Data Protection Policy

This Data Protection Policy applies to Ferrovia Luganesi SA (FLP), via Stazione 8, 6982 Agno

The processing carried out by Ferrovia Luganesi SA (FLP) is performed in compliance with the principles of fairness, lawfulness, transparency, and protection of confidentiality and the rights of each website user.
This Data Protection Policy provides an overview of how data collected through the website www.flpsa.ch is processed and on the rights of each data subject, in accordance with the applicable data protection laws and regulations.

Public transport companies manage customer data on a basis of trust.

The protection of personal rights and privacy is very important for us as public transport companies. We ensure that personal data is processed in accordance with the law and in line with the applicable provisions of data protection law.

With the following principles, public transport companies open a new way of managing data based on trust.

You decide how your personal data is processed.

You may refuse data processing at any time within the legal framework or revoke your consent, or request deletion of your data. You always have the possibility to travel anonymously, so without the collection of your personal data.

We provide added value in the processing of your data.

Public transport companies use your data exclusively in the context of providing services and to offer you added value along the mobility chain (e.g. tailored offers and information, assistance or compensation in the event of disruption). Your data is therefore only used for the development, provision, optimization and evaluation of our services or for customer relationship management.

Your data is not sold.

Your data will only be shared with selected third parties listed in this Data Protection Policy and only for the purposes expressly stated. Where we entrust data processing to third parties, they are contractually obliged to comply with our standards under data protection law.

We guarantee security and protection of your data.

Public transport companies ensure careful management of customer data as well as the security and protection of your data. We implement the necessary technical and organizational measures for this purpose.

Contents

Who is responsible for data processing?

Why do we collect personal data?

Which data is stored and for what purpose is it used?

How long is data stored?

Where is data stored?

Which data is processed in relation to marketing activities?

Which data is processed for market research purposes?

What are the rights in relation to personal data?

What does “joint responsibility” mean?

Is personal data transmitted to third parties?

How are tracking tools used?

What are cookies and when are they used?

Data security

Who is the data controller?

FLP is the controller of personal data. As a public transport company, we are legally obliged to provide the so-called Direct Services (DS). To this end, certain data is exchanged between transport companies (TC) and public transport communities, as well as with third parties that distribute the public transport (PT) range, and it is stored centrally in databases operated jointly by all TCs and public transport communities. We are therefore responsible for individual data processing activities together with these TC and communities. More information on individual data processing activities can be found in the section “What does joint responsibility in public transport mean?”.
For questions and suggestions regarding data protection, you can contact us at any time: referente.privacy@flpsa.ch

Why do we collect personal data?

We are aware of how important careful and responsible management of personal data is for individuals. All data processing activities are carried out only for specific purposes, such as technical or contractual needs, legal requirements, overriding interests, legitimate reasons, or based on your explicit consent (meaning the interested person). More detailed information on which data is processed and for which purposes is provided in the following sections.

Which data is stored and for what purpose is it used?

Purchase of services

For contractual reasons, the acquisition of the customer’s personal data is necessary in order to finalise the purchase of certain products and services, to provide our services and to establish the contractual relationship (e.g. purchase of a subscription). Within the framework of the purchase of personalised services we collect the following data depending on the product or service, where mandatory data are marked with an asterisk (*) in the corresponding form:

Personal photo

First and last name and full date of birth

Postal address and email address of the purchaser or traveler

Telephone number

Means/method of payment

Name, surname, and curator’s mandate document (in case of curatorship)

Acceptance of General Terms and Conditions (GTC)

In order to establish the contractual relationship, we also collect data relating to the services purchased (“service data”). This includes – depending on the product or service – the following data:
type of product or service purchased;

price;

place, date and time of purchase;

purchase channel (Internet, vending machine, sales counter, etc.);

date of travel or duration of validity and time of departure;

place of departure and destination.

The legal basis for these data processing activities is the overriding interest and the need to execute a contract.
Where EU Regulation 679/2016 (GDPR) applies, the legal basis for processing is legitimate interest and the need to execute a contract.

Park & Ride (P+R) subscriptions purchase

For the purchase of tickets granting access and use at the P+R, we collect the following data

personal data:

Personal photo (passport size)

First and last name

Employer and address

Contact details

Address

License plate number

Name, surname, and curator’s mandate document (in case of curatorship)

Payment method

The legal basis for these data processing activities is the overriding interest and the need to execute a contract.
Where EU Regulation 679/2016 (GDPR) applies, the legal basis for processing is legitimate interest and the need to execute a contract.

Use of Internet presence – browsing data [www.flpsa.ch]:

When visiting our Internet pages, our hosting provider ticino.com temporarily records each access in a log file. For more information, please visit page: https://ticino.com/protezione-dati/

Use of the form Request for authorisation to work near the railway:

When filling in the authorisation request, the following personal data must be provided:

surname and first name

telephone number

e-mail address

map number

We use this data and other freely given data only to respond to the request for authorisation.

The legal basis for these data processing activities is the overriding interest.

Where EU Regulation 679/2016 (GDPR) applies, the legal basis for processing is legitimate interest.

Use of our App “FLP Real Time”

During the use of our app, the servers of our hosting provider temporarily record each access in a log file. The following technical data is collected:

IP address

date and time of access

searches carried out (time, general search functions, etc.)

The collection and processing of this data is carried out solely for internal purposes of statistics, which allow us to optimise our offer. Furthermore, in this way we can customise our pages according to target groups, i.e. include targeted information and content that may be of interest to the user.

Telephone contact with our switchboard:

In the event of telephone contact with our switchboard, only the telephone number of the caller, the date, time and duration of the call will be recorded. Data processing is carried out solely for statistical purposes and, more specifically, for the purpose of gathering information on the company’s activities in order to improve the services offered.

The legal basis for these data processing activities is the overriding interest and the need to execute a contract, if the contact is aimed at the conclusion of the contract.

If EU Regulation 679/2016 (GDPR) is applicable, the legal basis for processing is legitimate interest and the need to execute a contract.

Creation of a SwissPass customer login/account at www.swisspass.ch:

It is possible to create a customer account on swisspass.ch. To do so, you will need the following data:
surname and first name

date of birth

address (street, postcode, town and country)

customer number (if you already have a public transport pass)

e-mail address and password (login data)

Registration gives you the opportunity to use your login details (known as SwissPass login) to access numerous online services (webshop and app) offered by public transport companies and communities and to purchase these services without having to go through a lengthy additional registration process each time. Services purchased using the SwissPass login (in particular public transport tickets/travelcards) are recorded in the user account and in a central database (‘DS database’). These data processing activities are necessary for the performance of the contract on the use of the SwissPass and are therefore based on this legal basis. Further information on this can be found in the sections on joint responsibility in public transport and on disclosure to third parties in this data protection policy, as well as in the data protection policy at swisspass.ch.

Voluntary sending of data to the e-mail address on the site:

The optional, explicit and voluntary sending of electronic mail to the addresses indicated on this site, entails the subsequent acquisition of the sender’s address, which is necessary to reply to requests, as well as any other personal data included in the message.

The legal basis for these data processing activities is the overriding interest and possibly the need to execute a contract.

If EU Regulation 679/2016 (GDPR) is applicable, the legal basis for the processing is legitimate interest and possibly the need to execute a contract.

If you are interested in one of the job positions listed in the ‘Work with us’ section, if you send your CV by email as an attached file, this, together with any further information you provide will be processed by FLP in order to evaluate your application.

If the application is unsuccessful, such personal data will be deleted seven days after receipt of the application.
The legal basis for these data processing activities is the overriding interest and the need to implement an employment relationship in the event of a successful application.

Customer satisfaction questionnaire:

The personal data and the answers to the questions collected by means of the questionnaire, accessible by means of printed postcards and posters bearing a QR code leading to the survey, are processed by the Controller with the sole objective of measuring the degree of satisfaction of Users with respect to the use of FLP’s services, in order to further improve the Services and Products offered by the company to its customers.

The filling in of the questionnaire is in any case entirely optional, therefore the failure
to communicate the data to FLP through questionnaire does not entail any type of consequence for the Users.

The processing of Data for the above-mentioned purposes does not require specific consent as it is necessary to execute the User’s free consent to fill in the questionnaire, for the sole purpose of assessing the quality of FLP’s services and for the pursuit of a preponderant interest of the Data Controller.

The questionnaire is anonymous, but if the User wishes to participate in the prize draw
indicated in the questionnaire (optional participation) he/she will be required to indicate his/her e-mail address. In such cases, the personal data acquired (e-mail) will be immediately removed from the process of statistical analysis of User satisfaction and will be used by FLP personnel, duly authorised, exclusively to allow the User to participate in the prize draw, in accordance with the Terms of the Competition.

Personal data (e-mails) will be stored for the period of time necessary to pursue the stated purposes and in any case no longer than 30 days.

How long is data stored?

We only retain personal data for as long as is necessary to provide the services requested or for which consent has been given, within the limits set out in this Data Protection Notice;

to use the tracking services (cookies) mentioned in this Data Protection Notice as part of our legitimate interest.
Contractual data are retained for the time prescribed by the retention obligations by law. The retention obligations that require us to retain the data arise from the provisions on the preparation of accounts and the provisions of tax law. This data will be blocked when we no longer need it for the provision of services. This means that the data may then only be used to fulfil our obligations of conservation.

Where is data stored?

In principle, data is stored in databases in Switzerland. In some cases listed in this Data Protection Notice, however, data are also transferred to third parties that are based outside Switzerland. If the country concerned does not have an adequate level of data protection, we ensure that the data is protected in an appropriate manner at such companies by concluding contractual clauses with these companies.

What are the rights in relation to personal data?

You are granted the following rights in connection with your personal data:

Request information on saved personal data.

Request the rectification, supplementation, blocking or deletion of personal data. If legal impediments stand in the way of deletion, the data will be blocked (e.g. by virtue of statutory retention obligations).

Object to the use of data.

Withdraw consent at any time with effect in the future.

Request data portability.

To exercise the above rights, simply:

write to the e-mail address: referente.privacy@flpsa.ch.

If you would like information on data processing in the context of the report “on co-ownership in the PTs’ “ or a deletion of your personal data at the level of all PTs in accordance with the law on data protection, you may apply in writing to SBB. The request for information or deletion should be addressed to:

SBB AG, Law and Compliance,
Data Protection specialized service,
Hilfikerstrasse 1,
3000 Bern 65.

In addition, you are granted the right to file a complaint at any time with a data protection authority.

What does “joint responsibility in public transport” mean?

FLP is the controller of personal data. As a public transport company, we are obliged
by law to provide certain transport services together with other transport companies and
communities (“Direct Transport”, Sections 16 and 17 of the Passenger Transport Act). To this end, for example, data obtained from the contacting or purchasing of services are transmitted to national level within the National Direct Service (NDS), a union of more than 240 public transport companies (TC) and public transport communities. The individual TC and communities are listed here.

The data are stored in the central NOVA (network-wide PT interface) database, which is managed by SBB on behalf of the NDS and for which we are responsible together with the other NDS companies and communities. NOVA is a technical platform for the distribution of public transport offers. It contains all central elements for the sale of public transport services, such as for example the customer database. Access to the common database by the individual transport and community companies is governed by a collective agreement. The transmission linked to central storage and data processing by the transport companies and communities are limited to the following purposes:

Provision of transport services

In order for the journey to run smoothly, data on journeys and purchases are transmitted internally to the NDS.

Execution of contracts

This data is processed for the purpose of initiating, managing and executing contractual relationships.

Customer relationship management and customer care

The data is processed for purposes related to customer communication, in particular for answering questions and exercising rights, as well as to identify customers across PTs and to assist them in the best possible way in the event of queries or difficulties, as well as to process any claims for damages.

Control of transport tickets and revenue assurance

Customer and subscription data are requested and processed for the purpose of securing revenue (checking validity of tickets or reductions, collection, combating misuse).

The national register of unticketed travellers can be used to register cases of journeys without a valid ticket or with a partially valid ticket.

Revenue sharing

The Alliance SwissPass Secretariat, led by ch-integral, fulfils the legal mandate defined in the Federal Act on the Transport of Passengers to collect travel data for the purpose of a correct revenue sharing. In this context, the secretariat acts as an agent for revenue sharing in the National Direct Service on behalf of the NDS member companies.

Identification within the scope of SwissPass login authentication (SSO)

In the case of services purchased using the SwissPass login, the data will be stored in the central customer database (NOVA). In order to enable the so-called Single Sign-On (SSO) (a single login for all applications that offer the use of their services with the SwissPass login), within the scope of authentication, the login, card, customer and service data mentioned are exchanged between us and the central SwissPass login infrastructure.

Joint marketing and market research activities

Furthermore, in certain cases, data collected when purchasing PT services are also processed for marketing purposes. If consent has been given and processing or contact for this purpose takes place this will in principle only be done by the TC or community from which the corresponding PT service was purchased. A processing or contact by the other TC and communities participating in the NDS will only take place in exceptional cases and in compliance with strict rules, and only if an analysis of the data shows that a particular public transport service could bring added value to the customer. An exception is the processing and contacting by SBB. SBB handles the marketing mandate for the NDS’s services (e.g. GS and half-price) on behalf of the NDS, and in this role they can make regular contact with customers. In addition, they process customer data for market research purposes, to improve our performance and for product development.

Further development of PT systems with anonymous data

Data are analysed anonymously in order to further develop the global PT system in a needs-oriented manner.

Customer information

In the case of cross-border travel, we will inform you by e-mail or SMS about the upcoming trip and any delays or cancellations. You can unsubscribe from such notifications. In the case of group travel we inform you by SMS about group bookings and any delays or cancellations. When booking a group trip, you can choose whether or not receive such notifications.

Are personal data passed on to third parties?

We do not sell the personal data we process. A transfer of personal data to third parties therefore only takes place with selected service providers and only to the extent necessary for the provision of the service. This is the case, for example, with IT service providers, subscription card issuers, shipping service providers (e.g. Swiss Post), service providers entrusted with the allocation of traffic revenues among the transport companies concerned (in particular within the framework of the creation of so-called allocation keys in accordance with the Federal Law on Passenger Transport), our hosting providers (see the section ‘Use of the presence on Internet’) and the providers mentioned in the sections on tracking tools and advertising space. With regard to service providers based abroad, please also consider the information in the section “Where data is stored”.

Furthermore, a transfer of personal data may take place if we are legally obliged to do so or if this is necessary for the exercise of our rights, in particular our claims arising from the relationship with you.

In the case of cross-border travel bookings, a transmission to the respective foreign providers will therefore also take place. However, this will only take place to the extent necessary for checking the validity of tickets and for the prevention of abuse.

The basis for the data processing activities mentioned here is our legitimate interest.

Personal data will not be disclosed to third parties outside of public transport. The only exceptions are (to the extent described below) SwissPass partners and companies that have been granted authorisation to mediate public transport services on the basis of a contractual agreement. These intermediaries will have access to the personal data if you intend to purchase a public transport service through these intermediaries and you have granted them access authorisation. Even in this case, their access to the data will be limited to the extent necessary to establish whether you already have tickets or subscriptions for the planned travel period that are relevant to the trip and to the third-party service requested by the data subject. The basis for such data processing activities is therefore consent, which may be revoked at any time with effect for the future.

If the person concerned makes use of the offers of a SwissPass partner by virtue of the use of his/her ownSwissPass, the data relating to any services purchased from us (e.g. a GS, half-fare or community route subscription) may be forwarded to the partner SwissPass in order to check whether the person concerned can take advantage of a specific offer of the SwissPass partner (e.g. discount for GA travelcard holders). In the event of loss, theft, misuse or forgery or replacement of the card after the purchase of a service, the partner concerned shall be informed. These data processing activities are necessary for the execution of the contract on the use of the SwissPass and are therefore based on this legal basis. Further information can be found in the Data Protection Notice on swisspass.ch and in the Data Protection Notice of the respective SwissPass partner.

What are cookies and when are they used?

Cookies are lines of text acting as computer markers sent by a server (in this case, that of the Website) to a user’s device (generally to the Internet browser) at the time when the user accesses a given page of a website; cookies are stored automatically by the user’s browser and retransmitted to the server that generated them each time the user accesses the same Internet page.

In this way, for example, cookies allow and/or facilitate access to certain Internet pages in order to improve the user’s navigation (i.e. allow the storage of visited pages and other specific information, etc.), or in some cases allow profiling activities.

For more information on cookies, please read the relevant Cookie Policy Data security.

Safety of data

We take appropriate technical and organisational security measures to protect the personal data stored with us from misuse, partial or complete loss and from access by unauthorised third parties. Our security measures are constantly updated in line with technological progress.

We also take data protection within the company very seriously. Our in-house staff and external service providers commissioned by us are subject to confidentiality and compliance with data protection regulations.

We take appropriate security measures to protect data. However, the transmission of information via the Internet and other electronic means always involves certain risks, therefore we cannot provide any guarantee for the security of information transmitted in this way.

Changes to the Data Protection Notice

FLP reserves the right to change or simply update the content of this Notice, in part or in full, including due to changes in applicable law. Such changes will be binding as soon as they are published on the Website. If the User continues to access or use the service after such publication, it is assumed that they have expressly accepted these changes. FLP therefore invites the User to regularly visit this section to take cognizance of the most recent and updated version of the Policy in order to be always up to date on the data collected and FLP’s use thereof.

Last update:
28 July 2025