Data privacy statement

for distribution model surveys by National Direct Service based on the myJourney app

Last updated 11 Oct. 2023

Table of contents

1. Applicability
2. Contact
3. Purpose and legal basis of the distribution model surveys
4. Where does the data come from?
5. What data do we process?
   1. Data processing for the delivery of invitations
   2. Data processing for registration in the myJourney app
   3. Data processing in the myJourney app
   4. Data processing for support
   5. Data processing for participation in the competition
6. Where is the data stored?
7. How long will your data be kept for?
8. Will your personal data be shared with third parties?
9. Push notifications
10. Crash reports
11. What are beacons and how are they used?
12. What are your rights?
13. Data security

1 Applicability

This data privacy statement applies to the processing of personal data in connection with the pilot project for the distribution model surveys of public transport tickets carried out by National Direct Service (NDV) with the "myJourney" app from Alliance Swisspass.

In this data privacy statement, we will explain how we use your personal data and why we need it. This data privacy statement applies to the processing of personal data within the scope of the Swiss Data Protection Act (DSG) and the General Data Protection Regulation (GDPR) of the European Union.

2 Contact

The company responsible for processing personal data for the NDV distribution model surveys is the ch-integral association, which is responsible for managing the office of Alliance SwissPass, Länggassstrasse 7, 3012 Bern. If you have any questions about data privacy, please use the following contact details:

ch-integral
c/o Alliance SwissPass Office
Data privacy
Länggassstrasse 7
3012 Bern
datenschutz@allianceswisspass.ch

3 Purpose and legal basis of the distribution model surveys

Your National Direct Service (NDS) travelcard entitles you to use the route networks of public transport companies all over Switzerland. This app-based survey uses tracking technology to tell us about the journeys you have made within a specific period (for example, one month). We need this information so that we can distribute the income from NDS travel passes – such as the GA Travelcard, for example – fairly to the different transport companies. By taking part, you are helping us discharge our legal responsibilities.

The head office of Alliance SwissPass, which is managed by ch-integral, has a statutory mandate prescribed by the Swiss law governing the carriage of passengers (PBG) to collect the travel information required to distribute the income from ticket sales equitably. The office has a mandate to distribute the revenues received by National Direct Service on behalf of the transport companies. The mandate is embodied in the agreement on the cooperation between National Direct Service and the public transport associations ( Ue500). For more information about the distribution model survey, please visit the following link.

The data collected is anonymized prior to evaluation and analysis. Under no circumstances will your data be used for advertising purposes or sold to third parties.

4 Where does the data come from?

Data from the sale of NDS travel passes is kept in a central database, which is managed on our behalf by SBB AG. Access to the shared databases by individual transport operators and associations is regulated and limited by a common agreement. Sharing and processing of the centrally stored data is normally limited to contract processing, ticket control, after-sales service and revenue distribution. The sharing of data with service providers is explained in the data privacy statements of the individual transport companies.

We obtain the personal data required to distribute revenues and administer the distribution model from the above-mentioned database, from the tickets collected by the sales systems and from the myJourney app (see Chapter 5).

5 What data do we process?

5.1 Data processing for the delivery of invitations

In order to invite our target groups to participate in the public transport ticket survey, we need their contact and travel pass details (see Chapter 4). More specifically, we process the following data:

• First name and surname of customer/passenger
• Gender
• Language of communication
• Email

The personal data is completely anonymized by our partner Intervista once the invitations have been sent.

5.2 Data processing for registration in the myJourney app

Data obtained from the use of the myJourney app is pseudoanonymized. The invitation to use the app contains a personal registration code. When you register, you do not have to provide any personal data, such as your first or last name. We identify your user account via a pseudonymized identifier (known as a UUID) in our partner's backend system. This is derived from your registration code, email address and the password you have chosen.

5.3 Data processing in the myJourney app

Data processing in the app occurs only if you install the app and agree to the terms of use. In other words, it requires your explicit consent. To accomplish the purpose of revenue distribution, the following data is collected and stored on the server of our partner, MotionTag GmbH:

Mobility data:

• Pseudonymized Universally Unique Identifier (UUID)
• Period covered by the survey
• Date of travel
• Route (departure point, destination, connection points)
• Time of the localization
• Geocoordinates and accuracy (obtained via GPS or the device's location service)
• Acceleration values (obtained from sensors in the smartphone)
• Location tracking by the operating system
• Validation, corrections or additions of travel routes (manual input)
• Beacon signals (scanned by the app and processed when beacons from public transport vehicles), see Chapter 10
• Mode of transport and operator used (obtained via beacons)

Technical details:

• Metadata (device type, device settings, app settings)
• Operating system version
• App version
• Usage and communication data (app use and data transmission times, battery status, connection status)

The travel data collected is evaluated without reference to individuals. The data is anonymized and[G(3] [DPG(VGC4] [SH5] consolidated into general, impersonal information on the use of the ticket. The data is therefore completely anonymous and cannot be linked to any specific or identifiable persons.

5.4 Data processing for support

To enable us to respond to your queries via the app or contact form, we will process your first and second name, email address, usage data (e.g., access and transmission times), meta/communication data (e.g., device information and settings) and the message you have sent. No connection will be made with the mobility data collected in the app.

5.5 Data processing for participation in the competition

Your contact details will also be used in connection with the competition provided you have consented to this and only for the purpose of delivering the prizes.

6 Where is the data stored?

Your personal data will be processed and stored in Switzerland and Germany.

7 How long will your data be kept for?

The data is irrevocably anonymized six months after the end of the project. From then on, no personal references to individuals will exist. The travel data stored by our partner Motiontag is deleted in its entirety on an ongoing basis or at the latest after twelve months.

8 Will your personal data be shared with third parties?

Your personal data will only be shared with selected, authorized service providers – and only to the extent necessary for them to provide their service.

These include:

• IT and hosting service providers
• Delivery service providers

We operate the myJourney app in cooperation with MotionTag GmbH, based in Potsdam, Germany. We send out invitations (see Chapter 5.1) together with Intervista AG, based in Bern and Zurich, Switzerland. Our tool for processing travel data and selecting samples is managed by our hosting partner EveryWare AG, based in Zurich, Switzerland.

All of our partners process your data on behalf of the ch-integral association or the office of the Alliance SwissPass and are contractually obliged to comply with this data privacy statement and all relevant data protection regulations.

9 Push notifications

We use Google Analytics, a web analysis service from Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA, in conjunction with the myJourney app. Google Ireland Limited is responsible for users based in the European Economic Area (EEA) and Switzerland.

If you agree, we can send you "push notifications". These are messages that are displayed on your device even when you are not actively using our app. Push notifications require the explicit consent of the recipient. As part of the app's onboarding process, you will be asked if you agree to receive notifications. You are free to accept or decline. If you reject the request, you will not receive any notifications. You can revoke authorization at any time or limit the notifications to certain categories (such as error messages) from the Settings section of your device.

Push notifications may contain:

• Information about the survey being carried out or reminders about the start or end of the survey period
• Reminders to validate the routes detected
• Hints and tips on the content of the app and how to use it
• Information about new features, settings or problems that require action on your part

10 Crash reports

We use Google Analytics, a web analysis service from Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA, in conjunction with the myJourney app. Google Ireland Limited is responsible for users based in the European Economic Area (EEA).

As part of the app's onboarding process, you will be asked whether you agree to Firebase Crashlytics collecting crash reports. You are free to accept or decline. If you decline, no crash reports will be sent. You can check your decision and (de)activate the crash reports setting at any time via the app's Settings section. The app only uses the default Firebase Crashlytics configuration and shares as little data as possible. The app does not make use of the option provided by Firebase Crashlytics to add additional parameters or user identities to the crash reports.

The types of data provided include:

• Meta/communication data (device information, operating system information, app or SDK runtime data)
• Usage data (access times)

11 What are beacons and how are they used?

Beacons are small, mostly autonomous transmitters that use Bluetooth Low Energy (BLE) to send an identification number to smartphones. When a smartphone receives this identification number, it is matched by the myJourney app. This enables locations to be established more accurately and in a more energy-efficient way than is possible with GPS alone. The beacons themselves cannot store any personal data.

12 What are your rights?

You have the following rights to your data, which you can exercise at any time

• You may request information about your stored personal data
• You may request that your personal data be corrected, supplemented, blocked or deleted
• You can delete your account or ask to have it deleted
• You can revoke your consent to future data processing
• You can ask for your data to be transferred to a third party
• You can ask for the recording of your transaction data in the application to be stopped. Once this has been done, the functionality of the application will no longer be guaranteed.

You can request information about your stored data at any time. To do this, please refer to our contact details.

You also have the right to submit any concerns or questions to the Federal Data Protection and Information Commissioner (FDPIC)) at any time.

13 Data security

We use appropriate technical and organizational security measures to protect the personal data stored with us against manipulation, partial or complete loss, and unauthorized access by third parties. Our security measures are continually improved in line with technological developments.

We take all necessary steps to ensure the safekeeping of your data. Sending information via the internet and other electronic means, however, always involves a degree of risk and we cannot guarantee the security of information sent in this way.