Data Protection

Purpose and scope
Ferrovia Vigezzina-Centovalli, and henceforth referred to as the "Organization", undertakes to comply with the applicable laws and regulations regarding the protection of personal data in the countries where it operates, in this case the nLPD Switzerland

This policy sets out the fundamental principles according to which the organisation processes the personal data of customers, suppliers, business partners, employees and other individuals, and sets out the responsibilities of its departments and employees in the processing of personal data.

This policy applies to the organisation and its subsidiaries (directly or indirectly) operating within Switzerland, the European Economic Area or processing personal data of data subjects in that area.

The addressees of this procedure are all employees, temporary or permanent.

The principles of the nLPD
The data protection principles set out the basic responsibilities (accountability) for organisations processing personal data. "The controller shall be responsible for compliance with these principles and shall be able to demonstrate that its processing operations comply with these principles".

Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and transparently in relation to the data subject.

Purpose limitation
Personal data must be collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.

Minimisation of data
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Where possible to reduce risks to data subjects, the organisation shall apply anonymisation or pseudonymisation to personal data.

Accuracy
Personal data shall be accurate and, where necessary, kept up to date; reasonable steps shall be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.

Limitation of the storage period
Personal data shall be kept for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality
Taking into account the state of technology and other available security measures, the costs of implementation and the likelihood and severity of personal data risks, the organisation shall use appropriate technical or organisational measures to process personal data in such a way as to ensure appropriate security of personal data, including protection by appropriate technical and organisational measures against unauthorised or unlawful processing and accidental loss, destruction or damage.

Responsibility
The controller shall be responsible for compliance with those principles and shall be able to demonstrate that its processing operations comply with those principles.

Collection
The organisation must endeavour to collect as little personal data as possible. If personal data is collected by a third party, the Data Controller must ensure that personal data is collected in accordance with the law. 

Use, storage and disposal
The organisation must maintain the accuracy, integrity, confidentiality and relevance of personal data in relation to the purpose of the processing. Appropriate security mechanisms must be used to protect personal data to prevent it from being stolen or misused and to prevent personal data breaches. The Data Controller is responsible for compliance with the requirements listed in this section.

Disclosure to third parties
Whenever the organisation uses a third-party supplier or business partner to process personal data on its behalf, the Data Controller must ensure that this party provides adequate security measures to safeguard personal data in relation to the associated risks. For this purpose, a specific conformity questionnaire should be used.

The supplier or business partner must process personal data only for the purpose of fulfilling its contractual obligations towards the organisation or at the instructions of the organisation and not for other purposes. When the organisation processes personal data jointly with an independent third party, the organisation must explicitly specify their respective responsibilities in the respective contract or in any other legally binding document, such as the supplier's Data Processing Agreement.

Cross-border transfer of personal data
Before transferring personal data from the Swiss Confederation and the European Economic Area (EEA), appropriate safeguards must be used, including the signing of a data transfer agreement, as required by the European Union and, if necessary, the authorisation of the data protection authority must be obtained. The entity receiving the personal data shall comply with the principles of the processing of personal data set out in the Cross-Border Data Transfer Procedure.

Access rights of data subjects
When acting as data controller, the organisation is obliged to provide data subjects with a reasonable access mechanism allowing them to access their personal data and must allow them to update, correct, erase or transmit their personal data where appropriate or required by law. The access mechanism will be further detailed in the Procedure for requesting access to the data subject's data.

Data portability
Data subjects shall have the right to receive, upon request, a copy of the data they have provided, in a structured format, and to transmit such data to another Data Controller free of charge. The Data Controller shall be responsible for ensuring that such requests are processed within one month, are not excessive and do not affect the personal data rights of other persons.

Right to be forgotten
Upon request, the data subject has the right to obtain from the organisation, the erasure of his or her personal data. When the organisation acts as the data controller, the Data Controller must take the necessary steps (including technical measures) to inform third parties using or processing the data to comply with the request.

Organisation and responsibilities
Responsibility for ensuring the proper processing of personal data lies with any person working within or on behalf of the organisation who has access to the personal data processed by the organisation.

The Board of Directors makes decisions and approves the general strategies of the organisation with regard to the protection of personal data.

The DPO Data Protection Advisor (appointed internally or externally) or any other employee identified as the contact person for the PIMS Privacy Management System, is responsible for the management of the data protection program and for the development and promotion of end-to-end procedures for the protection of personal data.

The controller of this document is the Data Controller, who has the task of checking it and, if necessary, updating it, at least annually.