1 Data privacy statement
The Flughafen Zürich AG (hereinafter referred to as "Zurich Airport") website is subject to Swiss data pro-tection law, especially in accordance with the Federal Act on Data Protection (FADP) and any applicable foreign data protection legislation such as the European Union’s General Data Protection Regulation (GDPR). The EU acknowledges that Swiss data protection law ensures appropriate data protection.
Access to our website is by transport encryption (SSL/TLS).
We very much welcome your interest in our company. Data privacy is extremely important to us. Zurich Airport websites can in principle be used without providing any personal data. If persons affected wish to avail themselves of particular services of the company via our website, however, it may become necessary to process their personal data. If the processing of personal data is necessary but there is no statutory basis for it, we generally obtain the consent of the person affected.
Personal data such as the name, address, e-mail address or telephone number of a person affected is always processed in accordance with statutory data protection rules. With this data privacy statement the compa-ny wishes to inform the public of the nature, extent and purpose of the personal data that we gather, use and process. Furthermore this data privacy statement explains the rights of persons affected to them.
As an entity responsible for processing, Zurich Airport has implemented numerous technical and organisa-tional measures to protect the personal data processed via this website to the maximum possible extent. In principle, however, internet-based data transfers may suffer from security loopholes, so total protection cannot be guaranteed. This is why any person affected is free to transfer personal data to us by alternative channels – by phone, for example.
Zurich Airport’s data privacy statement is based on the terms used by the European regulator and issuer of directives when enacting the General Data Protection Regulation (GDPR). Our data privacy statement must be easy to read and intelligible to the public, our customers and our business partners. To this end we shall now explain the terms used.
The terms used in this data privacy statement include the following:
a) Personal data
Personal data are all information relating to an identified or identifiable natural person (hereinafter re-ferred to as the "person affected"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, econom-ic, cultural or social identity of that natural person.
b) Person affected
A person affected is any identified or identifiable natural person whose personal data are processed by the entity responsible for processing.
Processing is any process carried out with or without the aid of automated procedures or any series of such processes in connection with personal data such as gathering, recording, organisation, sorting, storage, ad-justment or amendment, selection, retrieval, use, disclosure by transmission, dissemination or other form of provision, reconciliation, linking, restriction, deletion or destruction.
d) Restriction of processing
The restriction of processing is the flagging of stored personal data with the objective of restricting its future processing.
Profiling is any automated processing of personal data in which they are used to evaluate certain personal factors relating to natural persons, especially with regard to analysing or predicting their performance, eco-nomic situation, health, personal predilections, interests, reliability, conduct, place of residence or reloca-tion.
Pseudonymisation is the processing of personal data in a way in which they can no longer be associated with a specific person affected without referring to additional information, provided this additional information is preserved separately and is subject to technical and organisational measures ensuring that the personal data cannot be associated with an identified or identifiable natural person.
g) Responsible entity or entity responsible for processing
The responsible entity or entity responsible for processing is the natural person or legal entity, authority, agency or other body that decides on the purposes and means of processing personal data either alone or jointly with others.
A processor is a natural person or legal entity, authority, agency or other body that processes personal data on the instructions of the responsible entity.
A recipient is a natural person or legal entity, authority, agency or other body to which personal data are disclosed, regardless of whether or not it is a third party.
j) Third party
A third party is a natural person or legal entity, authority, agency or other body other than the person af-fected, the responsible entity, the processor and persons authorised on the direct responsibility of the re-sponsible entity or the processor to process personal data.
Consent is any informed, unequivocal statement of intent made voluntarily by persons affected for the case in point in the form of a declaration or other unambiguous affirmative act intimating that they agree to the processing of the personal data relating to them.
3 Name and address of the entity responsible for processing
Enquiries to the data protection officer from supervisory authorities or persons affected are generally sent by e-mail, but they can also be mailed to:
Flughafen Zürich AG
We have a data protection representative in the EU as an initial contact point for supervisory authorities and persons affected with regard to all questions in connection with EU data protection law, who can also be contacted either by e-mail or post:
VGS Datenschutzpartner UG
Am Kaiserkai 69
4 Information that you give us
This is information about you that you give us by:
- completing forms on our website (or other forms that we ask you to complete)
- giving us a business card (or similar)
- corresponding with us by phone, post, e-mail or otherwise
This may include your name, address, e-mail address and telephone number, information on your business relationship with us and information on your profession, background and interests.
5 Other information
We may also obtain certain information from other sources. For example:
- If we have a business relationship with the organisation you represent, your colleagues or other business contacts may give us information about you such as your contact details or details of your role in the business relationship.
- Sometimes we gather information from third-party providers or publicly accessible sources to com-bat money laundering, for background checks and for similar purposes in order to protect our busi-ness and comply with our statutory and regulatory obligations.
Users can at any time permanently prevent cookies from being set by our website by changing their internet browser settings. Furthermore cookies already placed can be deleted at any time using an internet browser or other software programs. Tracking pixels can be blocked at any time in the internet browser settings or with corresponding browser extensions. This is possible in all common internet browsers. If the person af-fected deactivates cookie settings and blocks tracking pixels, not all functions on our website may be fully usable.
7 Recording general data and information
The Zurich Airport website records a series of general data and information every time it is visited by a per-son affected or an automated system. These general data and information are stored in the server’s log files. The following details can be recorded: (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system arrives at our website (called the referrer), (4) the subpages visited on our website by an accessing system, (5) the date and time of an access to the website, (6) an internet protocol address (IP address), (7) the accessing system’s internet ser-vice provider and (8) other similar data and information serving to protect our IT systems from attacks.
When using these general data and information, Zurich Airport draws no conclusions about the person af-fected. Instead this information is required (1) to deliver our website content correctly, (2) to optimise our website content and the advertising for it, (3) to safeguard the long-term functionality of our IT systems and our website’s technology and (4) to provide law enforcement agencies with the information they need in the event of a cyberattack. These data and information are gathered anonymously, and are therefore analysed statistically by Zurich Airport with the objective of increasing data protection and data security within the company – in order ultimately to achieve an optimum level of protection for the personal data that we pro-cess. The anonymous data in the server log files are stored separately from all personal data provided by a person affected.
8 Registering on our website
Persons affected have the option of registering on the website of the entity responsible for processing, providing their personal data. Which personal data are transmitted to the entity responsible for processing depends on the input screen used for registration. The personal data input by the person affected are gath-ered and stored solely for the internal use of the entity responsible for processing and for its own purposes. The entity responsible for processing can pass the data to one or more processors, for example a package service provider who also uses the personal data solely for internal use attributable to the entity responsible for processing.
Registering on the website of the entity responsible for processing also stores the IP address allocated to the person affected by the internet service provider (ISP), and the date and the time of registration. These data are stored against the backdrop of the fact that this is the only way to prevent the misuse of our services, and if offences are committed these data make it possible to investigate them. To this extent the storage of these data is necessary to safeguard the entity responsible for processing. These data are not passed to third parties unless there is a statutory obligation to do so or it serves the purposes of criminal prosecution.
By registering and voluntarily providing personal data, the person affected enables the entity responsible for processing to offer the person affected content and services that in the nature of things can only be offered to registered users. Registered persons are free at any time to alter the personal data they provided when registering, or to have it entirely deleted from the database of the entity responsible for processing.
The entity responsible for processing gives persons affected on request at any time information on what personal data on them are stored. The entity responsible for processing also corrects or deletes personal data on request by the person affected, unless they are subject to preservation obligations. All the employ-ees of the entity responsible for processing are at the disposal of the person affected as contacts in this con-nection.
9 Newsletter subscriptions
Users of our Zurich Airport website have the option of subscribing to the company’s various Newsletters. Which personal data are provided to the entity responsible for processing when ordering Newsletters is a function of the input screen used for the purpose.
At regular intervals Zurich Airport notifies its customers, business partners and interest group representa-tives in its Newsletters of the company’s offers and other operating issues. The person affected can in prin-ciple only receive a company Newsletter if the person affected (1) has a valid e-mail address and (2) registers for its despatch. For legal reasons a confirmation e-mail is sent to the e-mail address entered by persons affected when they first subscribe. This is known as the double-opt-in procedure. This confirmation e-mail serves to verify whether the holder of the e-mail address as the person affected has authorised the despatch of the Newsletter.
When users subscribe to a Newsletter we also store the IP address allocated by the internet service provider (ISP) to the computer system of the person affected at the time of the registration, as well as the date and time of the registration. These data have to be gathered in order to be able to trace the (possible) misuse of the e-mail address of a person affected at a later time, and it therefore serves as legal protection for the entity responsible for processing.
The personal data gathered in the course of registering for Newsletters are used solely for their despatch. Furthermore subscribers to Newsletters could be sent information by e-mail if necessary for the operation of the Newsletter service or if registration is necessary, as could be the case in the event of changes to the range of Newsletters or following a change to technical circumstances. Personal data gathered in connec-tion with the Newsletter service is not passed to third parties. Subscriptions to our Newsletters can be can-celled by the person affected at any time. Consent to the storage of personal data given to us by the person affected for the despatch of Newsletters can be revoked at any time. Every Newsletter contains a link for the purposes of revoking consent. There is also the option of directly unsubscribing from the Newsletter on the website of the entity responsible for processing, or notifying the entity responsible for processing of this in some other way.
10 Newsletter tracking
Zurich Airport Newsletters contain what are known as tracking pixels. A tracking pixel is a miniature graphic that is embedded in e-mails sent in the HTML format in order to facilitate a log file record and a log file analysis. This enables a statistic analysis of the success (or lack of it) of online marketing campaigns to be conducted. The embedded tracking pixel enables Zurich Airport to recognise whether and when an e-mail of a person affected has been opened and which links in the e-mail were activated by the person affected.
Such personal data gathered via the tracking pixels contained in the Newsletters are stored and analysed by the entity responsible for processing in order to optimise the despatch of Newsletters, and also to ensure that future Newsletter content better reflects the interests of recipients. These personal data are not passed to third parties. Persons affected are entitled at any time to revoke the consent they gave in the separate double-opt-in procedure. Following a revocation these personal data are deleted by the entity responsible for processing. Zurich Airport automatically interprets unsubscribing from the Newsletter as revocation.
Zurich Airport employs the services of Schober Information Group (Schweiz) AG, Theaterstrasse 17, CH-8400 Winterthur to despatch and track its Newsletters.
11 Contact option via the website
In accordance with statutory regulations the Zurich Airport website contains information – including a gen-eral e-mail address – enabling the user to make rapid electronic contact with the company and communi-cate with us directly. If contact is made with the entity responsible for processing by e-mail or using a con-tact form, the personal data provided are automatically stored. The IP address is also recorded for security reasons. Personal data voluntarily supplied to the entity responsible for processing are stored for the pur-poses of processing or contacting the persons affected. They are not passed to third parties.
12 Use of Google Analytics
We use the Google Analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA. This is a tool enabling website use to be analysed. Google Analytics employs various tech-niques, including placing cookies on your computer to store information on the use of our site that we then use to improve it.
As a rule the cookies used by Google Analytics are stored outside the EU/EFTA area. Google uses this infor-mation to analyse the use of the Zurich Airport website for us and prepare reports on website activity and internet use. Furthermore Google confirms that this information is passed to third parties in so far as this is prescribed by statute or if those third parties process the data on Google’s instructions. The IP address ob-tained by Google Analytics from the browser is kept separate from other data by Google. The storage of cookies can be prevented (see the foregoing section on "Cookies"). In addition, Google can be prevented from recording the data generated by the cookie relating to website use (including IP addresses) and pro-cessing that data by downloading and installing the browser plugin that is available via the following link. : https://tools.google.com/dlpage/gaoptout?hl=en
13 Use of Google Tag Manager
We use the Google Tag Manager service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA. Google Tag Manager gives marketers an interface for the management of website tags. The Tag Manager uses the tags, but not cookies – and it records no personal data. It triggers other tags, however, which may record data. Information about these third-party providers is contained in this data privacy statement. Google Tag Manager does not use these data, however. If you have deactivated cookies or placed other settings, this applies to all tracking tags used with Google Tag Manager. The tool does not alter your cookie settings.
Google may ask you for permission to pass some product data – your account information, for example – to other Google products in order to activate certain functions, such as simplifying the addition of new conver-sion tracking tags for AdWords. Also Google developers review information on product use from time to time in order to make the product even better. But Google will never pass this sort of data to other Google products without your consent.
14 Use of ADTECH
- browser and operating-system information
- device manufacturer and model
- the date and time when particular advertising was delivered
- a unique user ID (for the use of advertising frequencies, Postclick tracking and cookie targeting)
- IP address (stored in Adserver on a hashed basis and cannot be traced)
This enables ADTECH to measure the delivery of advertising, for example the number of clicks on an adver-tisement or how often a particular advertisement has been delivered to an individual user. ADTECH can then report these data to Zurich Airport. In some cases, ADTECH aggregates data gathered on individual net-works for internal statistical purposes. If this is your preference, simply click on the following link: http://optout.aboutads.info/?c=2&lang=EN
15 Use of NET-Metrix
16 Use of Google Maps
This website uses Google Maps API to present geographical information visually, and to calculate journey times with the Travel Planner. When Google Maps is used, Google also gathers, processes and uses data on the use of map functions by visitors. You can find more detailed information on data processing by Google in the Google data privacy statement. You can alter your personal data protection settings in Google’s data protection centre.
Detailed instructions on managing your own data in connection with Google products can be found here.
17 Use of ZEDO
18 Use of CloudFlare
19 Use of DoubleClick by Google
DoubleClick is a Google brand under which special facilities, mainly relating to online marketing, are mar-keted to advertising agencies and publishers. The company operating DoubleClick by Google is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
Data is transferred to the DoubleClick server with every impression, and also with clicks and other activities. Each of these data transfers triggers a cookie enquiry to the user’s browser. If the browser accepts it, Dou-bleClick places a cookie on the IT system of the person affected. The purpose of the cookie is to optimise and display advertising. Among other things, cookies are used to activate and display advertising that is relevant to the user and to compile reports on advertising campaigns or improve them. The cookie also serves to prevent the same advertising from being displayed repeatedly.
DoubleClick uses a cookie ID necessary for the technical procedure to be conducted. The cookie ID is needed to display an advertisement in a browser, for example. DoubleClick can also use the cookie ID to record which advertisements have already been displayed in a browser, in order to avoid duplication. The cookie ID also enables DoubleClick to record conversions, for example when DoubleClick advertisement has been dis-played to a user who then makes a purchase on the advertiser’s website with the same internet browser.
A DoubleClick cookie contains no personal data, though it may contain additional campaign identifiers. A campaign identifier serves to identify the campaigns with which the user has already been in contact.
Every visit to one of the individual pages of this website operated by the entity responsible for processing and into which a DoubleClick component has been integrated automatically makes the internet browser on the IT system of the person affected transfer data to Google for the purposes of online advertising and the crediting of commission. In the course of this technical procedure Google receives data that it uses to pre-pare commission statements. One of the things Google can detect is that the person affected has clicked on certain links on our website.
Persons affected can at any time permanently prevent cookies from being set by our website by changing their internet browser settings. This setting change would also prevent Google from placing a cookie on the IT system of the person affected. Furthermore, cookies already set by Google can be deleted with an inter-net browser or other software program.
Further information and the current data protection provisions of DoubleClick by Google can be found at https://www.google.com/intl/en/policies/.
20 Use of social plugIns
Social plugins ("plugins") of the Facebook social network are operated on our website by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook"). These plugins are marked with a Facebook logo or the identifier "Social plugin from Facebook" or "Facebook social plugin". You can find an overview of Facebook plugins and what they look like here: https://developers.facebook.com/docs/plugins.
When you visit a website of ours that contains one of these plugins, your browser sets up a direct link to the Facebook servers. The content of the plugin is transmitted directly to your browser by Facebook and added to the site. This link sends Facebook the information that your browser has visited the relevant page of our website, even if you have no Facebook profile or are not logged in to Facebook at the time. This in-formation (including your IP address) is sent directly by your browser to a Facebook server in the USA and stored there.
If you are logged in to Facebook, Facebook can add your visit to our website directly to your Facebook pro-file. If you interact with plugins, for example by pressing the "Like" button or making a comment, this in-formation is also sent directly to a Facebook server and stored there. The information is also published on your Facebook profile and displayed to your Facebook friends.
The purpose and scope of the gathering, further processing and use of the data by Facebook, as well as your rights in relation to it and your optional settings for the protection of your privacy, can be found in the Facebook data privacy statement: http://www.facebook.com/policy.php.
If you do not want Facebook to add the data gathered via our website directly to your Facebook profile, you must log out of Facebook before visiting our website. You can also entirely prevent Facebook plugins from loading with add-ons for your browser, e.g.
for Mozilla Firefox:
Social plugins ("plugins") of the Twitter microblogging services are operated on our website by Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA ("Twitter"). The plugins are marked with a Twit-ter logo, for example in the form of a blue "Twitter bird". You can find an overview of Twitter plugins and what they look like here: https://about.twitter.com/en_us/company/brand-resources.html.
When you visit a website of ours that contains one of these plugins, your browser sets up a direct link to the Twitter servers. The content of the plugin is transmitted directly to your browser by Twitter and added to the site. This link sends Twitter the information that your browser has visited the relevant page of our website, even if you have no profile with Twitter or are not logged in to Twitter at the time. This infor-mation (including your IP address) is sent directly by your browser to a Twitter server in the USA and stored there.
If you are logged in to Twitter, Twitter can add your visit to our website directly to your Twitter account. If you interact with plugins, for example by pressing the "Twitter" button, this information is also sent direct-ly to a Twitter server and stored there. The information is also published on your Twitter profile and dis-played to your contacts.
The purpose and scope of the gathering, further processing and use of the data by Twitter, as well as your rights in relation to it and your optional settings for the protection of your privacy, can be found in the Twit-ter data privacy statement: https://twitter.com/privacy.
If you do not want Twitter to add the data gathered via our website directly to your Twitter account, you must log out of Twitter before visiting our website. You can also entirely prevent Twitter plugins from load-ing with add-ons for your browser, e.g. with the "NoScript" script blocker (http://noscript.net/).
Instagram social plugins ("plugins") are operated on our website by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA ("Instagram"). The plugins are marked with an Instagram logo, for example in the form of an "Instagram camera". You can find an overview of Instagram plugins and what they look like here: http://blog.instagram.com/post/36222022872/introducing-instagram-badges.
When you visit a website of ours that contains one of these plugins, your browser sets up a direct link to the Instagram servers. The content of the plugin is transmitted directly to your browser by Instagram and added to the site. This link sends Instagram the information that your browser has visited the relevant page of our website, even if you have no Instagram profile or are not logged in to Instagram at the time. This information (including your IP address) is sent directly by your browser to an Instagram server in the USA and stored there.
If you are logged in to Instagram, Instagram can add your visit to our website directly to your Instagram account. If you interact with plugins, for example by pressing the "Instagram" button, this information is also sent directly to an Instagram server and stored there. The information is also published on your Insta-gram account and displayed to your contacts.
The purpose and scope of the gathering, further processing and use of the data by Instagram, as well as your rights in relation to it and your optional settings for the protection of your privacy, can be found in the Instagram data privacy statement: https://help.instagram.com/155833707900388/.
If you do not want Instagram to add the data gathered via our website directly to your Instagram account, you must log out of Instagram before visiting our website. You can also entirely prevent Instagram plugins from loading with add-ons for your browser, e.g. with the "NoScript" script blocker (http://noscript.net/).
YouTube social plugins ("plugins") are operated on our website by YouTube, LLC, 901 Cherry Ave., San Bru-no, CA 94066, USA ("YouTube"). YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. The plugins are marked with a YouTube logo, for example in the form of a "YouTube button".
Every visit to one of the individual pages of this website operated by the entity responsible for processing and into which a YouTube component (YouTube video) has been integrated automatically makes the inter-net browser on the IT system of the person affected download a display of the corresponding YouTube component from YouTube. Further information on YouTube can be found at https://www.youtube.com/yt/about/. As part of this technical procedure YouTube and Google gather in-formation on which specific page of our website the user is visiting.
If persons affected are logged into YouTube when they visit a website page containing a YouTube video, YouTube knows which specific page of our website they are visiting. This information is gathered by YouTube and Google and added to the YouTube account of the person affected.
The YouTube component always gives YouTube and Google information that persons affected have visited our website if they are logged into YouTube at the time, regardless of whether or not they click on a YouTube video. If persons affected do not want this information to be sent to YouTube and Google, they simply need to log out of their YouTube account before visiting our website.
YouTube’s published data privacy provisions, which are available at https://policies.google.com/privacy?hl=en&gl=de, give details of the gathering, processing and use of per-sonal data by YouTube and Google.
Our website uses what is known as a video widget, operated by yoveo AG, Sihlstrasse 59, 8001 Zurich, Switzerland ("yoveo"). The widget is part of the individual "Airport TV" page of the website. It contains videos that are clearly marked as such with play buttons when the cursor is moved over them. The "Airport TV" page that the widget is part of is operated by the entity responsible for processing, and every time it is accessed the widget automatically tells the browser on the IT system of the person affected to download an image of it. Further information on yoveo AG can be found at https://www.yoveo.ch/datenschutz/?lang=en. In the course of this technical process yoveo AG gathers information on how often and for how long the person affected visits the "Airport TV" page.
21 The routine deletion and blocking of personal data
The entity responsible for processing processes and stores the personal data of the person affected only for the period necessary to achieve the purpose of storing it or that is permitted by the European regulator and issuer of directives or other legislature in laws or regulations to which the entity responsible for processing is subject.
If the purpose of storing the data no longer applies or a period prescribed in laws or regulations by the Euro-pean regulator and issuer of directives or other legislature expires, the personal data are routinely blocked or deleted in accordance with statutory regulations.
22 Rights of the person affected
If you wish to exercise one of the following rights, please contact us as described in paragraph 3.
You can also complain about our processing of your personal data to the Federal Data Protection and Infor-mation Commissioner (FDPIC, http://www.edoeb.admin.ch).
a) Right to confirmation
Jede betroffene Person hat das vom Schweizerischen Gesetzgeber bzw. vom Europäischen Richtlinien- und Verordnungsgeber eingeräumte Recht, von dem für die Verarbeitung Verantwortlichen eine Bestätigung darüber zu verlangen, ob sie betreffende personenbezogene Daten verarbeitet werden. Möchte eine betroffene Person dieses Bestätigungsrecht in Anspruch nehmen, kann sie sich hierzu jederzeit an unseren Datenschutzbeauftragten wenden.
b) Right to information
The Swiss legislature and the European regulator and issuer of directives guarantee all persons affected by the processing of their personal data the right to call on the entity responsible for processing for information about the stored personal data relating to them, and to provide them with a copy of that information, free of charge. The European regulator and issuer of directives also gives persons affected the right to the follow-ing information:
- the purposes of processing
- the categories of personal data being processed
- the recipients or categories of recipients to whom personal data has been or is being disclosed, es-pecially where recipients are in third countries or are international organisations
- where possible the period for which the personal data are to be stored, or if this is not possible the criteria for determining that period
- the existence of a right to the correction or deletion of their personal data or to the restriction of its processing by the responsible entity or to a right of objection to its processing
- the existence of a right to complain to a supervisory authority
- if the personal data are not obtained from the person affected: all available information on the origin of the data
- the existence of automated individual decision making including profiling in accordance with Art. 22 (1) and (4) of the General Data Protection Regulation (GDPR) and – in these cases at least – mean-ingful information on the logic involved and the implications for and the intended effects on the per-son affected of such processing
- persons affected are also entitled to information on whether their personal data have been trans-mitted to a third country or an international organisation. If this is the case, the person affected is also entitled to information on appropriate guarantees in connection with the transmission.
Persons affected who wish to exercise this right can apply to our data protection officer at any time.
c) Right of correction
The Swiss legislature and the European regulator and issuer of directives guarantee all persons affected by the processing of their personal data the right to call for incorrect personal data relating to them to be cor-rected without delay. Furthermore persons affected are entitled, taking the purposes of processing into account, to call for their incomplete personal data to be completed, if necessary by means of a supplemen-tary statement.
Persons affected who wish to exercise this right can apply to our data protection officer at any time.
d) Right of deletion (right to be forgotten)
The European regulator and issuer of directives guarantees all persons affected by the processing of their personal data the right to call on the responsible entity to delete their personal data without delay if one of the following reasons applies and processing is not necessary:
- The personal data were obtained or otherwise processed for purposes for which they are no longer necessary.
- The person affected revokes the consent on which the processing was based in accordance with Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, and processing lacks any other legal basis.
- The person affected objects to processing in accordance with Art. 21 (1) GDPR and there are no overriding reasons for it, or lodges an objection to processing in accordance with Art. 21 (2) GDPR.
- The personal data have been unlawfully processed.
- The deletion of the personal data is required in order to meet a statutory obligation under EU law or that of member states to which the responsible entity is subject.
- The personal data were obtained in relation to information society services offered in accordance with Art. 8 (1) GDPR.
- If one of the reasons listed above applies and persons affected wish their personal data held by Zur-ich Airport to be deleted, they can apply to our data protection officer at any time.
If personal data have been made public by Zurich Airport and the company is obliged as the responsible enti-ty within the meaning of Art. 17 (1) GDPR to delete them, Zurich Airport, taking account of available tech-nology and the implementation costs, takes appropriate measures, including technical measures, to make other persons responsible for data processing who process the personal data concerned aware that the person affected has called on these other persons responsible for data processing to delete all links to these personal data or copies or duplicates of these personal data if processing is not necessary. In individual cases our data protection officer will give the necessary instructions.
e) Right to restrict processing
The European regulator and issuer of directives guarantees all persons affected by the processing of their personal data the right to call on the responsible entity to restrict processing if one of the following condi-tions is met:
- The person affected disputes the correctness of personal data for a period enabling the responsible entity to verify their correctness.
- The processing is unlawful, the person affected rejects the deletion of the personal data and calls in-stead for their use to be restricted.
- The responsible entity no longer needs the personal data for the purposes of processing, but the person affected needs them to assert, exercise or defend legal entitlements.
- The person affected has lodged an objection to processing in accordance with Art. 21 (1) GDPR and it is not yet clear whether the reasons of the responsible entity outweigh those of the person af-fected.
- If one of the preconditions listed above is met and persons affected wish their personal data held by Zurich Airport to be restricted, they can apply to our data protection officer at any time.
f) Right to data transferability
The European regulator and issuer of directives guarantees all persons affected by the processing of their personal data the right to be supplied with the personal data relating to them that was given to a responsi-ble entity by the person affected in a structured, standard, machine-readable format. Such persons are also entitled to transmit these data to another responsible entity without hindrance by the responsible entity to whom the personal data were supplied, provided that processing is based on consent in accordance with Art. 6 (1) (a) or Art. 9 (2) (a) GDPR or on a contract in accordance with Art. 6 (1) (b) GDPR and processing is conducted with the aid of automated processes if processing is not necessary for the fulfilment of a task in the public interest or in the exercise of official authority transferred to the responsible entity.
Furthermore the person affected, in exercising the right to data transferability in accordance with Art. 20 (1) GDPR, is entitled to effect the direct transfer of personal data from one responsible entity to another, provided that this is technically feasible and that no rights and liberties of other persons are infringed.
Persons affected wishing to assert the right to data transferability can apply to our data protection officer at any time.
g) Right of objection
The European regulator and issuer of directives guarantees all persons affected by the processing of their personal data the right to object at any time, for reasons arising from their personal situation, to the pro-cessing of personal data relating to them for reasons based on Art. 6 (1) (e) or (f) GDPR. This also applies to profiling based on these provisions.
In the event of an objection Zurich Airport no longer processes personal data unless we can show that we have legitimate reasons for doing so that outweigh the interests, rights and liberties of the person affected, or that processing serves the assertion, exercise or defence of legal entitlements.
If Zurich Airport processes personal data in order to engage in direct advertising, the person affected is enti-tled at any time to object to processing of personal data for the purposes of such advertising. This also ap-plies to profiling that is connected with such direct advertising. If persons affected object to processing by Zurich Airport for the purposes of direct advertising, we shall no longer process their personal data for these purposes.
In addition persons affected are entitled to object to the processing of their personal data conducted by Zurich Airport for the purposes of scientific or historical research or for statistical purposes in accordance with Art. 89 (1) GDPR for reasons arising from their personal situation, unless such processing is necessary in order to perform a task in the public interest.
Persons affected wishing to assert the right to object can apply directly to our data protection officer. Not-withstanding Regulation 2002/58/EC, persons affected are also entitled to exercise their right of objection in connection with the use of the services of the information society by means of an automated process mak-ing use of technical specifications.
h) Automated decisions in individual cases including profiling
The European regulator and issuer of directives guarantees all persons affected by the processing of their personal data the right not to be subject to a decision based solely on automated processing – including profiling – that has legal effects on them or similarly compromises them to a significant degree, unless the decision (1) is necessary for the conclusion or fulfilment of a contract between the person affected and the responsible entity or (2) is permitted in accordance with legislation of the European Union or its member states to which the responsible entity is subject and this legislation contains appropriate measures to safe-guard the rights, liberties and legitimate interests of the person affected or (3) has the express consent of the person affected.
If the decision (1) is necessary for the conclusion or fulfilment of a contract between the person affected and the responsible entity or (2) for the conclusion or fulfilment of a contract between the person affected and the responsible entity necessary or (2) has the express consent of the person affected, Zurich Airport takes appropriate measures to safeguard the rights, liberties and legitimate interests of the person affected, in-cluding at least the right to effect the intervention of a person on the part of the responsible entity, to pre-sent their own standpoint and to contest the decision.
If persons affected wish to assert their rights with regard to automated decisions, they can apply to our data protection officer at any time.
i) Right of revocation of consent under data protection law
The Swiss legislature and the European regulator and issuer of directives guarantee all persons affected by the processing of their personal data the right to revoke their consent to the processing of personal data at any time.
If persons affected wish to assert their right to revoke consent, they can apply to our data protection officer at any time.
23 The legal basis of processing
The company relies on Art. 6 (I) (a) GDPR as the legal basis for processing in which we obtain consent for a defined processing purpose. If the processing of personal data is necessary for the fulfilment of a contract to which the person affected is a party, as is the case, for example, with processing necessary for a delivery of goods, a service or a consideration, then processing is based on Art. 6 (I) (b) GDPR. The same applies to pro-cessing necessary for the performance of precontractual measures, for example in cases of enquiries about our products or services. If the company is subject to a legal obligation necessitating the processing of per-sonal data – in order to meet fiscal obligations, for example – then processing is based on Art. 6 (I) (c) GDPR. In rare cases the processing of personal data could become necessary in order to protect the vital interests of the person affected or another natural person. This would be the case, for example, if a visitor to the airport were injured and his name, age, health insurance details or other vital information had to be passed to a doctor, a hospital or other third parties. Processing would then be based on Art. 6 (I) (d) GDPR. Finally processing could be based on Art. 6 (I) (f) GDPR. This is the legal basis for processing not covered by any of the aforementioned legal bases if the processing is necessary in order to safeguard the legitimate interests of the company or a third party, unless these are outweighed by the interests, basic rights and fundamental liberties of the person affected. We are especially permitted to carry out such processing because European legislation specifically mentions it, taking the view that a legitimate interest may have to be assumed if the person affected is a customer of the responsible entity (recital 47 clause 2 GDPR).
24 Legitimate interests in processing by the responsible entity or a third party
If the processing of personal data is based on Art. 6 (I) (f) GDPR, our legitimate interest is the conduct of our business activity for the wellbeing of all our employees and our shareholders.
25 How long personal data are stored
The criterion for how long personal data are stored is the relevant statutory preservation period. On the expiry of this period the corresponding data are routinely deleted unless they are still required for the initia-tion or fulfilment of a contract.
26 Statutory or contractual regulations on the provision of personal data; requirement for the conclusion of a contract; obligation of the person affected to provide personal data; possible consequences of failure to provide them.
We inform you that the provision of personal data is sometimes prescribed by statute (e.g. tax regulations), and it may also arise from contractual provisions (e.g. information on the contractual partner). It may also be necessary for the conclusion of a contract for a person affected to provide us with personal data that we are subsequently required to process. Persons affected are obliged, for example, to provide us with personal data if the company concludes a contract with them. The failure to provide personal data would prevent the conclusion of the contract with them. Before providing personal data the person affected must apply to one of our employees, who explains on the basis of the individual case whether the provision of personal data is prescribed by statute or contractually or is necessary for the conclusion of a contract, whether an obligation to provide personal data exists, and what consequences would follow a failure to provide personal data.
27 Existence of automated decision making
As a responsible company we make no use of automatic decision making or profiling.
28 Adaption of this Data privacy statement
We may adjust our data privacy statement at any time by publishing it on this website.
Zurich Airport, May 2018