1. Customer promise by public transport companies
Public transport companies handle customer data confidentially. The protection of your personality and your privacy is of utmost importance for us public transport companies. We guarantee that your personal data will be processed pursuant to the applicable provisions of data protection law. The public transport companies set an example with the following principles for the trustwor-thy handling of your data: You decide yourself about the processing of your personal data. Within the legal framework, you can refuse data processing at any time or revoke your con-sent to it or have your data deleted. You always have the option of travelling anonymously, i.e. without having your personal data recorded. We offer you added value when processing your data. Public transport companies use your personal data exclusively to offer you added value along the mobility chain (e.g. tailor-made offers and information, support or compensation in the event of disruption). Your data is therefore only used for the development, provision, optimisa-tion and evaluation of our services or for the maintenance of the customer relationship. Your data will not be sold. Your data will only be disclosed to selected third parties listed in this data protection declara-tion and only for the explicitly stated purposes. If we commission third parties with data pro-cessing, they are obliged to comply with our data protection standards.
We guarantee the security and protection for your data. Public transport companies guarantee the careful handling of customer data as well as the security and protection of your data. We ensure the necessary organisational and technical precautions for this. Below you will find detailed information on how we handle your data.
2. Responsibility for data processing
We, Matterhorn Gotthard Bahn (Bahnhofplatz 7, 3900 Brig, Switzerland), a public limited company, are responsible for the data processing listed in this data protection declaration, un-less otherwise stated. As a public transport company, we are required by law to carry out so-called direct transports (DT). For this purpose, certain data is exchanged with the transport companies (TC) and public transport associations as well as with third parties that distribute public transport products, and stored centrally in databases operated jointly by all TU and pub-lic transport associations. We are therefore responsible for individual data processing jointly with these TCs and associations. For more information on individual data processing, see sec-tion 12.
3. Data processing when visiting www.matterhorngotthardbahn.ch and www.gornergrat.ch
During your visit to our website, our servers temporarily save each access in a log file. The following data is collected without your intervention and stored until it is automatically deleted by us:
the IP address of the requesting computer,
the date and time of access,
the name and URL of the accessed file,
the website from which the access was made, if applicable with the search word used,
the operating system of your computer and the browser you use (incl. language set-ting),
device type in case of access by mobile phones
the city or region from where the access was made,
the name of your internet access provider.
4. Data processing during registration for a user account
For the voluntary creation of your user account on our website, we collect the following data, with mandatory data marked with an asterisk (*) in the corresponding form:
date of birth
We require the data to provide an overview of the services you have obtained and a simple way to manage your personal data, to process and administer our website, to check the plausibility of the data entered, i.e. to establish, structure the content of, process and amend the contractual relationships concluded with you via your user account. The e-mail address and the password together form the login data. The data in the customer account can be viewed and changed by the customer at any time. Finally, a customer can request the complete deletion of the customer account. The provision of data that is not marked as mandatory is provided on a voluntary basis. We process this data in order to tailor our offer to your personal needs in the best possible way, to facilitate the processing of contracts, to contact you via an alternative communication channel if required with a view to fulfilling the contract or for statistical collection and evaluation in or-der to optimise our offers. The legal basis for the processing of your data for the preceding purpose is your consent pursuant to Art. 6 (1) lit. a EU GDPR. You can revoke your consent at any time (see section 15), which would, however, be tantamount to deleting your customer account. If you link your customer account with a Swiss Pass account, changes to your personal data (e.g. change of address) and the services you have purchased are automatically reconciled and recorded in both accounts. For data processing in connection with your Swiss Pass account, please also note the infor-mation provided in section 14.5.
5. Data processing when using the website as a registered user
During the use of the website by logged-in registered users, we collect data for statistical reasons and to enable the smooth functioning of the website. In particular, the following data is collected:
the type, frequency and intensity of use of the website
the duration of your membership
the orders placed
the composition of the shopping basket
6. Data processing during purchase of services
If you would like to order products or book services on our website, such as train tickets, ho-tel accommodation, car transport tickets, vouchers or events, we require various data to pro-cess the contract. We collect – depending on the product or service – the following data, whereby mandatory data is marked with an asterisk (*) in the corresponding form:
your last name and first name, and, if applicable, those of other benefit recipients
postal address (street, house number, postcode, city, country)
information within the framework of the payment
date of birth
loading direction, loading time, vehicle type, trailer
number plate and country
existing tickets/subscriptions (e.g. Half-Fare Card)
In order to process the contractual relationship, we also collect data regarding the services you have obtained ("service data"). This includes – depending on the product or service – the following information:
type of product or service purchased
date and time of purchase
time of service provision (e.g. date of event, overnight stay or travel or duration of va-lidity)
place of departure and destination
We will also disclose this information to the relevant third-party service providers (e.g. transport companies (such as SBB; please also refer to the last paragraph of this section), hotels (such as the Grand Hotel Zermatterhof), online shop providers (ALTUROS Destinations GmbH, Lakeside B03, 9020 Klagenfurt, Austria), event organisers (such as the Verein Freilichtspiele Zermatt) or an insurance company (when booking travel cancellation insurance) to the extent necessary for the performance of the contract. The legal basis for this processing is the fulfilment of a contract pursuant to Art. 6 para. 1 lit. b EU GDPR. The provision of data that is not marked as mandatory is provided as voluntary. We process this data in order to tailor our offer to your personal needs in the best possible way, to facilitate the processing of contracts, to contact you via an alternative communication channel if neces-sary with a view to fulfilling the contract or for statistical collection and evaluation to optimise our offers. The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f EU GDPR in providing a personalised offer and optimising it. If you purchase services after opening a customer account or using your login data for the cus-tomer photo, we will store your data in the customer account (please also refer to sections 4 and 5). The legal basis for this data processing is your consent within the meaning of Art. 6 pa-ra. 1 lit. a EU GDPR. Data generated when purchasing public transport services is stored in a central database (see the section on shared responsibility in public transport) and also processed for other purposes, which include marketing purposes (see sections 11). Furthermore, the data is used in the con-text of ticket control to identify the holder of a personalised ticket and to prevent misuse. The data is also used to provide our service-après-vent, to identify and assist you in the event of concerns or difficulties, and to process any compensation claims. As well, the data is used to distribute the revenue generated by the purchase of tickets fairly among the companies and affiliates of direct transport. The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f EU GDPR.
7. Data processing by video cameras during car transport
The car transport access area is monitored by cameras. The cameras make video recordings of all vehicles using the car transport and also scan the number plates of the vehicles for this purpose. The purpose of this processing is to prevent misuse. The legal basis for this is our legitimate interest in controlling misuse within the mean-ing of Art. 6 Para. 1 lit. f. GDPR. When purchasing an online ticket for a car transport (e.g. Furka car transport), you can register your number plate in the online shop. The number plates of the vehicles scanned by the cam-era are compared with the list of number plates entered when ordering the online ticket. If a valid ticket has been deposited with the online shop operator (ALTUROS Destinations GmbH, Lakeside B03, 9020 Klagenfurt, Austria) for your number plate, you will be granted access. The legal basis for the processing of your data for this purpose is your consent within the meaning of Art. 6 Para. 1 lit. a EU-GDPR. It is also possible to purchase an anonymous ticket without recording your number plate. The video recordings made are stored for seven days and then deleted. The service providers op-erating the camera system for us (Schenk AG, Fännring 1, 6403 Küssnacht am Rigi) have ac-cess to the video recordings. The data is stored with Matterhorn Gotthard Bahn. We reserve the right to store the data for a longer period and to pass it on to third parties in justified indi-vidual cases (e.g. for the enforcement of claims or the filing of charges).
8. Data processing when using the contact form
In the event that you contact us using the contact form on the website, we collect the follow-ing data from you, whereby mandatory data in the corresponding form is marked with an as-terisk (*):
field which your message pertains to
first name and last name
address (street, city, country)
We use this data exclusively to answer the questions you have asked or to provide the ser-vices you have requested. The collection of your first and last name as well as your address allows us to provide targeted customer service to existing customers and to efficiently pre-pare offers for potential new customers. Furthermore, your country of residence allows us to inform you of any country-specific factors. The legal basis for this data processing is the re-quirement to execute pre-contractual measures within the meaning of Art. 6 para. 1 lit. b EU GDPR. The provision of data that is not marked as mandatory is provided on a voluntary basis. We process this data, as well as data that is not related to a potential contract, in order to deal with your request in the best possible way pursuant to your personal needs, to facilitate the preparation and execution of future contracts, to contact you regarding the concluding and fulfilling of the contract or to deal with your request via an alternative communication channel if required, or for statistical collection and evaluation in order to optimise our offers. The legal basis for this data processing is our legitimate interest according to Art. 6 para. 1 lit. f EU GDPR in handling contact requests.
9. Data processing for purchases in the Pandinavia AG sou-venir shop
On our website you will find the section "Souvenirs". After clicking on the corresponding link, you will be taken to another website. This website is operated on our behalf by Pandinavia AG (Industriestrasse 30, CH-8302 Kloten), on their servers. Pandinavia AG is solely respon-sible for data processing in connection with the souvenir shop, and we have no influence over this. When using the souvenir shop website, the data protection guidelines and GTCs of Pan-dinavia AG apply accordingly.
10. Data processing when using the online Photopoint station and ordering your personalised video
You can take a photo at the Photopoint of the Gornergrat mountain station, which will then be integrated into the personalised video of your ride on the Gornergratbahn (see below). To take a photo, you need to scan your Skidata ticket or SwissPass at the Photopoint. Only the re-spective card number will be recorded for further processing. No other information will be processed when the photo is taken. The respective number is linked to your photo. However, the photo does not identify you by name. The photo and the respective card numbers are passed on to the third-party service provider, ALTUROS Destinations GmbH, Lakeside B03, 9020 Klagenfurt, Austria (hereinafter ALTUROS). You can then order and download a personalised video of your ride on the Gornergratbahn from our website. The photo taken at the Photopoint will also be processed for this purpose. To do so, we require the following mandatory information from you:
SwissPass number or skidata number
first name and last name
country of origin
We will pass this information on to ALTUROS. The data you provide for the download, as well as the photo created at Photopoint, will be stored on ALTUROS' servers. ALTUROS will use this data and the photo to create your personalised video on our behalf. The legal basis for the processing of your data for the order of the personalised video is the fulfilment of a contract pursuant to Art. 6 para. 1 lit. b EU GDPR.
Deactivating cookies may mean that you cannot use all the functions of our website.
12. Google SiteSearch / Google Custom Search Engine
13. Use of your data for marketing purposes
13.1 Central data storage and analysis in our CRM system
13.2 Newsletter / E-mail advertising
You will only receive a newsletter or e-mail advertising from us at your express request. Reg-istration on the website is required for this. The following data must be provided as part of the registration:
first and last name
By registering you give us your consent to process this data for the purpose of sending you communications regarding our company, our tourism and transport offers and related prod-ucts and services (such as souvenirs or hotel accommodation) from us, the companies in which BVZ Holding holds an interest and selected partner companies, such as hotels or ser-vice providers in municipalities in our route network. This may also include requests to parti-cipate in surveys (market research) or competitions or to evaluate one of the aforementioned services/products or companies. We will use your data for e-mailing until you revoke your consent. Revocation is possible at any time. You will also find an unsubscribe link in every advertising e-mail. Our promotional e-mails may contain a so-called web beacon (tracking pixel) or similar tech-nical means. A web beacon is a 1x1 pixel invisible graphic, that is associated with the user ID of the respective newsletter subscriber. For each advertising e-mail sent, there is information available on the address file used, the subject and the number of advertising e-mails sent. In addition, it is possible to see which ad-dresses have not yet received the e-mail, to which address it was sent and for which ad-dresses the sending failed. In addition, we see which addresses have already opened the e-mail. Finally, we also receive information regarding the addresses that have unsubscribed. We use this data for statistical purposes and to optimise our advertising e-mails in terms of content and structure. This enables us to better tailor the information and offers in our e-mails to the individual interests of the recipients. The tracking pixel is deleted when you delete the e-mail. To prevent the use of the web beacon in our advertising e-mails, please set your e-mail pro-gramme so that HTML is not displayed in messages, if this is not already the case by default. On the following pages you will find explanations on how to change this setting in the most common e-mail programmes.
Mail for Mac ("Load removed content in messages")
By registering you give us your consent to process the data provided for the regular sending of promotional e-mails to the address you have provided and for the statistical evaluation of usage behaviour as well as the optimisation of the newsletter. This consent constitutes our legal basis for the processing of the data within the meaning of Art. 6 para. 1 lit. a EU GDPR. We use e-mail marketing software by Alturos Destinations (Lakeside B03, 9020 Klagenfurt, Austria) to send out promotional e-mails. For this purpose, your data is stored on a Braze da-tabase system (77 Hatton Garden, 4th Floor, Holborn, London EC1N 8JS, United Kingdom), so that your data may be accessed by Alturos and Braze to the extent necessary to provide the software and support for the use of the software. The legal basis for this transfer is our legitimate interest within the meaning of Art. 6 para. 1 lit. f EU-DSGVO in having recourse to third-party service providers. In certain cases, contact may also be made by SBB or another company involved in direct transport under strict conditions. You can refuse to be contacted by SBB (e.g. in connection with your General or Half-Fare Card) or by other public transport companies at any time. The following options are available for this purpose:
Every e-mail you receive from public transport companies contains an unsubscribe link that allows you to unsubscribe from further messages with one click.
Provided you have a SwissPass login, you can log on to www.swisspass.ch and manage your settings for receiving messages in your user account at any time.
You can also deregister at any counter of a public transport company.
13.3 Tracking tools
13.3.1 General information
For the purpose of demand-oriented design and continuous optimisation of our pages, we use the web analysis services listed below. In this context, pseudonymised usage profiles are created and cookies are used (please also refer to section 9). The information generated by the cookie about your use of this website is generally transmitted together with the data listed in section 3 to a server of the service provider, where it is stored and processed; this may also involve transmission to servers in the USA. In this case and by means of contractual arrangements with these companies, we guarantee that your data is adequately protected at these companies. By processing the data, we obtain the following information:
navigation path followed by a visitor on the site (incl. content viewed and products se-lected or purchased),
dwell time on the website or sub-page,
the sub-page on which the website is left,
the country, region or city from where access is made,
end device (type, version, colour depth, resolution, width and height of the browser window) and
returning or new visitor
The provider will use this information on our behalf to evaluate the use of the website, to com-pile reports on website activities for us and to provide other services associated with website and internet use for the purposes of market research and demand-oriented design of these webpages. This information may also be transferred to third parties if this is required by law or if third parties process this data on our behalf. The legal basis for this data processing with the following tools is your consent within the meaning of Art. 6 para. 1 lit. a EU GDPR. You can revoke your consent at any time by reject-ing or deactivating the relevant cookies in the menu bar of your web browser (see section 9) or by making use of the options described below.
13.3.2 Google Analytics and Google Optimize
13.3.3 Crazy Egg
We use the web tracking tool Crazy Egg on our website. Crazy Egg is operated by Crazy Egg Inc. (6220 E. Ridgeview Lane, La Mirada, CA, 90638, USA).
In doing so, the data described regarding the use of the website is transferred to a Crazy Egg server in the USA for the processing purposes explained (see section 11.4.1) and stored there. The tool also allows us to recognise which areas of our website are visited and clicked on most often by means of a so-called "heat map" or "scroll map". For this purpose, a usage profile is visually displayed. Accordingly, the web analysis tool records in particular mouse movements, clicks and entries of website users. This creates a log of mouse movements and clicks with the intention of randomly replaying individual website visits and deriving from this potential improvements for the website. We have contractual guarantees to ensure that Crazy Egg maintains a sufficient level of data protection.
You can prevent the collection and transfer of the data generated by the cookie relating to your use of the website (including your IP address) to Crazy Egg and the processing of this data by Crazy Egg by following the instructions at the following link: http://www.crazyegg.com/opt-out.
We use the Fusedeck tool on our website for campaign tracking. The provider of Fusedeck is Capture Media AG, Löwenstrasse 3, 8001 Zurich, Switzerland. The central storage location of all tracking data is in the European Union or optionally in Switzerland. All data collected with Fusedeck shall not be shared with third parties, and Capture Media AG will not use the collected tracking data for its own purposes. Fusedeck allows tracking in three ways: classic full cookie tracking, cookie-less user tracking or cookie-less session tracking. With full cookie tracking, an identifier is persistently written to the user's device in order to uniquely recognise the device and user (also refer to section 11 on cookies). The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a EU GDPR. With cookie-less user tracking and cookie-less session tracking, you as a user are not tracked individually and solely anonymised data is used. Further information on data processing by Fusedeck can be found in the Fusedeck data protection statement: https://fusedeck.com/en/privacy-policy/.
13.4 Links, plugins and tools from social media networks
13.4.1 Links to social media networks
You will find links to social media networks on our website. These are not plugins provided by the provider which transmit data to the provider when the page is loaded, without the user having any influence. The buttons to the social media networks merely contain a link to the social media network including the transfer of the website to be shared. No user data is transmitted from the website to the social media network. The links lead to the following networks:
Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA,
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (www.matterhorngotthardbahn.ch only)
Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025, USA
YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA
When you call up a link to one of our social media profiles, a direct connection is established between your browser and the server of the social network concerned. This provides the network with the information that you have visited our website with your IP address and ac-cessed the link. If you call up a link to a network while you are logged into your account with the network in question, the content of our site may be linked to your profile with the network, which means that the network can assign your visit to our website directly to your user ac-count. To prevent this from happening, you must log out before clicking on the corresponding links. An assignment will take place in any case if you log in to the relevant network after clicking on the link.
13.4.2 Social plugins
You can use the social plugins listed below on our website:
Facebook; Facebook Inc. (1601 S. California Ave, Palo Alto, CA 94304, USA)
Twitter; Twitter Inc. (795 Folsom St., Suite 600, San Francisco, CA 94107, USA)
Social plugins are used to make our websites more personal. Your browser establishes a direct connection with the servers of the respective social net-work as soon as you call up our website. The content of the plugin is transmitted directly to your browser by the social network and integrated into the website by it. By integrating the plugins, the respective provider receives the information that your browser has accessed the corresponding page of our website, even if you do not have an account with this social network or are not currently logged in to it. This information (including your IP address) is transmitted from your browser directly to a server of the provider (usually in the USA) and stored there. We therefore have no influence on the scope of the data that the pro-vider collects with the plugin. If you are logged into the social network, it can assign your visit to our website directly to your user account. If you interact with the plugins, the corresponding information is also transmit-ted directly to the provider’s server and stored there. The information may also be published on the social network and displayed for other users of the social network to see. The provider of the social network may use this information for the purposes of advertising, market research and designing the respective offer in line with requirements. For this pur-pose, usage, interest and relationship profiles could be created, e.g. to evaluate your use of our website with regard to the advertisements displayed to you on the social network, to in-form other users about your activities on our website and to provide other services associat-ed with the use of the social network. For the purpose and scope of the data collection and the further processing and use of the data by the providers of the social networks, as well as your rights in this regard and setting options for protecting your privacy, please refer directly to the data protection notices of the respective provider (Facebook: https://www.facebook.com/about/privacy/update; Twitter: https://twitter.com/de/privacy). If you do not want the provider of the social network to assign the data collected via our web-site to your user account, you must log out of the social network before activating the plugins. Your consent within the meaning of Art. 6 (1) lit. a EU GDPR forms the legal basis for the data processing described.
13.4.3 Facebook pixel / Facebook custom audience
We use so-called re-targeting technologies. This involves analysing your user behaviour on our website in order to be able to offer you individually tailored advertising on partner websites. Your user behaviour is recorded pseudonymously. Most re-targeting technologies work with cookies (also refer to section 11). The data on user behaviour is thereby also made available to the parties involved in the advertising networks, in particular their operators. The data may then be analysed for the purpose of billing the advertising network and assessing the effectiveness of advertising measures in order to better understand the needs of our users and customers and to improve future campaigns. This may also include the information that a booking or the purchase of a service is due to a specific advertisement.
220.127.116.11 DoubleClick and Remarketing by Google
This website uses DoubleClick by Google, a service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"), to place ads based on the use of previously visited websites. Google uses the so-called DoubleClick cookie for this purpose, which your browser to be recognised when visiting other websites. The information generated by the cookie about your visit to these websites (including your IP address) will be transmitted to and stored by Google on servers in the United States (for information on data transfers to the United States, please refer to section 16). Google will use this information for the purpose of evaluating your use of the website in relation to the advertisements to be displayed, compiling reports on website activity and advertisements for website operators and providing other services relating to website activity and internet usage. In addition, DoubleClick can use cookie IDs to record so-called conversions that are related to ad requests. This is the case, for example, when a user sees a DoubleClick ad and later visits the advertiser's website with the same browser and makes a purchase there. We also use Google Remarketing, also called retargeting, a technology that allows us to follow potential customers through Google ads. When you visit our website, an ID that recognises you is added to a remarketing list. For this purpose, Google stores cookies on your terminal device. The remarketing lists are based on the remarketing tag, which is created by linking our conversion ID and conversion label to the cookie. The remarketing lists are not based on a link to uploaded customer lists. Then, when you visit another website that is also linked to the Google advertising network, you may be shown one of our ads. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. However, Google has stated that it will not associate your IP address with any other data held by Google. Further information on data protection at Google can be found here. We also use Google Tag Manager to manage the usage-based advertising services. The Tag Manager tool itself is a cookie-less domain and does not collect any personal data. Rather, the tool triggers other tags, which in turn may collect data (for more information, see above). If you have deactivated a tag at the domain or cookie level, this remains in place for all tracking tags that are implemented with the Google Tag Manager. The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a EU GDPR. You can revoke your consent at any time by rejecting or deactivating the relevant cookies in the menu bar of your web browser (for more information, refer to section 11).
18.104.22.168 Re Targeting with Facebook Pixel
We also use the Facebook Pixel for re-targeting purposes. With the help of the Facebook Pixel, we can track the Facebook ads you have seen when visiting our website, which subpages you visit and which products you add to your shopping cart. This information is used to offer you individually tailored advertising on partner websites as well (for more information on the Facebook Pixel refer to section 13.4.3). The legal basis for data processing in connection with Facebook Pixel is your consent within the meaning of Art. 6 para. 1 lit. a EU GDPR.
14. Mutual responsibility in public transport
15. Disclosure of data to third parties or granting of access to data to third parties
16. Transmission of personal data abroad
Your data is generally stored in databases within Switzerland. However, we are also entitled to transmit your personal data to third companies abroad if this is required in connection with the processing of your enquiries, the provision of services and marketing campaigns (see in par-ticular section 11). In doing so, the legal requirements for the transfer of personal data to third parties will of course be complied with. If the country in question does not have an adequate level of data protection, we guarantee through contractual arrangements with these compa-nies that your data is adequately protected at these companies.
17. Your rights
You can object to data processing at any time, especially data processing in connection with direct advertising (e.g. against advertising e-mails). You also have the following rights: Right of access: You have the right to request access to your personal data stored by us at any time and free of charge when we process it. This gives you the opportunity to check which personal data we process about you and that we use it pursuant to applicable data pro-tection regulations. Right to rectification: You have the right to have inaccurate or incomplete personal data corrected and to be informed about the correction. In this event, we will inform the recipients of the data concerned about the adjustments made, unless this is impossible or involves a disproportionate effort. Right to deletion: You have the right to have your personal data deleted under certain cir-cumstances. In individual cases, especially in the case of statutory retention obligations, the right to deletion may be excluded. In this event, the deletion may be replaced by a blocking of the data if the conditions are met. Right to restrict processing: You have the right, under certain conditions, to request that the processing of your personal data be restricted. Right to data transmission: If the legal requirements are met, you have the right under cer-tain circumstances to receive from us, free of charge, the personal data that you have pro-vided to us in a readable format. Right of revocation: In principle, you have the right to revoke your consent at any time. However, processing activities based on your consent in the past do not become unlawful as a result of your revocation. To exercise your rights, please send us an e-mail to the following address: firstname.lastname@example.org or email@example.com Right to appeal: You have the right to appeal to a competent supervisory authority about the manner in which your personal data is processed.
18. Data security
We use appropriate technical and organisational security measures to protect your personal data stored with us against manipulation, partial or complete loss and against unauthorised access by third parties. Our security measures are continuously adapted in line with techno-logical developments. However, the transmission of information via the internet and other electronic means always involves certain security risks and we cannot guarantee the securi-ty of information transmitted in this way. When you register with us as a customer, access to your customer account is only possible after entering your personal login details in each case. You should always keep your payment information confidential and close the browser window when you have finished communi-cating with us, especially if you share the computer with others. We also take internal data protection very seriously. Our employees and the service compa-nies commissioned by us are obliged by us to maintain confidentiality and to comply with the provisions of data protection law. Furthermore, they are only granted access to personal data to the extent necessary.
19. Retention periods
We shall only store personal data for as long as is required to carry out the above-mentioned tracking services and other processing within the scope of our legitimate interest. We retain contractual data for a longer period of time, as this is required by statutory retention obligations. Retention obligations that oblige us to retain data result from accounting regula-tions and tax regulations. According to these regulations, business communications, con-tracts concluded and accounting vouchers must be kept for up to 10 years. As soon as we no longer need this data to perform services for you, the data is blocked. This means that the data may then only be used for accounting and tax purposes.
If you have any questions regarding data protection, please contact our data protection of-ficer. BVZ Holding AG Matterhorn Gotthard Bahn AG Data Protection Officer Bahnhofplatz 7 3900 Brig firstname.lastname@example.org How to contact our data protection representative in the EU MLL EU-GDPR GmbH Ganghoferstrasse 33 DE-80339 München email@example.com firstname.lastname@example.org Effective: November 2021