With this privacy policy, we inform you about the processing of personal data in connection with our activities and operations, including our website under the domain name www.bpg.ch. We specifically inform you about the purpose, how, and where we process which personal data. We also inform you about the rights of individuals whose data we process.

For individual or additional activities and operations, we may publish further privacy policies or other information on data protection.

We are subject to Swiss law as well as any applicable foreign law, in particular that of the European Union (EU) with the European General Data Protection Regulation (GDPR).

The European Commission recognized by decision of July 26, 2000, that Swiss data protection law provides adequate data protection. In a report dated January 15, 2024, the European Commission confirmed this adequacy decision.

1. Contact addresses

Responsible in the sense of data protection law is:
Basler Personenschifffahrt AG
Westquaistrasse 62
4057 Basel
Switzerland
[email protected]

In individual cases, third parties may be responsible for the processing of personal data or there may be joint responsibility with third parties. We are happy to provide affected individuals with information about the respective responsibility upon request.

1.1 Data protection officer or data protection consultant

We have the following data protection officer or the following data protection consultant as a point of contact for affected individuals and authorities for inquiries related to data protection:
Data protection officer
Basler Personenschifffahrt AG
Westquaistrasse 62
4057 Basel
[email protected]

1.2 Data protection representation in the European Economic Area (EEA)

We have the following data protection representation according to Art. 27 GDPR:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
[email protected]

The data protection representation serves affected persons and authorities in the European Union (EU) and in the rest of the European Economic Area (EEA) as an additional point of contact for inquiries related to the GDPR.

2. Terms and Legal Bases

2.1 Terms

Affected person: Natural person whose personal data we process.

Personal data: All information relating to an identified or identifiable natural person.

Particularly sensitive personal data: Data concerning trade union, political, religious or philosophical beliefs and activities, data concerning health, sexual orientation or membership in an ethnic or racial group, genetic data, biometric data that uniquely identify a natural person, data concerning criminal and administrative sanctions or prosecutions, and data concerning measures of social assistance.

Editing: Any handling of personal data, regardless of the means and methods used, such as querying, matching, adjusting, archiving, storing, reading out, disclosing, procuring, capturing, collecting, deleting, revealing, organizing, arranging, storing, modifying, disseminating, linking, destroying, and using personal data.

European Economic Area (EEA): Member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.

2.2 Legal bases

We process personal data in accordance with Swiss law, in particular the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

We process – to the extent that the European General Data Protection Regulation (GDPR) is applicable – personal data or personal information according to at least one of the following legal bases:

Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data to fulfill a contract with the data subject as well as to carry out pre-contractual measures.

Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to protect legitimate interests – including the legitimate interests of third parties – provided that the fundamental freedoms and rights as well as the interests of the data subject do not prevail. Such interests include in particular the sustainable, humane, secure, and reliable exercise of our activities and operations, ensuring information security, protection against abuse, enforcement of our own legal claims, and compliance with Swiss law.

Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under any applicable law of member states in the European Economic Area (EEA).

Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data to perform a task that is in the public interest.

Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the data subject.

Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect vital interests of the data subject or another natural person.

Art. 9 para. 2 ff. GDPR for the processing of special categories of personal data, in particular with the consent of the data subjects.

The European General Data Protection Regulation (GDPR) refers to the processing of personal data as processing of personal data and the processing of particularly sensitive personal data as processing of special categories of personal data (Art. 9 GDPR).

3. Type, scope, and purpose of the processing of personal data

We process those personal data that are necessary to carry out our activities and operations in a sustainable, user-friendly, secure, and reliable manner. The processed personal data may particularly fall into the categories of browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data. The personal data may also represent particularly sensitive personal data.

We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect in the course of our activities and operations, as far as such processing is permissible.

We process personal data, as far as necessary, with the consent of the affected individuals. We can process personal data in many cases without consent, for example, to fulfill legal obligations or to safeguard overriding interests. We may also request the consent of affected individuals when their consent is not required.

We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data, particularly depending on legal retention and limitation periods.

4. Disclosure of personal data

We may disclose personal data to third parties, have third parties process it, or process it jointly with third parties. Such third parties may include specialized providers whose services we utilize.

We may disclose personal data in the context of our activities and operations, particularly to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and economic information agencies, logistics and shipping companies, marketing and advertising agencies, media, parent, sister, and subsidiary companies, organizations and associations, social institutions, telecommunications companies, insurance companies, and payment service providers.

5. Communication

We process personal data to communicate with individuals as well as with authorities, organizations, and companies. In doing so, we particularly process data that an affected person transmits to us when contacting us, for example, by mail or email. We may store such data in an address book or with comparable aids.

Third parties who transmit data to us about other individuals are obliged to independently ensure the data protection of these affected individuals. They must particularly ensure that such data is accurate and may be transmitted.

We use selected services from suitable providers to enable and improve communication with individual persons and other communication partners. With such services, we can also manage and otherwise process the data of the affected persons beyond direct communication.

6. Applications

We process personal data about applicants as far as it is necessary for assessing their suitability for an employment relationship or for the later execution of an employment contract. The required personal data arises particularly from the requested information, for example, in the context of a job advertisement. We can publish job advertisements with the help of suitable third parties, for example in electronic and printed media or on job portals and job platforms.

We also process those personal data that applicants voluntarily provide or publish, particularly as part of cover letters, resumes, and other application documents as well as online profiles.

We process – insofar as and to the extent that the General Data Protection Regulation (GDPR) is applicable – personal data about applicants particularly in accordance with Art. 9 para. 2 lit. b GDPR.

We use selected services from suitable third parties to advertise positions via e-recruitment and to enable and manage applications.

7. Data security

We take appropriate technical and organizational measures to ensure a level of data security appropriate to the respective risk. With our measures, we particularly ensure the confidentiality, availability, traceability, and integrity of the processed personal data, without being able to guarantee absolute data security.

Access to our website and our other digital presence is carried out using transport encryption (SSL / TLS, particularly with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn against visiting a website without transport encryption.

Our digital communication is subject – like basically any digital communication – to mass surveillance without cause and suspicion by security authorities in Switzerland, in the rest of Europe, in the United States of America (USA), and in other countries. We cannot exert direct influence on the corresponding processing of personal data by intelligence services, police stations, and other security authorities. We also cannot exclude that an affected person is being specifically monitored.

8. Personal data abroad

We process personal data primarily in Switzerland and in the European Economic Area (EEA). However, we can also export or transmit personal data to other countries, particularly to process them there or have them processed.

We can export personal data to all countries on Earth and elsewhere in the universe, provided that the local law ensures adequate data protection according to the decision of the Swiss Federal Council and – to the extent that the General Data Protection Regulation (GDPR) is applicable – also according to the decision of the European Commission.

We can transmit personal data to countries whose laws do not ensure adequate data protection, provided that data protection is ensured for other reasons, particularly on the basis of standard data protection clauses or with other suitable guarantees. Exceptionally, we may export personal data to countries without adequate or suitable data protection if the specific data protection legal requirements are met, for example, the explicit consent of the affected persons or a direct connection with the conclusion or execution of a contract. We are happy to provide affected persons with information about any guarantees upon request or provide a copy of any guarantees.

9. Rights of affected persons

9.1 Data protection legal claims

We grant affected persons all claims according to applicable law. Affected persons have the following rights in particular:

Information: Affected persons can request information on whether we process personal data about them, and if so, which personal data it concerns. Affected persons also receive the information necessary to assert their data protection legal claims and to ensure transparency. This includes the processed personal data as such, but also information about the purpose of processing, the duration of storage, any disclosure or potential export of data to other countries, and the source of the personal data.

Correction and restriction: Affected persons can correct inaccurate personal data, complete incomplete data, and request the restriction of the processing of their data.

Opportunity for own position and human review: Affected persons can present their own position in decisions that are based solely on automated processing of personal data and that have legal effects for them or significantly affect them (automated individual decisions), and request a review by a human.

Deletion and objection: Affected persons can request the deletion of personal data ('right to be forgotten') and object to the processing of their data with effect for the future.

Data release and data transfer: Affected persons can request the release of personal data or the transfer of their data to another controller.

We can postpone, restrict, or deny the exercise of rights of affected persons within the legally permissible framework. We may inform affected persons of any prerequisites that must be met for the exercise of their data protection rights. For example, we may refuse to provide information in whole or in part, citing confidentiality obligations, overriding interests, or the protection of other individuals. We may also refuse the deletion of personal data in whole or in part, particularly citing legal retention obligations.

We may exceptionally charge fees for the exercise of rights. We inform affected persons in advance about any potential costs.

We are obligated to identify affected persons who request information or assert other rights with appropriate measures. Affected persons are required to cooperate.

9.2 Legal Protection

Affected persons have the right to enforce their data protection claims through legal means or to file a complaint with a data protection supervisory authority.

The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (EDÖB).

European data protection supervisory authorities are organized as members of the European Data Protection Committee (EDSA). In some member states of the European Economic Area (EEA), the data protection supervisory authorities are federally structured, particularly in Germany.

10. Use of the Website

10.1 Cookies

We may use cookies. Cookies – both first-party cookies and third-party cookies from services we use – are data stored in the browser. Such stored data do not have to be limited to traditional cookies in text form.

Cookies can be temporarily stored in the browser as 'session cookies' or for a specific period as so-called permanent cookies. 'Session cookies' are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies allow, in particular, to recognize a browser during the next visit to our website and thus, for example, measure the reach of our website. However, permanent cookies can also be used for online marketing.

Cookies can be completely or partially deactivated, restricted, or deleted at any time in the browser settings. The browser settings often also allow for automated deletion and other management of cookies. Without cookies, our website may not be fully available. We request – at least to the extent and as required by applicable law – active explicit consent for the use of cookies.

For cookies used for success and reach measurement or for advertising, a general objection ('opt-out') is possible for many services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

10.2 Logging

We can log at least the following information for each access to our website and our other digital presence, provided that this information is typically determined or transmitted during such accesses to our digital infrastructure: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, requested individual subpage of our website including transmitted data volume, last webpage accessed in the same browser window (referer).

We log such information, which may also represent personal data, in log files. The information is necessary to provide our digital presence permanently, user-friendly, and reliably. The information is also necessary to ensure data security – even through third parties or with the help of third parties.

10.3 Tracking Pixels

We can integrate tracking pixels into our digital presence. Tracking pixels are also referred to as web beacons. Tracking pixels – also from third parties whose services we use – are usually small, invisible images or scripts formulated in JavaScript that are automatically retrieved when accessing our digital presence. With tracking pixels, at least the same information as in logging in log files can be captured.

11. Notifications and Messages

11.1 Success and Reach Measurement

Notifications and messages may contain web links or tracking pixels that capture whether an individual message has been opened and which web links were clicked. Such web links and tracking pixels can also capture the use of notifications and messages on a personal basis. We need this statistical recording of usage for success and reach measurement to be able to send notifications and messages effectively and user-friendly based on the needs and reading habits of the recipients permanently, securely, and reliably.

11.2 Consent and Objection

You must generally consent to the use of your email address and other contact addresses, unless the use is permissible for other legal reasons. For obtaining a double-confirmed consent, we may use the "Double Opt-in" procedure. In this case, you will receive a notification with instructions for the double confirmation. We can log obtained consents including IP address and timestamp for proof and security reasons.

You can generally object to receiving notifications and messages such as newsletters at any time. With such an objection, you can simultaneously object to the statistical collection of usage for success and reach measurement. Required notifications and messages related to our activities and operations remain reserved.

11.3 Service providers for notifications and messages

We send notifications and messages with the help of specialized service providers.

We particularly use:
Brevo: Building and maintaining relationships with customers and users, particularly via email and instant messaging; provider: Sendinblue GmbH (Germany); information on data protection: "Data protection and data security", data protection declaration, "Security and data protection".

12. Social Media

We are present on social media platforms and other online platforms to communicate with interested individuals and to inform about our activities and operations. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).

The General Terms and Conditions (GTC) and Terms of Use as well as Privacy Policies and other provisions of the individual operators of such platforms also apply. These provisions particularly inform about the rights of affected persons directly towards the respective platform, including, for example, the right to information.

For our social media presence on Facebook, including the so-called page insights, we are – insofar as the General Data Protection Regulation (GDPR) is applicable – jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta companies (among others in the USA). The page insights provide information on how visitors interact with our Facebook presence. We use page insights to effectively and user-friendly provide our social media presence on Facebook.

Further information about the type, scope, and purpose of data processing, information about the rights of affected persons, as well as the contact details of Facebook and the data protection officer of Facebook can be found in Facebook's privacy policy. We have concluded the so-called 'Addendum for Controllers' with Facebook and have particularly agreed that Facebook is responsible for ensuring the rights of affected persons. For the so-called page insights, the corresponding information can be found on the page 'Information on Page Insights' including 'Information on Page Insights Data'.

13. Services from Third Parties

We use services from specialized third parties to carry out our activities and operations permanently, user-friendly, safely, and reliably. With such services, we can embed functions and content into our website. When embedding, the services used temporarily collect the IP addresses of the users for technically necessary reasons.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data in connection with our activities and operations in an aggregated, anonymized, or pseudonymized manner. This includes, for example, performance or usage data to be able to offer the respective service.

We use in particular:
Services from Google: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) partially for users in the European Economic Area (EEA) and in Switzerland; General information on data protection: «Handling of data protection & protective measures», privacy policy, «More information on how Google uses personal data», «Google is committed to complying with applicable data protection laws», «Guide to data protection in Google products», «How we use data from websites or apps where our services are used», cookie policy, «Advertising you can influence» (settings for personalized advertising).

13.1 Digital infrastructure

We use services from specialized third parties to access the necessary digital infrastructure in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.

13.2 Automation and integration of apps and services

We use specialized platforms to integrate and connect existing apps and services from third parties. We can also automate processes and activities with apps and services from third parties using such «no-code» platforms.

We use in particular:
Make: platform for the automation and integration of apps, services, devices, and systems; Provider: Celonis Inc. (USA); Information on data protection: privacy policy.

13.3 Scheduling

We use services from specialized third parties to schedule appointments online, for example for meetings. In addition to this privacy policy, any directly visible terms of the services used, such as terms of use or privacy policies, also apply.

13.4 Map material

We use third-party services to embed maps into our website.

We particularly use:
OpenStreetMap (OSM): map service; provider: OpenStreetMap Foundation (United Kingdom); data protection information: privacy policy.

13.5 Digital Content

We use services from specialized third parties to integrate digital content into our website. Digital content includes, in particular, image and video material, music, and podcasts.

We particularly use:
Vimeo: video platform; provider: Vimeo Inc. (USA); data protection information: privacy policy, «Private Video Hosting».

YouTube: video platform; provider: Google; YouTube-specific information: «Data Protection and Security Center», «My Data on YouTube».

13.6 Documents

We use services from third parties to integrate documents into our website. Such documents may include PDF files, presentations, spreadsheets, and text documents. We can enable not only viewing but also editing or commenting on such documents.

We particularly use:
Canva: digital documents; provider: Canva Pty Ltd (Australia); data protection information: privacy policy, «Trust», «Security at Canva», cookie policy.

Google Docs: documents, presentations, and spreadsheets; provider: Google; Google Docs-specific information: «Data Protection in Google Docs, Google Sheets, and Google Slides».

13.7 E-Commerce

We operate e-commerce and use third-party services to successfully offer services, content, or goods.

13.8 Payments

We use specialized service providers to process payments securely and reliably. The processing of payments is additionally subject to the legal texts of the individual service providers, such as General Terms and Conditions (GTC) or privacy statements.

We particularly use:
Adyen: Payment processing; provider: Adyen NV (Netherlands); data protection information: privacy statement, cookie policy.

Apple Pay: Payment processing; providers: Apple Inc. (USA) / Apple Distribution International Limited (Ireland); data protection information: privacy statement, ‘data protection regulation’, ‘Apple Pay & data protection’.

PayPal (including Braintree): Payment processing; providers: PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) / PayPal Pte. Ltd. (Singapore); data protection information: privacy statement, ‘statement on cookies and tracking technologies’.

PostFinance: Payment processing; provider: PostFinance AG (Switzerland); data protection information: ‘Legal notices and accessibility’, ‘data protection’ (including privacy statements).

TWINT: Payment processing in Switzerland; provider: TWINT AG (Switzerland); data protection information: privacy statement, ‘security according to Swiss standards’.

13.9 Advertising

We use the opportunity to specifically display advertising with third parties such as social media platforms and search engines for our activities and operations.

We want to reach people with such advertising, in particular those who are already interested in our activities and services or who might be interested (Remarketing and Targeting). For this purpose, we may transmit corresponding – possibly also personal – information to third parties that enable such advertising. We can also determine whether our advertising is successful, meaning in particular whether it leads to visits to our website (Conversion Tracking).

Third parties with whom we advertise and with whom you as a user are registered may possibly associate your use of our website with your profile there.

14. Extensions for the Website

We use extensions for our website to utilize additional functions. We may use selected services from suitable providers or use such extensions on our own digital infrastructure.

15. Success and Reach Measurement

We try to measure the success and reach of our activities and services. In this context, we can also measure the impact of third-party notices or check how different parts or versions of our digital presence are used ("A/B testing" method). Based on the results of the success and reach measurement, we can in particular fix errors, strengthen popular content, or make improvements.

For success and reach measurement, in most cases the IP addresses of individual users are recorded. In this case, IP addresses are generally shortened ("IP masking") to follow the principle of data minimization through the corresponding pseudonymization.

In the measurement of success and reach, cookies may be used and user profiles created. Any created user profiles may include, for example, the individual pages visited or content viewed on our digital presence, information about the size of the screen or the browser window, and the – at least approximate – location. In principle, any user profiles are created exclusively in a pseudonymized manner and are not used to identify individual users. Individual services from third parties, where users are registered, may possibly assign the use of our online offerings to the user account or user profile with the respective service.

We primarily use:
Google Tag Manager: Integration and management of services from Google and third parties, particularly for the measurement of success and reach; provider: Google; Google Tag Manager-specific information: Privacy policy for Google Tag Manager; further information on data protection can be found with the individual integrated and managed services.

16. Video surveillance

We use video surveillance to prevent crimes, to secure evidence in the case of crimes, to exercise and assert our own legal claims, to defend against foreign legal claims, and to exercise our house rights. This involves – as far as and to the extent that the General Data Protection Regulation (GDPR) is applicable – predominant legitimate interests according to Art. 6 para. 1 lit. f GDPR, particularly concerning sensitive personal data with reference to Art. 9 para. 2 lit. f GDPR.

We store recordings from our video surveillance as long as they are necessary for securing evidence or another stated purpose.

We may secure recordings from our video surveillance and transmit them to responsible authorities, such as particularly courts or law enforcement agencies, provided that the transmission is necessary for a stated purpose, in our other legitimate predominant interest, or due to legal obligations.

17. Final notes on the privacy policy

We have created this privacy policy using the privacy policy generator from privacy partner created.

We can update this privacy policy at any time. We will inform about updates in an appropriate manner, particularly by publishing the current privacy policy on our website.