Data Privacy Statement of Cosa Travel Ltd with registered office at Utoquai 55, 8008 Zurich, Switzerland
1. Purpose of the Privacy Statement
1.1. With a view to Swiss data protection law (DSG) and – insofar as applicable – the European General Data Protection Regulation (GDPR), this data protection declaration sets out which personal data we process, how and for what purposes. To ensure a uniformly high level of data protection for our customers whose personal data we process, we have aligned this data protection declaration with the GDPR, provided and to the extent that the FADP does not provide for stricter rules in your favour. It is important to us that you are fully informed about the processing of your personal data. With this data privacy statement, we are therefore informing you how and why we collect, process and use your personal data. It is important to us that you understand:
- which personal data we collect and process about you
- when we collect your personal data
- for what purpose we use your personal data
- how long we keep your personal data
- who has access to your personal data
- what rights you have in relation to your personal data
1.2. You will find relevant information and explanations below. If you have any questions, please feel free to contact us at any time. You will find our contact details under margin no. 2.
2. Responsibilities for the Protection of your Data
2.1. The following company (“we” or, as the case may be, “us”) is responsible for data processing in accordance with this data protection declaration: Cosa Travel Ltd, Utoquai 55, 8008 Zürich
2.2. In certain cases we are not responsible, but another company:
- If you are in contact with a service provider, e.g. if you contact customer service, this company is responsible for this data processing – unless this data protection declaration provides otherwise for the processing in question.
- In certain cases, we pass on your personal data to other third parties so that they, as recipients, can process your personal data for their own purposes and not on our behalf. This can also include authorities and courts. In such cases, the respective recipient of your personal data is considered responsible. Further information can be found in this data protection declaration under margin no. 6.
3. What is “Personal Data” and what does “Processing” mean?
3.1. Data protection law regulates the processing of personal data. “Personal data” (or “da-ta related to a person”) is any information that can be linked to a specific natural person, i.e. to a human being. This may include, for example, the following information:
- Contact information (e.g. name, postal address, email address, telephone number);
- Other personal information (e.g. gender, birthday and age, marital status, nationality, hobbies, interests);
- Passport details etc.;
- Travel information such as travel dates, itinerary/destination, airline, hotel, price, customer requests, information about your fellow travellers, or information about fellow travellers;
- Health data (e.g. information about special health-related needs or illnesses and accidents during a trip);
- Financial information (e.g. payment information, credit card number, bank account information, creditworthiness, assets and income);
- Records of your visits to websites;
- Information you provide to us when communicating with us;
3.2. In addition, information that relates to a specific legal entity (e.g. information about a contract with a company) is also considered personal data. We generally collect your personal data directly from you, e.g. when you communicate with us or visit our website. However, they can also be collected indirectly, e.g. if a traveller sends us information about fellow travellers or if other people are mentioned in communication with us or through the purchase of additional information from third-party data sources (e.g. from social media or from address dealers). We do not necessarily process all of them in this margin. mentioned categories of personal data. Specific information on the personal data we process can be found under margin no. 5.
3.3. “Processing” (or “editing”) then means any handling of your personal data. This includes, for example, the following actions:
- The collection and storage
- The application and use
- Sharing and disclosure
- Deleting and destroying
4. Who and what is this privacy notice for?
This data protection declaration applies to our processing of personal data in all our business areas. You can find more information in our General Terms and Conditions (GTC). It is applicable to the processing of both personal data that has already been collected and future personal data. Additional data protection provisions may also apply to certain services. Our data processing may affect the following persons in particular (“data subjects”):
- People who write to us or otherwise contact us, or who are named in communications with us;
- People who book trips or events with us;
- Fellow passengers;
- Persons using other services from us or benefit from our services;
- Persons who use services from us;
- Visitors to our website and social media channels;
- Recipients of information and marketing communications;
- Contact persons of our suppliers, customers and other business partners;
- Job applicants;
5. What Personal Data do we process for what purposes?
Depending on the occasion and purpose, we process very different personal data. You will find more detailed information on this in this section and in our General Terms and Conditions (GTC). Among other things, we process personal data – possibly also sensitive personal data – in the following situations for the following purposes:
We process personal data when you contact us or we contact you, e.g. when you contact our Cosa team and when you write to us or call us. As a rule, information such as name and contact details and the content and time of the relevant notifications are sufficient for us. We use this data so that we can provide you with information or notifications, process your request and communicate with you, as well as for quality assurance and training. We also forward messages within the company to the responsible company departments or other companies affiliated with us, e.g. if your request concerns another company or its involvement in order processing.
5.2. Booking Travel and Events
We process personal data when you use our services, e.g. when you book a trip directly with us. In doing so, we process your personal data (in particular the information on trips mentioned in para. 3) e.g. in the context of processing the booking or for invoicing. We also collect and process personal data in connection with your creditworthiness and your shopping and payment behavior. For example, we use creditworthiness information to decide which payment terms we offer you. We also process information about your bookings to derive details about your preferences and affinities in order to optimize our offer and your trip. This information helps us to inform you specifically about other offers, to tailor our offer more closely to demand and to personalize the service.
5.3. Visiting Websites
5.4. Services for Analysis
5.5. Functions of other Providers
We may also include features from other providers, such as Metaverse, which may result in that provider receiving data about you. In most of these cases, however, we do not know the name of the website visitor.
5.6. Information and Direct Marketing
We process personal data (in particular your name and e-mail address) for marketing purposes or to send information and advertising messages. In the case of e-mails, we also process information about your use of the communications (e.g. whether you have opened an e-mail and downloaded images embedded in it) in order to tailor our offers more precisely to you and to be able to generally improve them. You can block the processing of usage data in your e-mail program if you do not agree to this. If you do not wish to receive informational or promotional communications, please contact us. You will also find a link in every informational and promotional e-mail with which you can unsubscribe.
5.7. Business Partner
We work with various companies and business partners, e.g. with airlines, transport companies, hotels, other service providers and providers, travel agencies, car and motorhome rental companies, etc., with cooperation partners and with service providers (e.g. IT service providers). We also process personal data about the contact persons in these companies for contract initiation and processing, for planning, for accounting purposes, for training purposes, for customer or supplier relationship management and for other purposes related to the contract (e.g. name, position, title and communication with us). Depending on the area of activity, we are also required to examine the company and its employees in more detail (e.g. through a security check). In this case, we collect and process further information. We can also process personal data to improve our customer orientation, customer satisfaction and customer loyalty.
We process personal data for our own administration and for internal group administration. We also process personal data for accounting and archiving purposes and generally for checking and improving internal processes.
5.9. Corporate Transactions
We may also process personal data to prepare and process company takeovers and sales and the purchase or sale of assets. The subject and scope of the data collected or transmitted depend on the stage and subject of the transaction.
5.10. Job applications
We also process personal data when you apply to us in order to check your suitability for the position in question, to talk to you about a possible employment and, if necessary, to prepare and conclude a contract. For this we usually need the usual information and documents mentioned in a job advertisement (e.g. application, marital status, children, residence status, curriculum vitae, knowledge and skills, interests, references, qualifications, certificates). This may also include personal data that is particularly worthy of protection (e.g. health data).
5.11. Compliance with legal requirements
We process personal data in order to comply with legal requirements (e.g. ensuring compliance with legal obligations including orders from a court or an authority, to ensure compliance and to detect and clarify misuse). This is the case, for example, when we receive and process complaints and reports, or when an authority requests documents containing your name and contact details, or conducts an investigation on our premises. It is also possible that we carry out internal investigations, during which your personal data can also be viewed and processed.
5.12. Protection of rights
We process personal data in different constellations in order to protect our rights, e.g. to assess claims from us, from affiliated companies, from employees or from contractual and business partners and, if necessary, in court or out of court and before authorities at home and abroad enforce or defend ourselves against claims. For example, we can have process prospects clarified or submit documents to an authority. We can process your personal data or pass it on to third parties at home and abroad, insofar as this is necessary and permissible.
6. Transfer of personal data to third parties
Our employees and third parties engaged by us to process the order have access to your personal data insofar as this is necessary for the purposes described and the work of the employees concerned. You act according to our instructions and are obliged to maintain confidentiality and secrecy when handling your personal data. We can also pass on your personal data to other companies within the Cosa Travel Group for group-internal administration and for various processing purposes. This means that your personal data can also be processed and linked with personal data from other companies in the Cosa Travel Group for the respective purposes. We can pass on your personal data to third parties if we want to use their services (“order data processors”). This includes, for example, services in the following areas:
- IT services (e.g. services in the areas of data storage (hosting), cloud services, sending e-mail newsletters, data analysis and processing).
- Business administration services (e.g. bookkeeping or asset management).
- By selecting the order data processors and by means of suitable contractual agreements, we ensure that data protection is also guaranteed by third parties throughout the processing of your personal data. Our order data processors are obliged to process personal data exclusively on our behalf and according to our instructions.
- It is also possible for personal data to be passed on to other companies (also) for their own purposes. In these cases, the recipient of the data is responsible un-der data protection law. This applies, for example, to the following cases: If you book travel with us, we pass on personal data to transport companies (e.g. train, ship, airlines), accommodation providers (e.g. hotels and guesthouses), local organizers (e.g. concert halls) depending on the subject of the booking or city guide) and other service providers (e.g. car and motorhome rental companies).
- Specific when traveling by air: At the request of the authorities of certain coun-tries, it may be necessary to transmit specific data about your journey to and from these countries for security and immigration reasons to these authorities. You au-thorize us or the respective airline to transmit personal data about you as a pas-senger, so-called “Passenger Name Record (PNR)” data, to these authorities for these purposes, insofar as this information is available. This includes e.g. your full name, date of birth, your full residential address, telephone numbers, information about your fellow passengers, date of booking/ticketing and intended travel date, all types of payment information, your travel status and itinerary, frequent flyer number, Information about your baggage, any PNR changes in the past. You acknowledge that this data can be transmitted to countries in which data protection does not correspond to the level of protection of Swiss data protection legislation (see paragraph 7).
- When we arrange a trip, we pass on personal data to the respective tour operator. Please note the data protection regulations of the respective tour operator.
- When considering or conducting transactions such as a business combination or the acquisition or sale of parts of a company or its assets, we may need to trans-fer personal data to another company in connection with this. In these cases we will inform you in good time and try to process as little personal data as possible.
- We can disclose your personal data to third parties (e.g. authorities in Switzerland and abroad) if this is required by law. We also reserve the right to process your personal data in order to comply with court orders and decisions or to assert or defend against legal claims or if we consider it necessary.
- We may share personal information about you with former employers if you apply to us and have consented to reference information, or to prospective employers if you apply for a new job and we are authorized to provide reference information.
- If we transfer claims against you to other companies (e.g. a collection agency) or commission such companies to assert them.
7. Disclosure of personal data abroad
7.1. The recipients of your personal data (see paragraph 6) can also be located abroad. The countries concerned may not have laws that protect your personal data to the same extent as in Switzerland or in the EU or EEA. If we transfer your personal data to such a state, we are obliged to ensure the protection of your personal data in an appropriate manner. One way to do this is to conclude data transmission contracts with the recipients of your personal data in third countries, which ensure the necessary data protection. These include contracts that have been approved, issued or recognized by the competent authorities, so-called standard contrac-tual clauses. Transmission to recipients who are subject to the so-called “US Privacy Shield Program” is also permitted. In addition, we can assume that you have consented to the trans-fer of data abroad, even if there is no adequate protection of your personal data in the respec-tive recipient country, if and to the extent that this is necessary for order processing (e.g. passing on health data to your mountain guide in Tibet). Please contact us if you require de-tailed information. In exceptional cases, the transfer to countries without adequate protection is also permitted in other cases.
8. Privacy measures
We take appropriate security measures of a technical nature (e.g. encryption, pseudonymization, logging, access restriction, data backup, etc.) and organizational nature (e.g. instructions to our employees, confidentiality agreements, checks, etc.) to protect the security of your personal data to protect them against unauthorized or unlawful pro-cessing and to counteract the risk of loss, unintentional modification, unintentional disclosure or unauthorized access. However, security risks cannot generally be ruled out entirely; certain residual risks are mostly unavoidable.
9. Retention period
We store your personal data for as long as it is necessary for the specific purpose for which we collected it, usually at least for the duration of the contractual relationship in the case of contracts. We also store personal data if there is a legal obligation to do so or if we have a legitimate interest in storing it. This can be the case in particular if we need personal data to enforce or ward off claims, for archiving purposes, to ensure IT security or if limitation periods for contractual or non-contractual claims are running. A statute of limitations of 10 years, for example, often applies, in some cases 5 years or one year. We also store your personal data as long as they are subject to a statutory retention obligation. For example, a ten-year retention period applies to certain data. Short retention periods apply to other data (e.g. for recordings from video surveillance or for recordings of certain processes on the Internet [log data]). After the specified periods have expired, we will delete or anonymize your personal data.
10. Your rights in connection with the processing of your personal data
You can object to data processing at any time (e.g. in the case of data processing in connection with direct advertising [e.g. against advertising e-mails]). You also have the following rights:
a. Right to information: You have the right to request access to your personal data stored by us at any time if we are processing it. This gives you the opportunity to check which personal data we process about you and that we use it in accordance with the applicable data protection regulations.
b. Right to rectification: You have the right to have incorrect or incomplete personal data rectified and to be informed of the rectification. In this case, we will inform the recipients of the data concerned about the adjustments made, unless this is impossible or involves disproportionate effort.
c. Right to deletion: You have the right to have your personal data erased under certain circumstances. In individual cases, the right to erasure may be excluded.
d. Right to restriction of processing: Under certain conditions, you have the right to demand that the processing of your personal data be restricted.
e. Right to data portability: Under certain circumstances, you have the right to receive from us, free of charge, the personal data that you have provided to us in a readable format.
f. Right of appeal: You have the right to lodge a complaint with a competent supervisory authority against the way your personal data is processed.
g. Right of withdrawal: In principle, you have the right to withdraw your consent at any time. However, processing activities based on your consent in the past will not become unlawful as a result of your revocation.
11. Principles of data processing
When processing your personal data, we rely in particular on the following principles:
– The performance of a contract with the data subject or for pre-contractual measures at their request;
– Legitimate Interests: This includes our own legitimate interests and the interests of third parties. They are very diverse and include, for example, interest
a. in good customer care, maintaining contacts and other communication with customers outside of a contract. In advertising and marketing activities, also to get to know our customers and other people better;
c. improve products and services and develop new ones;
d. in the group-internal administration and the group-internal traffic, which is necessary in a group with work-sharing cooperation;
e. in the fight against fraud and the prevention and investigation of crime;
f. protecting our customers, employees and other people and data, se-crets and assets or those of our affiliated companies;
g. in ensuring IT security, especially in connection with the use of web-sites, apps and other IT infrastructure;
h. in ensuring and organizing business operations, including the operation and further development of websites and other systems;
i. in corporate governance and development;
j. in the sale or purchase of companies, parts of companies and other assets;
k. in the enforcement or defense of legal claims; and in compliance with Swiss law and internal rules; to consent if we ask you for consent separately;
A requirement for legal compliance. As a rule, there is no obligation to disclose personal data to us, unless you have a contractual relationship with us that justi-fies such an obligation. However, we will have to collect and process the personal data that is necessary or required by law for the establishment and processing of a contractual relationship and for the fulfillment of the associated obligations and protection of rights. Otherwise we cannot conclude or continue the contract in question. The processing of certain data is also mandatory when using websites. You can prevent cookies here (you will find further information on this in this data protection declaration). However, the logging of certain (usually but not personal data such as your IP address) cannot be prevented for technical reasons. When communicating with us, we must at least process the personal data that you transmit to us or that we transmit to you. If you provide us with personal data, you must ensure that this personal data is correct, complete and truthful. Under certain circumstances, you may also want or have to send us personal data from third parties (e.g. from fellow travelers). We would like to point out that in this case you are obliged to inform the persons concerned in advance about this data transfer and about this data protection declaration, to obtain their consent and to ensure the correctness of the personal data concerned.
12. Changes to this privacy statement
This privacy statement may be amended over time, particularly when we change our da-ta practices or when new legislation becomes applicable. In general, the data protection declaration applies to data processing in the version current at the start of the relevant processing.
Only the German version Datenschutzerklärung Cosa Travel Ltd is valid, all translations like this Data Privacy Statement Cosa Travel Ltd are not considered a valid version and also cannot be used to interpret the contractual agreements made in German.