1. Contact addresses
Responsible in the sense of data protection law is:
Basler Personenschifffahrt AG
Westquaistrasse 62
4057 Basel
Switzerland
[email protected]
In individual cases, third parties may be responsible for processing personal data or there may be joint responsibility with third parties. We are happy to provide affected individuals with information about the respective responsibility upon request.
1.1 Data protection officer or data protection consultant
We have the following data protection officer or the following data protection consultant as a point of contact for affected individuals and authorities regarding inquiries related to data protection:
Data protection officer
Basler Personenschifffahrt AG
Westquaistrasse 62
4057 Basel
[email protected]
1.2 Data protection representation in the European Economic Area (EEA)
We have the following data protection representation according to Art. 27 GDPR:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
[email protected]
The data protection representation serves affected persons and authorities in the European Union (EU) and in the rest of the European Economic Area (EEA) as an additional point of contact for inquiries related to the GDPR.
2. Terms and Legal Bases
2.1 Terms
Affected person: Natural person whose personal data we process.
Personal data: All information relating to an identified or identifiable natural person.
Particularly sensitive personal data: Data concerning trade union, political, religious or philosophical beliefs and activities, data concerning health, the intimate sphere or belonging to an ethnicity or race, genetic data, biometric data that uniquely identify a natural person, data concerning criminal and administrative sanctions or prosecutions, and data concerning measures of social assistance.
Editing: Any handling of personal data, regardless of the means and methods used, such as querying, matching, adjusting, archiving, storing, reading out, disclosing, obtaining, capturing, collecting, deleting, revealing, organizing, managing, saving, modifying, disseminating, linking, destroying, and using personal data.
European Economic Area (EEA): Member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.
2.2 Legal bases
We process personal data in accordance with Swiss law, particularly the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).
We process – insofar as and to the extent that the European General Data Protection Regulation (GDPR) is applicable – personal data or personal information according to at least one of the following legal bases:
Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data to fulfill a contract with the data subject as well as to carry out pre-contractual measures.
Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to safeguard legitimate interests – including the legitimate interests of third parties – provided that the fundamental freedoms and rights as well as the interests of the data subject do not prevail. Such interests include in particular the sustainable, humane, secure, and reliable exercise of our activities and operations, the assurance of information security, protection against abuse, enforcement of our legal claims, and compliance with Swiss law.
Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under any applicable law of member states in the European Economic Area (EEA).
Art. 6 para. 1 lit e GDPR for the necessary processing of personal data to perform a task that is in the public interest.
Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the data subject.
Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect vital interests of the data subject or another natural person.
Art. 9 para. 2 et seq. GDPR for the processing of special categories of personal data, in particular with the consent of the data subjects.
The European General Data Protection Regulation (GDPR) refers to the processing of personal data as processing of personal data and the processing of particularly sensitive personal data as processing of special categories of personal data (Art. 9 GDPR).
3. Type, scope and purpose of the processing of personal data
We process those personal data that are necessary to carry out our activities and operations in a sustainable, user-friendly, safe and reliable manner. The processed personal data may include, in particular, categories of browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data. The personal data may also represent particularly sensitive personal data.
We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect in the course of our activities and operations, provided that such processing is permissible.
We process personal data, where necessary, with the consent of the affected individuals. We can process personal data in many cases without consent, for example, to fulfill legal obligations or to safeguard overriding interests. We may also ask affected individuals for their consent when their consent is not required.
We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data, particularly depending on legal retention and limitation periods.
4. Disclosure of personal data
We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties may include specialized providers whose services we utilize.
We may disclose personal data as part of our activities and operations, particularly to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and economic information agencies, logistics and shipping companies, marketing and advertising agencies, media, parent, sister, and subsidiary companies, organizations and associations, social institutions, telecommunications companies, insurance companies, and payment service providers.
5. Communication
We process personal data to communicate with individuals as well as with authorities, organizations, and companies. In doing so, we particularly process data that an affected person provides to us when contacting us, for example, by mail or email. We may store such data in an address book or with comparable tools.
Third parties that provide us with data about other individuals are obliged to ensure the data protection of these affected individuals independently. They must particularly ensure that such data is accurate and may be transmitted.
We use selected services from suitable providers to enable and improve communication with individual persons and other communication partners. With such services, we can also manage and process the data of the affected persons beyond direct communication.
6. Applications
We process personal data about applicants as far as it is necessary for assessing their suitability for an employment relationship or for the subsequent execution of an employment contract. The required personal data particularly arises from the requested information, for example, in the context of a job advertisement. We can publish job advertisements with the help of suitable third parties, for example, in electronic and printed media or on job portals and job platforms.
We also process those personal data that applicants voluntarily provide or publish, particularly as part of cover letters, resumes, and other application documents as well as online profiles.
We process – as far as and to the extent that the General Data Protection Regulation (GDPR) is applicable – personal data about applicants particularly according to Art. 9 para. 2 lit. b GDPR.
We use selected services from suitable third parties to advertise positions through e-recruitment and to enable and manage applications.
7. Data security
We take appropriate technical and organizational measures to ensure a level of data security that is appropriate to the respective risk. With our measures, we ensure in particular the confidentiality, availability, traceability, and integrity of the processed personal data, without being able to guarantee absolute data security.
Accessing our website and our other digital presence is done via transport encryption (SSL / TLS, especially with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn against visiting a website without transport encryption.
Our digital communication is subject – like basically any digital communication – to mass surveillance without cause and suspicion by security authorities in Switzerland, in the rest of Europe, in the United States of America (USA), and in other countries. We cannot directly influence the corresponding processing of personal data by intelligence services, police stations, and other security authorities. We also cannot rule out that an affected person is being specifically monitored.
8. Personal data abroad
We process personal data primarily in Switzerland and in the European Economic Area (EEA). However, we can also export or transmit personal data to other countries, especially to process it there or have it processed.
We can export personal data to all countries on Earth and elsewhere in the universe, provided that the local law ensures adequate data protection according to the decision of the Swiss Federal Council and – to the extent that the General Data Protection Regulation (GDPR) is applicable – also according to the decision of the European Commission.
We can transmit personal data to countries whose laws do not ensure adequate data protection, provided that data protection is guaranteed for other reasons, especially based on standard data protection clauses or with other suitable guarantees. Exceptionally, we may export personal data to countries without adequate or suitable data protection if the specific data protection legal requirements are met, for example, the explicit consent of the affected persons or a direct connection with the conclusion or execution of a contract. We are happy to provide affected persons with information about any guarantees upon request or provide a copy of any guarantees.
9. Rights of affected persons
9.1 Data protection legal claims
We grant affected individuals all claims according to applicable law. Affected individuals have the following rights in particular:
Information: Affected individuals can request information on whether we process personal data about them, and if so, which personal data it concerns. Affected individuals also receive the information necessary to assert their data protection legal claims and to ensure transparency. This includes the processed personal data as such, but also information on the purpose of processing, the duration of storage, any disclosure or potential export of data to other countries, and the source of the personal data.
Correction and restriction: Affected individuals can correct inaccurate personal data, complete incomplete data, and request the restriction of the processing of their data.
Opportunity for own viewpoint and human review: Affected individuals can present their own viewpoint in decisions that are based solely on automated processing of personal data and that have legal effects for them or significantly affect them (automated individual decisions), and request a review by a human.
Deletion and objection: Affected individuals can have personal data deleted ('right to be forgotten') and object to the processing of their data with effect for the future.
Data access and data transfer: Affected individuals can request the release of personal data or the transfer of their data to another controller.
We may postpone, restrict, or deny the exercise of the rights of affected persons within the legally permissible framework. We may inform affected persons of any prerequisites that may need to be fulfilled for the exercise of their data protection rights. For example, we may refuse to provide information in whole or in part, citing confidentiality obligations, overriding interests, or the protection of other persons. We may also refuse the deletion of personal data, particularly citing legal retention obligations, in whole or in part.
We may exceptionally provide for costs for the exercise of rights. We inform affected persons in advance about any potential costs.
We are obliged to identify affected persons who request information or assert other rights with appropriate measures. Affected persons are obliged to cooperate.
9.2 Legal Protection
Affected persons have the right to enforce their data protection claims through legal channels or to file a complaint with a data protection supervisory authority.
The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (EDÖB).
European data protection supervisory authorities are organized as members of the European Data Protection Board (EDPB). In some member states in the European Economic Area (EEA), the data protection supervisory authorities are federally structured, particularly in Germany.
10. Use of the Website
10.1 Cookies
We may use cookies. Cookies – both first-party cookies and third-party cookies from services we use – are data stored in the browser. Such stored data do not have to be limited to traditional cookies in text form.
Cookies can be temporarily stored in the browser as 'Session Cookies' or for a specific period as so-called permanent cookies. 'Session Cookies' are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies allow, in particular, to recognize a browser on the next visit to our website and thus, for example, to measure the reach of our website. However, permanent cookies can also be used for online marketing.
Cookies can be fully or partially disabled, restricted, or deleted at any time in the browser settings. The browser settings often also allow for automated deletion and other management of cookies. Without cookies, our website may not be fully available. We request – at least to the extent required by applicable law – explicit consent for the use of cookies.
For cookies used for success and reach measurement or for advertising, a general objection ('Opt-out') is possible for numerous services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
10.2 Logging
We can log at least the following information for each access to our website and our other digital presence, provided that this information is typically determined or transmitted during such accesses to our digital infrastructure: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed individual subpage of our website including transmitted data volume, last accessed webpage in the same browser window (referrer).
We log such information, which may also represent personal data, in log files. The information is necessary to provide our digital presence permanently, user-friendly, and reliably. The information is also necessary to ensure data security – even through third parties or with the help of third parties.
10.3 Tracking Pixels
We can integrate tracking pixels into our digital presence. Tracking pixels are also referred to as web beacons. Tracking pixels – including those from third parties whose services we use – are usually small, invisible images or scripts formulated in JavaScript that are automatically retrieved when accessing our digital presence. Tracking pixels can capture at least the same information as logging in log files.
11. Notifications and Messages
11.1 Success and Reach Measurement
Notifications and messages may contain web links or tracking pixels that capture whether a single message has been opened and which web links were clicked. Such web links and tracking pixels may also capture the use of notifications and messages on a personal basis. We need this statistical capture of usage for success and reach measurement to effectively and user-friendly send notifications and messages based on the needs and reading habits of the recipients in a permanent, secure, and reliable manner.
11.2 Consent and Objection
You must generally consent to the use of your email address and other contact addresses, unless the use is permissible for other legal reasons. For obtaining a double-confirmed consent, we may use the 'Double Opt-in' procedure. In this case, you will receive a notification with instructions for the double confirmation. We may log obtained consents including IP address and timestamp for proof and security reasons.
You can generally object to receiving notifications and messages such as newsletters at any time. With such an objection, you can simultaneously object to the statistical collection of usage for success and reach measurement. Required notifications and messages related to our activities and operations remain reserved.
11.3 Service providers for notifications and messages
We send notifications and messages using specialized service providers.
We particularly use:
Brevo: Building and maintaining relationships with customers and users, particularly via email and instant messaging; provider: Sendinblue GmbH (Germany); data protection information: 'Data protection and data security', data protection declaration, 'Security and data protection'.
12. Social Media
We are present on social media platforms and other online platforms to communicate with interested persons and to inform about our activities and operations. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).
The General Terms and Conditions (GTC) and Terms of Use as well as Privacy Policies and other provisions of the individual operators of such platforms also apply. These provisions inform particularly about the rights of affected persons directly towards the respective platform, which includes, for example, the right to information.
For our social media presence on Facebook, including the so-called Page Insights, we are – insofar as the General Data Protection Regulation (GDPR) is applicable – jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta companies (among others in the USA). The Page Insights provide information about how visitors interact with our Facebook presence. We use Page Insights to effectively and user-friendly provide our social media presence on Facebook.
Further information on the type, scope, and purpose of data processing, information on the rights of affected persons, as well as the contact details of Facebook and the data protection officer of Facebook can be found in Facebook's privacy policy. We have concluded the so-called 'Addendum for Controllers' with Facebook and thus particularly agreed that Facebook is responsible for ensuring the rights of affected persons. For the so-called Page Insights, the corresponding information can be found on the page 'Information on Page Insights' including 'Information on Page Insights Data'.
13. Services from Third Parties
We use services from specialized third parties to carry out our activities and operations permanently, user-friendly, securely, and reliably. With such services, we can embed functions and content into our website. When embedding, the services used temporarily collect the IP addresses of users for technical reasons.
For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in an aggregated, anonymized, or pseudonymized manner. This includes, for example, performance or usage data in order to provide the respective service.
We use in particular:
Services from Google: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) partially for users in the European Economic Area (EEA) and in Switzerland; General information on data protection: «Handling of data protection & protective measures», privacy policy, «More information on how Google uses personal data», «Google is committed to complying with applicable data protection laws», «Guide to data protection in Google products», «How we use data from websites or apps where our services are used», cookie policy, «Advertising you can influence» (settings for personalized advertising).
13.1 Digital Infrastructure
We use services from specialized third parties to utilize the necessary digital infrastructure in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.
13.2 Automation and Integration of Apps and Services
We use specialized platforms to integrate and connect existing apps and services from third parties. We can also automate processes and activities with apps and services from third parties using such «no-code» platforms.
We use in particular:
Make: platform for the automation and integration of apps, services, devices, and systems; Provider: Celonis Inc. (USA); Information on data protection: privacy policy.
13.3 Scheduling
We use services from specialized third parties to schedule appointments online, for example for meetings. In addition to this privacy policy, any directly visible conditions of the services used, such as terms of use or privacy policies, also apply.
13.4 Map Material
We use services from third parties to embed maps into our website.
We specifically use:
OpenStreetMap (OSM): map service; provider: OpenStreetMap Foundation (United Kingdom); data protection information: privacy policy.
13.5 Digital Content
We use services from specialized third parties to integrate digital content into our website. Digital content includes, in particular, image and video material, music, and podcasts.
We specifically use:
Vimeo: video platform; provider: Vimeo Inc. (USA); data protection information: privacy policy, «Private Video Hosting».
YouTube: video platform; provider: Google; YouTube-specific information: «Data Protection and Security Center», «My Data on YouTube».
13.6 Documents
We use services from third parties to embed documents into our website. Such documents may include PDF files, presentations, spreadsheets, and text documents. We can enable not only viewing but also editing or commenting on such documents.
We specifically use:
Canva: digital documents; provider: Canva Pty Ltd (Australia); data protection information: privacy policy, «Trust», «Security at Canva», cookie policy.
Google Docs: documents, presentations, and spreadsheets; provider: Google; Google Docs-specific information: «Data protection in Google Docs, Google Sheets, and Google Slides».
13.7 E-Commerce
We operate E-Commerce and use third-party services to successfully offer services, content, or goods.
13.8 Payments
We use specialized service providers to process payments securely and reliably. The processing of payments is additionally subject to the legal texts of the individual service providers, such as General Terms and Conditions (AGB) or privacy statements.
We particularly use:
Adyen: Payment processing; provider: Adyen NV (Netherlands); data protection information: privacy statement, cookie policy.
Apple Pay: Payment processing; providers: Apple Inc. (USA) / Apple Distribution International Limited (Ireland); data protection information: privacy statement, «data protection regulation», «Apple Pay & data protection».
PayPal (including Braintree): Payment processing; providers: PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) / PayPal Pte. Ltd. (Singapore); data protection information: privacy statement, «statement on cookies and tracking technologies».
PostFinance: Payment processing; provider: PostFinance AG (Switzerland); data protection information: «Legal notices and accessibility», «data protection» (including privacy statements).
TWINT: Payment processing in Switzerland; provider: TWINT AG (Switzerland); data protection information: privacy statement, «security according to Swiss standards».
13.9 Advertising
We use the opportunity to display targeted advertising with third parties such as social media platforms and search engines for our activities and operations.
We want to reach individuals with such advertising, particularly those who are already interested in our activities and services or who might be interested (Remarketing and Targeting). For this purpose, we may transmit corresponding – possibly also personal – information to third parties that enable such advertising. We can also determine whether our advertising is successful, specifically whether it leads to visits to our website (Conversion Tracking).
Third parties where we advertise and where you as a user are registered may possibly associate your use of our website with your profile there.
14. Extensions for the Website
We use extensions for our website to utilize additional functions. We can use selected services from suitable providers or use such extensions on our own digital infrastructure.
15. Success and Reach Measurement
We try to measure the success and reach of our activities and services. In this context, we can also measure the impact of third-party notices or check how different parts or versions of our digital presence are used ("A/B testing" method). Based on the results of the success and reach measurement, we can particularly fix errors, strengthen popular content, or make improvements.
For success and reach measurement, in most cases, the IP addresses of individual users are recorded. In this case, IP addresses are generally shortened ("IP masking") to follow the principle of data minimization through the corresponding pseudonymization.
In measuring success and reach, cookies may be used and user profiles may be created. Any created user profiles may include, for example, the individual pages visited or content viewed on our digital presence, information about the size of the screen or browser window, and the – at least approximate – location. In principle, any user profiles are created exclusively in a pseudonymized manner and are not used to identify individual users. Individual services from third parties, where users are registered, may possibly associate the use of our online offerings with the user account or user profile at the respective service.
We use in particular:
Google Tag Manager: Integration and management of services from Google and third parties, particularly for measuring success and reach; provider: Google; Google Tag Manager-specific information: Privacy policy for Google Tag Manager; further information on data protection can be found with the individual integrated and managed services.
16. Video surveillance
We use video surveillance to prevent crimes, to secure evidence in the event of crimes, to exercise and assert our own legal claims, to defend against third-party legal claims, and to exercise our house rights. This involves – as far as and to the extent that the General Data Protection Regulation (GDPR) is applicable – predominantly legitimate interests according to Art. 6 para. 1 lit. f GDPR, with reference to particularly sensitive personal data according to Art. 9 para. 2 lit. f GDPR.
We store recordings from our video surveillance as long as they are necessary for securing evidence or another stated purpose.
We may secure recordings from our video surveillance and transmit them to responsible authorities, particularly courts or law enforcement agencies, if the transmission is necessary for a stated purpose, in our other legitimate predominant interest, or due to legal obligations.
17. Final notes on the privacy policy
We have created this privacy policy using the privacy policy generator from Privacy Partner.
We can update this privacy policy at any time. We will inform about updates in an appropriate manner, particularly by publishing the current privacy policy on our website.
