Information note on personal data protection - Whistleblowers
Personal data protection
Introduction
The protection of your personal data is a priority for the CFL (for each entity of the CFL Group structure respectively, which may process your personal data for the purposes of its activity).
This information notice provides you with the necessary information and explains how we collect, use, share, store and protect your personal information. It also informs you of your rights and how to exercise them.
1. Who is the controller?
The Société Nationale des Chemins de Fer Luxembourgeois (Luxembourg National Railway Company, CFL), 16 boulevard d'Avranches, L-1160 Luxembourg, registered with the Luxembourg Trade and Companies Register under number B59025, is the Controller of your personal data processed by us.
The CFL may be considered as controller only in the context of internal reporting. In the context of external reporting, please refer to the competent authority to which you made the report.
In this capacity, we are responsible for the way in which we collect, use, share, store and protect your personal data.
2. Which categories of personal data are processed and for what purposes?
An internal reporting system has been set up within the CFL Group and its Luxembourg subsidiaries in application of the law of 16 May 2023 transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law. The purpose of this mechanism is to allow internal reporting of breaches of Union law or national law.
To carry out these tasks, we collect and process some of your personal data.
Depending on the type of purpose pursued, the data categories are the following:
- Identification data (surname, first name, address(es), telephone number(s), e-mail address, etc.) except in the case of anonymous reporting,
- Data relating to your profession, job, except in the case of anonymous reporting,
- Minutes including your statements,
- Data relating to the reports you submit (all data you voluntarily provide in your report, which may include any personal data).
The CFL undertake to ensure that the data are collected for specific purposes and that the processing is adequate, relevant and limited to what is necessary for the purpose for which they are processed.
The purpose pursued is the following:
- Processing (analysis and investigation) and management of an internal report in the framework of the whistleblowing procedure.
3. How do we collect, process, and use your data?
We collect and use the personal data you submit when reporting internally.
For each purpose described above, collection and processing of your data are:
- performed in accordance with the current regulations on the protection of personal data, including the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC), the related Guidelines and the national laws implementing the GDPR, where appropriate,
- legally based on the fact that the processing is necessary for compliance with a legal obligation to which we are subject as controller (in this case the law of 16 May 2023 transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law).
4. Who has access to your data?
We ensure that your personal data are processed with due regard for the purposes indicated above.
With due respect for the confidentiality of the whistleblower, some of your data may be shared with some of our in-house departments, subject to strict observance of the tasks assigned to these departments, to perform the necessary investigations after receipt of an internal report.
The department which may process your data is the “Internal Audit” department.
5. Where are your data processed? Are your data transferred?
Your data are processed by the CFL which take all the appropriate technical and organisational measures to protect the security of your personal data and first and foremost the confidentiality, integrity and availability of your personal data.
Within the strict framework of the purposes referred to above and whenever it is necessary, some of your personal data could be shared with law enforcement or judicial authorities.
6. How long do we retain your data?
We keep your personal data for a maximum of 5 years from the closure of the investigation.
7. What are your rights in relation to your personal data?
Under the conditions provided for in the regulations, you have the right:
- of access to the personal data we hold concerning you,
- of rectification of the data if they are inaccurate or incomplete,
- of erasure in certain cases, such as, for example, whenever your data are no longer necessary for the purpose pursued and we don't have any contractual or legal obligation to store data anymore,
- to request the restriction of processing your personal data, such as for example the restriction of processing data of which you contest the accuracy, for the period enabling us to verify your request,
- to request the portability of your personal data in order to transmit your personal data to you in a structured, commonly used, readable format or to have them transferred to another controller,
- to withdraw your consent at any time to the processing of your personal data without this affecting the lawfulness of processing based on the consent given prior to withdrawal (unless the processing has a legal basis other than your consent),
- to object to the processing of your data based solely on the pursuit of our legitimate interests or to prohibit us from processing them, including for direct marketing,
- to lodge a complaint with the competent personal data protection authority of your country and/or the Grand Duchy of Luxembourg (Commission Nationale Pour la Protection des Données – CNPD, 15, boulevard du Jazz, L-4370 Belvaux – https://cnpd.public.lu/en).
8. How do you contact us and exercise your rights?
You can send your questions relating to the processing of your personal data and/or exercise your rights set out above for the attention of the Data Protection Officer (DPO) of the CFL:
- on our website www.cfl.lu by clicking the link gdpr.cfl.lu,
- or by post for the attention of the Data Protection Officer (DPO), Société Nationale des Chemins de Fer Luxembourgeois, 16 boulevard d’Avranches, L-1160 Luxembourg.
9. How do we update this information notice?
To ensure optimum compliance with the current regulations, we undertake to update the present information notice whenever necessary. The latest version in force is placed online on our website.