you can refuse and/or withdraw your consent to data processing or have your data deleted at any time. You always have the opportunity to travel anonymously, that is without the collection of your personal data. Exceptions to this are any purchases from our web store.

We offer you added value when processing your data.
The public transport operators exclusively use your personal data to offer you added value along the mobility chain (e.g. tailored offers and information, support or compensation in the event of service disruption). Your data will be used exclusively for the development, delivery, optimisation and evaluation of our services or for the maintenance of the customer relationship.

Your data will not be sold.
Your data will only be disclosed to selected third parties listed in this data privacy statement and only for the explicitly stated purposes. Where we commission third parties with data processing, they will be obliged to adhere to our standards pertaining to data protection law.

We guarantee that your data will be secure and protected.
The public transport operators guarantee the conscientious handling of customer data and that your data will be secure and protected. We ensure that the necessary organisational and technical precautions for this are in place.

In the following, you will receive detailed information on how we handle your data.

D.    Data processing by BLS Schifffahrt

1.    For what purposes do we process your personal data?

We are aware that conscientious handling of your personal data is important to you. All data processing is only carried out for specific purposes. This could result from, for example, technical necessity, contractual requirements, legal provisions, prevailing interests, i.e. legitimate reasons, or your express consent. We collect, store and process personal data where this is necessary, for example, for initiating, managing and handling the customer relationship, communication with you, marketing purposes and relationship management, as well as for market research and the further development of services and products.

That way, some of your personal characteristics can be automatically evaluated for the purposes mentioned above ("profiling"), if we want to determine preference data, but also to identify misuse and security risks, perform statistical evaluations, or for operational planning purposes. We can also create profiles for the same purposes. This means we can combine behavioural and preference data but also master and contract data and technical data assigned to you to better understand you as a person with your various interests and other characteristics. However, we can also create anonymous mobility profiles for you and – with your consent – personalised mobility profiles. 

In certain situations, for reasons of efficiency and the uniformity of decision-making processes, it may be necessary that we automate discretionary decisions that affect you and have legal implications or possibly significant disadvantages ("automated individual decisions," such as the automatic acceptance of orders by our web store). In this case, we will inform you accordingly and ensure compliance with measures required by the applicable law.

For detailed information on which data are processed for which purposes, please read the following sections.

2.    Which data are stored and to what end are they used?

2.1    For purchases of services & reservations

For contractual reasons, for online orders and reservations as well as the purchase of certain services and products, we require personal information to provide our services and process the contractual relationship. One example is the purchase of a travel card, a single ticket or a reservation.

We collect the following data when you purchase personalised services – depending on the product or service:
 

  • personal photo
  • gender, name, e-mail address of the purchaser and/or travelling person
  • additional information such as postal address, date of birth
  • telephone number
  • method/means of payment
  • consent to the GTCs

In order to process the contractual relationship, we also collect data relating to the services purchased by you ("service data"). These include – depending on the product or service – the following information:
 

  • type of product or service purchased
  • price
  • place, date and time of purchase
  • sales channel (internet, vending machine, at the counter etc.)
  • travel date or duration of validity and departure time
  • departure point, destination and itinerary
  • available travel cards (e.g. half-fare card, GA, lake pass)
  • desired class

For group reservations also:
 

  • group name/company name
  • billing address
  • number of people 

To ensure that we are always able to reach you by post, we match your address with a service provider and update it if necessary.

Data that are generated by the purchase of services will be processed by BLS Schifffahrt, stored in a central database, and processed for additional purposes, which include marketing and market research. Moreover, the data are used within the scope of ticket inspection in order to identify the owner of a personalised ticket and to avoid any misuse of said ticket. Data are also used for the provision of our after-sales service to identify and assist you in the event that you have any concerns or difficulties and to process any compensation claims. Finally, data are used to ensure fair distribution of the revenue generated by the sale of tickets among transport service providers and affiliates of the National Direct Service.

Finally, we evaluate your data anonymously in order to be able to further develop the overall system of public transport according to demand.

Insofar as the EU GDPR is applicable, our legitimate interest and the necessity for the execution of the contract form the legal basis for this processing of personal data.

2.2    Data collection during payment

The following then applies in connection with payment in the web stores we use: 

Debit/credit cards/PostFinance card
For payment by credit card, we forward your card details to your card issuer via our payment service provider (acquirer and Payyo). The transmission takes place exclusively for the purpose of authorisation and transaction processing and in encrypted form. If you choose to make a card payment, you will be asked to enter all mandatory information (payment card type, payment card number, CVC2/CVV2, expiry date, first name, last name). In certain circumstances it may be necessary to authenticate yourself as an authorised cardholder, e.g. using the 3DSecure procedure. 

Wallet solutions (Twint, Apple and Google Pay)
With wallet payment solutions, your card details have been securely stored in the wallet beforehand. If you decide to pay with a wallet solution, you usually do not have to enter any payment card information. Only the data required for authorisation and transaction processing is transferred via the wallet. 

Insofar as the GDPR is applicable, the legal basis for the transfer of data is the necessity for the performance of the contract. 

2.3    For monitoring services performed

Customer and travelcard data are required and processed for the purpose of securing revenue (checking the validity of travel or discount passes, collection, combating abuse). The TSPs, associations and third parties who arrange tickets are therefore entitled to process all data (ticket and control data, as well as, where applicable, data worthy of protection in connection with all types of travel without a valid ticket, such as travellers with a partially valid ticket, travellers with invalid tickets, or travellers who have forgotten their tickets or discount cards, and any kind of misuse) relating to the travellers or the contracting parties and to store them for the periods defined by data protection law and to exchange them with other TSPs, associations and third parties who arrange tickets (in the case of international tickets or discount cards, also across borders).

The following provisions apply to individual services or bearer media:

Swisspass card
Where the physical Swisspass card is used as a bearer medium, no control data is stored (exception: see Swisspass Mobile).

Swisspass Mobile
For use of the Swisspass Mobile application, the provisions that apply are those acknowledged during the activation of Swisspass Mobile (see separate data privacy statement). The following data are processed in this regard: registration, activation and control data that accrue through use of Swisspass Mobile. As soon as Swisspass Mobile is used, these data are also collected from the Swisspass card.

Electronic tickets
When electronic tickets (e-tickets) are used, control data are stored in the central control data server at SBB. This data is stored for 360 days for the purpose of combating misuse and for measures to prevent misuse and abusive refunds.

Insofar as the EU GDPR is applicable, our legitimate interest and the necessity for the execution of the contract form the legal basis for this processing of personal data.

2.4    For the use of our website and our web store

When visiting our website, the servers of our hosting provider temporarily save each access as log data. The following technical data is collected in this context:
 

  • IP address of the requesting computer
  • date and time of access
  • web pages from which the access takes place, where applicable with search word used
  • name and URL of the data retrieved
  • executed search queries (timetable, general search function on the website, products, etc.)
  • the operating system of your computer (provided by the user agent)
  • the browser you have used (provided by the user agent)
  • device type in the event of access via mobile phone
  • transmission protocol used
  • the country from which you accessed the site and the language settings of your browser

The collection and processing of these data contribute to system security and stability and error and performance analysis, which enables our hosting provider to optimise our internet offering. In addition, this enables us to configure our website in accordance with the specific target group, i.e. to provide targeted content or information that may be of interest to you.

The IP address, together with other data, will be evaluated for the purposes of clarification and defence in the event of attacks on the network infrastructure or other prohibited or improper use and, if necessary, used in criminal proceedings to identify and take civil and criminal action against the users in question.

Finally, when you visit our websites, we use cookies in addition to applications and tools that are based on the use of cookies. More detailed information can be found in the sections on cookies, tracking tools, advertising and social plug-ins within this data privacy statement.

Insofar as the EU GDPR is applicable, our legitimate interest forms the legal basis for this processing of personal data.

We can make no guarantee for compliance with data protection regulations for external web pages that are linked to our website.

2.5    For a booking via our web store

When a booking is made via our web store, our servers temporarily store the following personal data in addition to the technical data listed in section 2.4:

Personal data of the person making the booking:

  • title
  • first name and surname
  • address (street, building number, town, postcode)
  • country
  • telephone number (optional)
  • email address

Personal details of the tickets/products booked per person:

  • first name and surname
  • date of birth
  • Other personal data if this is required by the connected third-party systems to complete the booking (e.g. allergies for catering services)

The following information is also recorded:

  • ordered product (article number, validity, class)
  • ticket price
  • date of journey
  • reference number
  • order date
  • means of payment
  • any voucher or discount codes used, or other vouchers

Insofar as the EU GDPR is applicable, our legitimate interest and the necessity for the execution of the contract form the legal basis for this processing of personal data.

2.6    When making contact via the contact form or e-mail

You have the opportunity to get in touch with our customer service via a contact form or e-mail. The following personal data must be entered as a minimum when contacting us via the contact form:
 

  • form of address, last name, first name
  • address (street, building number, town, postcode)
  • telephone number
  • e-mail address

We use these and other voluntarily supplied data (in particular the address, telephone number and company) to answer your query in the best possible, personalised manner. Moreover, we may use the information you provide to our customer service via contact form or e-mail for internal analytical purposes or the improvement of our services. Any voluntary information on how you became aware of our offer will also be used for internal statistical purposes.

Insofar as the EU GDPR is applicable, our legitimate interest and the necessity for the execution of the contract form the legal basis for this processing of personal data.

2.7    When contacting our customer service via telephone

When you contact our customer service by telephone, we record the form of address, first names and surnames if they become known. If we have or require further personal data relating to you from previous contact with BLS, we use this for the purpose of helping you as quickly as possible. (Example: You call us with a question about a ticket purchased in the web store. With the help of your e-mail address, we can find the transactions and help you further.)

After completing your request, we will send you a text message with a customer satisfaction survey if you contacted us using a mobile number. If the initial contact was made by e-mail, we will send the customer satisfaction survey by e-mail.

Personal data will be deleted after five years, unless you contact customer service again in the meantime or request the deletion of the data yourself. The data are stored in the CRM MS Dynamics (Microsoft) as well as in Zendesk.

Insofar as the EU GDPR is applicable, our legitimate interest and the necessity for the execution of the contract form the legal basis for this processing of personal data.

2.8    When contacting us as part of a social media campaign

If you use social media, BLS Schifffahrt may run advertising campaigns that are visible on your user profile based on your consent to the social media provider. You have the option of contacting BLS Schifffahrt in the course of these campaigns. If you contact us, we will use the following personal data that we received as part of your consent from the social media provider:
 

  • form of address, last name, first name
  • e-mail address

We use this data exclusively to provide you with the information you requested through your contact.

Insofar as the EU GDPR is applicable, your consent forms the legal basis for this processing of personal data.

2.9    For the use of our boats and the Interlaken West station

Based on Art. 55 of the Passenger Transport Act (PBG), Art. 128 of the Inland Navigation Ordinance (BSV) and the implementing provisions pursuant to the Public Transport Video Surveillance Ordinance (VüV-ÖV), BLS Schifffahrt monitors its Interlaken West station by means of video cameras, which serve to protect customers, operations and infrastructure, and uses live camera images on the port and starboard sides for the purpose of safe navigation of the boat.

With the exception of the live camera images for the safe navigation of the boat, the image signal recordings that enable the identification of individuals are stored centrally. All recordings are stored for a maximum of 10 days and then automatically deleted. Recordings are only backed up when incidents have been identified. Instructions to back up and the backing up of recordings themselves may only be initiated and/or carried out by clearly defined functions within BLS Schifffahrt.

Backed-up recordings containing personal data will, as a rule, be evaluated on the next workday; as an exception for operational or technical reasons, this may take place within two additional workdays. Evaluations take place in the following cases:
 

  • in the event of security and vandalism;
  • based on the orders of authorities;
  • upon requests for information from affected persons.

The evaluation will be exclusively carried out by the responsible authorised functions within BLS Schifffahrt.

Backed-up recordings will be stored in such a way as to protect them from unauthorised access. The recordings will be deleted 100 days after their creation at the latest unless disclosed in accordance with the following.

Recordings will only be disclosed to the following authorities:
 

  • the prosecuting authorities of the Confederation and cantons;
  • the authorities to whom BLS Schifffahrt reports or pursues legal claims.

Disclosure will only take place where this is necessary for the proceedings. In the case of disclosure, the recordings shall be retained until the formal conclusion of the legal proceedings.

2.10    In connection with marketing and contact by BLS Schifffahrt

Provided that you agree, we will use the following for marketing purposes: your customer data (in particular name, gender, date of birth, address, customer number, e-mail address), your service data (in particular data about services used by you such as travel cards or single tickets) as well as your click behaviour on our web pages or in emails that you have received from us. With regard to the evaluation of click behaviour, please see the section on tracking tools.

We evaluate this data to further develop our offering in line with requirements and show or provide you with the most relevant information and offers (via email, letter, SMS, push notifications in the app and personalised teasers on the web, in person at the counter). To this end, we use only the data that can be unequivocally assigned to you. In addition, we implement methods that predict your future potential purchasing behaviour on the basis of your current purchasing behaviour.

The legal basis for this processing is our legitimate interest. In certain cases, under strict provisions, contact may also be made by the SBB or another company affiliated with the National Direct Service. Please see also the reference in the section "General responsibility within public transport."

You can refuse to be contacted by SBB (e.g. in connection with your GA or half-fare travelcard) or by other public transport companies or us at any time. In this regard, the following options are at your disposal:
 

  • Every newsletter that you receive from us or another public transport company contains a link that you can click on to unsubscribe from further messages.
  • Provided you have a Swisspass login, you can log in to the user account at swisspass.ch and manage your settings for receiving messages at any time.
  • You can also register or de-register via schiff@bls.ch, over the phone (58 327 48 11) or via datenschutz@bls.ch.

Please also be aware of the information on your right to object with regard to the evaluation of click behaviour in the section on tracking tools.

2.11    In connection with market research

We regularly carry out market research to continuously improve the quality of our services and offers. Consequently, we may use your contact details to invite you to take part in surveys. This may be either via e-mail or over the phone. 

In general, all information provided by you in the context of BLS Schifffahrt market research is exclusively evaluated in an anonymised form. Participation in BLS Schifffahrt market research is voluntary. It is not possible to draw conclusions about the individual participants (unless the participants voluntarily provide their e-mail address to enter a competition in connection with the survey), nor is this the intention. By taking part in surveys, you are consenting to this use of data in each case.

If you do not wish to be invited to such surveys, you have the following options:
 

  • Every email that you receive from us or another public transport company contains a link that you can click on to unsubscribe from further messages.
  • You can also exclude yourself from invitations to surveys via schiff@bls.ch and via datenschutz@bls.ch or by telephone (058 327 48 11).
  • Provided you have a Swisspass login, you can log in to the user account at swisspass.ch and manage your settings for receiving messages at any time.

Insofar as the EU GDPR is applicable, your consent forms the legal basis for this processing of personal data.

2.12    In connection with lost items

In order to return lost items (on boats, at stations, etc.) to their owners or to contact the owners, we record certain personal data in connection with the management of lost property, including the following: 
 

  • first and last names
  • postal address (if the lost property needs to be posted)
  • lost item
  • telephone number
  • e-mail

Insofar as the EU GDPR is applicable, our legitimate interest and the necessity for the execution of the contract form the legal basis for this processing of personal data.

2.13    Participation in competitions, prize draws and similar events

If we organise competitions, prize draws and similar events, we will process personal data, such as your contact details and information about your participation, for the purpose of organising the competitions and prize draws and, where applicable, communicating with you in this regard. Further details can be found in the relevant conditions of participation.

3.    Will your data be passed on to third parties?

We will pass on your personal data to third parties in Switzerland and abroad in connection with our contracts, the website, our products and services, our legal obligations or for the protection of our legitimate interests and the other listed purposes. The third parties include the following categories of recipients in particular:
 

  • Group companies: You can find a list of group companies here. Group companies may use the data in accordance with this privacy policy for the same purposes as we do.
     
  • Service providers: We work with service providers in Switzerland and abroad who process data about you on our behalf or in joint responsibility with us, or who receive data about you from us for which they are solely responsible (e.g. IT providers, shipping companies (such as Swiss Post), address management service providers, marketing service providers, including providers of tracking tools and web store providers, social plug-ins and advertising, as well as market research service providers, security companies, banks, insurers). Our central IT and customer management service providers, including for ticket sales and reservations, are Microsoft Ireland Operation Limited and Zendesk, Inc., San Francisco, US. 
     
  • Integrated subcontractors in our "cariboo" web store: cariboo is an open digital ecosystem that links to third-party systems via interfaces. At the front end, cariboo is a "one-stop shop", for all the tourism services of a destination, with a booking process, a shopping basket and a payment process. The following subcontractors are deployed within the cariboo digital ecosystem for BLS Schifffahrt AG:
     
    • We use the services of Digital Ocean (101 Sixth Ave, New York, NY 10013, United States). DigitalOcean is used to host the cariboo backend including the databases of orders and users. Data is stored on EU servers (in Frankfurt).
    • Auth0 is a service provided by Okta Inc. 100 First Street, 6th Floor San Francisco, CA 94105, USA. It is used to authenticate users (by email and password or via social login). Data is stored on EU servers.
    • Cloudinary is a service operated by Cloudinary Inc., 111 W Evelyn Ave, Suite 206, Sunnyvale, CA 94086, USA. It is a CDN (Content Delivery Network) for images, which is used for images that are uploaded directly to cariboo. Data is stored on EU servers.
    • Sendgrid is a subsidiary of Twilio, 1801 California St Ste 500, Denver, CO 80202, United States. Sendgrid is a service that is used to send emails from cariboo (e.g. booking confirmations). Certain data for sending emails (e.g. booking confirmations) is stored in the USA.
    • Sentry is a service provided by Functional Software Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. The Sentry monitoring tool is used to recognise any errors in the system in good time and thus ensure the secure operation of the SaaS solution. The IP address is stored in the USA.
    • Cloudflare: Cloudflare 101 Townsend St, San Francisco, CA 94107, USA, is used to protect cariboo from DDOS attacks. Data is stored on EU servers.
       
  • Transport companies and associations (public transport sector): See Section C. 
     
  • Contracting partners: Recipients also include contracting partners with whom we cooperate in the following areas and to whom we consequently pass on data about you:
     
    • If you use offers with a Swisspass partner using your Swisspass, data on any benefits you may have acquired from us (e.g. a GA, half-fare or regional point-to-point travelcard) may be transmitted to the Swisspass partners in order to check whether you can benefit from a specific offer from the Swisspass partner (e.g. discount for GA travelcard holders). In the event of loss, theft, misuse or forgery, or card replacement after the purchase of a service, the partner concerned will be informed. This data processing is necessary for the execution of the contract for the use of the Swisspass and therefore stems from this legal basis. You can find more information in the data privacy statement at swisspass.ch.
    • Leisure partners in connection with the use of joint offers
    • Service providers in connection with the arrangement of travel. If your journey involves foreign transport companies, the data will also be passed on to the respective foreign providers/transport companies. However, this will only be to the extent necessary to check the validity of the tickets and to prevent misuse.
    • Third-party systems connected to cariboo (our web store): We use various third-party systems connected to cariboo to generate online bookings and have direct contracts with the following third-party systems:
      • BiLL GmbH, Sonnenbodenstrasse 7a, CH-3076 Worb, Switzerland, offers distribution systems for public transport. Booking data for booked tickets is transmitted to BiLL.
      • Trekksoft AG, Hauptstrasse 15, 3800 Matten bei Interlaken, Switzerland, offers a platform for booking management in the tourism sector and specialises in outdoor activities. Booking data for booked experiences is transmitted to Trekksoft.
      • BpEvent is a software solution from Bankettprofi GmbH, Johannesstrasse 13, 67346 Speyer, Germany, for the organisation of business events and conferences. Booking data for table reservations is transmitted to BpEvent.
      • e-guma is a platform from Idea Creation GmbH, Walchestrasse 15, 8006 Zurich, Switzerland, for the sale of vouchers and gift cards for companies in various sectors. Booking data is transmitted to e-guma when vouchers or experiences are purchased.
         
  • Authorities: We may forward personal data to government departments, courts or other authorities in Switzerland and abroad if we are legally obliged or authorised to do so or if we deem this necessary in the protection of our legitimate interests. The authorities are solely responsible for any processing of the data about you that they receive from us.
     
  • Your personal data will not be disclosed to other third parties outside the public transport sector. The only exceptions are Swisspass partners (to the extent described below) and companies that have been authorised by the public transport companies, on the basis of a contractual agreement, to act as intermediaries for public transport services. These intermediaries only receive access to your personal data if you wish to obtain a public transport service through them and have given them your consent for access. Even in this case, they will only have access to your data to the extent necessary to determine whether you already have tickets or travel cards for the planned travel period that are relevant to your journey or the service you want from the third party. The legal basis for this data processing is therefore your consent. You can withdraw your consent at any time with effect for the future.

4.    Will your data be disclosed abroad?

As explained in Clause 3, we also disclose your data to other organisations. These organisations are not exclusively based in Switzerland. Consequently, your data may be processed in both Europe and in a third country, for example the USA.

If a recipient is situated in a country without appropriate legal data protection, we contractually require the recipient to adhere to applicable data protection standards (to this end we use the revised standard contractual clauses of the European Commission, which can be viewed here), insofar as the recipient is not already subject to a legally recognised set of regulations for ensuring data protection and we cannot rely on an exemption clause. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the processing of a contract requires such disclosure, if you have consented to the disclosure, or if it is a matter of data that you have made generally accessible and to the processing of which you have not objected. 

5.    How long and where will your data be stored?

We only store your personal data for as long as is required:
 

  • to perform the services that you have requested or to which you have given your consent to the extent that is laid out in this data privacy statement;
  • in order to use the tracking services mentioned in this data privacy statement within the scope of our legitimate interest.

Contractual data is stored by us for a longer duration, since this is required by legal data retention obligations. Retention obligations that oblige us to retain data are based on accounting regulations and tax law regulations. Provided the data is no longer needed to carry out services for you, any further processing of the data will be terminated. This means that the data may then only be used to comply with our retention obligations.

Below is an overview of the storage duration and locations of databases that process our customers' personal data.
 

Database Storage period Storage location
Database for group bookings Customer data will be deleted after 5 years of inactivity at the latest. Switzerland 
Sales database

Personal data is only stored for as long as necessary for the respective purpose or as required by law. 

Master data of registered persons will be deleted after five years of inactivity at the latest, provided there are no statutory retention obligations. Earlier deletion can take place at any time at the request of the person concerned. 

In the case of orders without an account, the master data will be deleted after the warranty period has expired or after the service has ended, provided there are no legal obligations for further storage. The deletion takes place either immediately or as part of regular deletion runs. 

Contract data that may contain personal information is stored for up to ten years in accordance with legal requirements. Once the period of active use has expired, this data is blocked and used exclusively for legally prescribed purposes such as accounting or tax matters.

Data relating to misuse, payment defaults or other legitimate reasons may be stored for five years, or ten years in the event of recurrence.

 

Switzerland/EU/EEA
Database for reservation management for culinary and event cruises Customer data will be deleted after 5 years of inactivity at the latest. EU/EEA 
Database for management of vouchersCustomer data will be deleted after 5 years at the latest, provided the voucher has been fully redeemed and there are no statutory retention obligations.EU/EEA 
Analytics database Raw data (incl. IP addresses) is deleted within 25 months. EU/EEA 
Financial database Data that we have to retain for accounting reasons is archived after the statutory period.   EU/EEA 
Customer relationship management system Completed customer contacts are anonymised after 2 years. Switzerland 

6.    Data security

To protect your personal data that we have stored, we operate suitable technical and organisational security measures against manipulation, partial or total loss and unauthorised access by third parties. Our security measures are subject to continuous improvement in line with technological developments. We also take internal data protection very seriously. Our employees and external service providers commissioned by us are obliged to maintain confidentiality and comply with data protection regulations. We take reasonable precautions to protect your data. However, the transmission of information via the internet and other electronic means is always subject to certain security risks, and we can offer no guarantee for the security of information that is transmitted in this way.

7.    How are tracking & analytics tools used?

We use web analytics services for the purpose of designing and continuously optimising our website and mailings to meet needs. 

Insofar as the EU GDPR is applicable, your consent and/or our legitimate interest form the legal basis for this processing of personal data.

Tracking on internet pages
In connection with our internet pages, pseudonymised usage profiles are created and small text files ("cookies") stored on your computer are used (see "What are cookies and when are they used?" below). The information generated by cookies about your use of this website is transmitted to the servers of the providers of these services, stored there and processed for us. In addition to the data listed above (see "What data is processed when you use our internet pages?"), we thereby obtain the following information:
 

  • navigation path that a visitor follows on the website
  • time spent on the website or subpage
  • subpage from which the website is left
  • country, region or city from which access takes place
  • end device (type, version, colour depth, resolution, width and height of the browser window)
  • recurring or new visitor
  • browser type/version
  • operating system used
  • referrer URL (the previously visited site)
  • host name of the accessing computer (IP address) and
  • time of the server request

The information is used to evaluate the use of the web pages.

Tracking the sending of e-mails
We use the e-mail marketing services of third parties when sending emails. Consequently, our emails may contain what is known as a web beacon (tracking pixel) or similar technological tools. A web beacon is an invisible graphic the size of a single pixel that is linked to the user ID of the respective email subscriber.

For each newsletter sent, there is information on the address file used, the subject and the number of newsletters sent. In addition, it is possible to see which addresses have yet to receive the newsletter, to which addresses the newsletter was sent, and for which addresses the sending failed. In addition, the opening rate, including information on which addresses have opened the newsletter and which addresses have unsubscribed from the newsletter distribution list are discerned.

The utilisation of appropriate services enables the evaluation of the information listed above. In addition, click behaviour can also be recorded and evaluated. We use these data for statistical purposes and optimising the content of our messages. This enables us to better align the information and offers in our emails with the individual interests of the respective recipients. The web beacon is deleted when you delete the e-mail.

If you would like to prevent the use of the web beacon in our emails, please configure your email program in such a way that no HTML is displayed in messages, if this is not already the default setting. You can find example instructions for how to do this here.

We currently use the following tracking and analytics tools:
 

  • Piwik PRO Analytics Suite: Piwik PRO GmbH (headquartered in Germany) is the provider of the service Piwik PRO Analytics Suite that focuses on the user’s private sphere and data security and is tailored to the needs of organisations in the private and public sector. The tool contains the modules "Analytics", "Tag Manager" and "Consent Manager" and is fully compliant with the GDPR. User behaviour on the website is tracked with Piwik PRO Analytics (sessions, number of page views, entry and exit pages, custom conversions such as purchases, session duration, etc.). The reports generated on the basis of the user behaviour serve as a basis for us to improve the user experience on our website.
  • ClickDimensions: ClickDimensions is a marketing automation solution specially developed for Microsoft Dynamics. ClickDimensions is seamlessly integrated into Microsoft Dynamics 365 CMR. Microsoft Ireland Operations Limited (headquartered in Ireland) is the provider of the service and functions as the order processor. Microsoft Ireland Operations Limited relies on ClickDimensions LLC (headquartered in the USA) as its order processor for this purpose. ClickDimensions enables the analysis, planning, organisation, implementation and control of marketing measures. The primary functionality of ClickDimensions lies in email marketing. By using ClickDimensions, emails can be created, sent and tracked. After a marketing email has been sent, information is available in real time that allows conclusions to be drawn about which recipients have, for example, visited a website and what they were interested in. You can find further information here

8.    What are cookies and when are they used?

We use cookies in certain cases. Cookies are small files that are stored on your computer or mobile device when you visit or use one of our websites. Cookies store certain settings about your browser and data about exchanges with the website through your browser. When a cookie is activated, it can be assigned an identification number that identifies your browser and allows the information contained in the cookie to be used. You can configure your browser to display a warning on the screen before saving a cookie. You can also choose not to take advantage of personal cookies. Certain services cannot be used in this case.

We use cookies to evaluate general user behaviour. The aim is to optimise the digital presences. These are to be made easier to use and the content more intuitive to find. The aim is to structure them in a more comprehensible way. It is important to us to make the digital presences user-friendly according to your needs. This allows us to optimise the website by providing targeted content or information on the website that may be of interest to you.

You can configure your cookies using the following consent management tools: 

Piwik PRO GmbH, Kurfürstendamm 21, 10719 Berlin

Disabling cookies may result in you not being able to use all the functions of our website. 

Insofar as the EU GDPR is applicable, our legitimate interest forms the legal basis for this processing of personal data.

9.    What are social plug-ins and how are they used?

On our website, we link to the following social networks or our corresponding profiles on the sites:
 

  • Facebook: Facebook is operated at www.facebook.com by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, and at www.facebook.de by Facebook Ireland Limited, Hanover Reach, 5-7 Hanover Quay, Dublin 2, Ireland ("Facebook"). You can find an overview of the Facebook plugins and their appearance here. You can find information on data protection at Facebook here.
  • Google+ and YouTube: Google+ is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). You can find an overview of the Google+ plugins and their appearance here and information on data protection at Google+ here.
  • Instagram: Instagram is operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA ("Instagram"). You can find an overview of the Instagram plugins and their appearance here; information on data protection at Instagram is available here.
  • LinkedIn: For users based in Europe, the responsible entity for operating the platform is LinkedIn Ireland Unlimited Company, Dublin, Ireland. Their privacy policy can be found here.

Either the plugins are only displayed as graphics or with a link on our website, or the plugins are deactivated on our websites and therefore do not send any data to the social networks. When you click on the graphic or the plugin, you will be forwarded to the respective social media platform and the aforementioned provisions of the respective provider apply (see bullet points). Or you can activate all plugins by clicking on the "Activate plugins" button (so-called two-click solution). The plugins can, of course, be deactivated again with one click.

If the plugins are activated, your browser will establish a direct connection with the servers of the respective social network as soon as you access our website. The content of the plugin is transmitted directly to your browser by the social network and integrated into the website by it.

By integrating the plugins, the respective provider receives the information that your browser has accessed the corresponding page of our website, even if you do not have an account with this social network or are not currently logged in to it. This information (including your IP address) is transmitted from your browser directly to a server of the provider (usually in the USA) and stored there. We therefore have no influence on the scope of the data that the provider collects with the plug-in.

If you are logged in to the social network, it can assign the visit to our website directly to your user account. If you interact with the plug-ins, the corresponding information will also be transmitted directly to a server of the provider and stored there. The information can also be published on the social network and, under certain circumstances, may be displayed to other users of the social network.

The provider of the social network may use this information for the purposes of advertising, market research, and to customise the design of the respective offering. For this purpose, usage, interest and relationship profiles could be created, for example, to evaluate your use of our website with regard to the advertisements displayed to you on the social network, to inform other users about your activities on our website and to provide other services associated with the use of the social network.

The purpose and scope of the data collection and further processing and use of data by the providers of the social networks and the relevant rights and settings to protect your privacy can be found in the data protection information of the relevant providers.

If you do not want the provider of the social network to assign the data collected via our website to your user account, you must log out of the social network before activating the plugins.

Insofar as the EU GDPR is applicable, our legitimate interest forms the legal basis for this processing of personal data. 

10.    Displaying adverts on our internet pages and in our apps

We do not use third-party providers (ad servers) to place and use personalised adverts on our website bls-schiff.ch.

11.    What rights do you have?

With regard to your personal data, you have the following rights:

  • You can request information about your stored personal data.
  • You can request a correction, completion, restriction of use, or deletion of your personal data. The use of data will be restricted rather than deleting the data outright if there are legal obstacles to deletion (for example, legal obligations to retain data).
  • You may request that we provide certain personal data in a commonly used electronic format or transfer it to another controller.
  • If you have set up a customer account, you can delete this or request that it be deleted.
  • You can decline the use of your data for marketing and market research purposes.
  • You can withdraw your consent at any time with effect for the future.
  • In the case of automated, individual decisions, you have the right to express your point of view and request that the decision in question be reviewed by a natural person.

If you wish to exercise the above-mentioned rights against us or one of our group companies, please contact us in writing or send us an email; our contact information can be found in Section B. In order for us to rule out any potential misuse, we must identify you (e.g. with a copy of your ID, if this is not possible via any other method).

If you wish to request information or deletion of the data stored about you in the entire public transport system, you can do so in writing and with a copy of your ID card to SBB (SBB AG, Recht & Compliance, Fachstelle Datenschutz, Hilfikerstrasse 1, CH-3000 Bern 65). You can find further details of the information and deletion process within Public Transport Switzerland here.

Requests for information from the information system on travellers without a valid ticket in accordance with Art. 20a of the Swiss Federal Law on Passenger Transport (Bundesgesetzes über die Personenbeförderung, PGB) should be sent to the operator of the system at the following address:

PostAuto AG, 'SynServ', Pfingstweidstrasse 60b, CH-8080 Zurich

or via e-mail to: synserv@postauto.ch 

If you do not agree with our handling of your rights or data protection, please communicate this to us. In particular, if you are located in the EEA, in the United Kingdom or in Switzerland, you also have the right to complain to the data protection supervisory authority within your country.

You can find a list of the authorities within the EEA here

You can reach the supervisory authority of the United Kingdom here

12.    Changes to the privacy policy

Changes to this privacy policy may be necessary from time to time. BLS Schifffahrt reserves the right to amend this data privacy statement at any time with effect from a future date. The version published on this website is the currently applicable version.

E.    Updates

Last updated in May 2025

Cookie-Einstellungen

You can change your cookie settings at any time here: