General information notice on personal data protection
0 results for «»
Personal data protection
Introduction
The customer is placed at the centre of CFL's concerns.
For this reason, naturally, the protection of your personal data is a priority for the CFL (for each entity of the CFL Group structure respectively, which may process your personal data for the purposes of its activity).
This information notice provides you with the necessary information and explains to you how we collect, use, share, store and protect your personal information. It also informs you of your rights and how to exercise them.
1. Who is the controller?
The Société Nationale des Chemins de Fer Luxembourgeois (Luxembourg National Railway Company, CFL), 16 boulevard d'Avranches – L-1160 Luxembourg, registered with the Luxembourg Trade and Companies Register under number B 59025 is the Controller of your personal data processed by us.
In this capacity, we are responsible for the way in which we collect, use, share, store and protect your personal data.
2. Which categories of personal data are processed and for what purposes?
The task of the Société Nationale des Chemins de Fer Luxembourgeois (CFL) is to transport passengers, manage the infrastructures and direct investments in rolling stock and in the field of the modernisation of its infrastructures. In addition, the CFL accord top priority to the efforts enabling the highest possible level of security to be guaranteed for all customers.
To carry out these tasks, we collect and process some of your personal data.
Depending on the type of purpose pursued, the data categories are the following:
- Identification data (surname, first name, address(es), telephone number(s), etc.)
- Personal characteristics data (date of birth, gender, nationality, identity card and/or other identifying administrative documents, etc.),
- Electronic identification data in the case of access to a CFL application (IP address, cookies, e-mail address, etc.),
- Financial data (credit card or bank account numbers) relating to your service purchase,
- Data relating to your household composition for the purchase of certain tickets, transport cards,
- Data relating to your profession, job
- Pictures, photos, sounds for processing relating to the security of infrastructures or rolling stock,
In certain cases, we also process specific categories of personal data, also known as sensitive data:
- Data relating to offences or convictions,
- Health data.
In all cases, the CFL undertake to ensure that the data are collected for the specific purposes and that the processing is adequate, relevant and limited to what is necessary for the purpose for which they are processed.
The purposes pursued are the following:
- management of the services provided by the CFL,
- management of our contractual relationships,
- management of subscriptions and all transport tickets,
- commercial management of passengers and prospects,
- business development and marketing,
- management of complaints and incidents,
- analysis of passenger needs,
- compilation of statistics,
- prevention and handling of offences,
- management of litigation and pre-litigation of the CFL, management of cash-out requests, management of reminders and debt collection,
- personalisation of your access to the system,
- accompaniment of passengers with disabilities or reduced mobility.
3. How do we collect, process and use your data?
We collect and use the personal data that you provide when you use our services.
The personal information may also be gathered using cookies, web beacons and other similar technologies.
For each purpose described above, the collection and processing of your data are:
- in accordance with the current regulations on the protection of personal data, including the GDPR (European Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the possessing of personal data and on the free movement of such data, and repealing Directive 95/46/EC), the related Guidelines and the national laws implementing the GDPR, where appropriate,
- legally justified
- by the fact that the processing of your personal data is necessary for the performance of a contract to which you are a party or for the performance of pre-contractual measures undertaken at your request,
- or on the basis of your consent,
- or by the fact that the processing is necessary for compliance with a legal obligation to which we are subject as controller,
- or by an interest recognised as legitimate,
- or when the processing of your data is necessary for the performance of a task of general public interest with which we are entrusted (passenger and staff safety, protection of property, prevention and identification of offences, etc.)
4. Who has access to your data?
We ensure that your personal data are processed with due regard for the purposes indicated above.
These data are shared with some of our in-house departments, subject to strict observance of the tasks assigned to these departments.
5. Where are your data processed? Are your data transferred?
Your data are processed by the CFL which take all the appropriate technical and organisational measures to protect the security of your personal data and first and foremost the confidentiality, integrity and availability of your personal data.
Within the strict framework of the purposes referred to above and whenever it is necessary, we share your personal data with the coach operators of the national network RGTR (Régime Générale des Transports Routiers) and other railway undertakings (SNCF, SNCB, etc.), Luxembourg tourism associations and partners (Entente touristique de la Moselle, Château de Vianden, Coopération Witz,...) and foreign tourist offices, our auditors, our legal advisers, the Luxembourg authorities or the competent foreign authorities.
CFL may transfer your personal data outside the European Union. In this case, we contractually impose on service providers guarantees of security and confidentiality concerning your personal data by means of appropriate technical and organisational measures, such as standard contractual clauses, in accordance with European regulations, and we ensure that these guarantees are respected.
We acknowledge the invalidation of the privacy shield. We are taking the necessary steps to ensure that the level of protection of your personal data to the United States remains adequate.
6. How long do we store your data?
We store your personal data for as long as they are needed to carry out the purposes of their processing and for the time necessary for us to fulfil our obligations arising from limitation periods and/or any other legal provisions.
7. What are your rights in relation to your personal data?
Under the conditions provided for in the regulations, you have the right:
- of access to the personal data we hold concerning you,
- of rectification of the data if they are inaccurate or incomplete,
- of erasure in certain cases, such as, for example, whenever your data are no longer necessary for the purpose pursued and we don't have any contractual or legal obligation to store the data anymore,
- to request the restriction of processing of your personal data, such as for example the restriction of processing of data of which you contest the accuracy, for the period enabling us to verify your request,
- to request the portability of your personal data in order to transmit your personal data to you in a structured, commonly used, readable format or to have them transferred to another controller,
- to withdraw your consent at any time to the processing of your personal data without this affecting the lawfulness of processing based on the consent given prior to withdrawal (unless the processing has a legal basis other than your consent),
- to object to the processing of your data based solely on the pursuit of our legitimate interests or to prohibit us from processing them, including for direct marketing,
- to lodge a complaint with the competent personal data protection authority of your country and/or the Grand Duchy of Luxembourg (Commission Nationale Pour la Protection des Données – CNPD, located at 1, avenue du Rock’n’Roll, L-4361 Esch-sur-Alzette – www.cnpd.public.lu).
8. How do you contact us and exercise your rights?
You can send your questions relating to the processing of your personal data and/or exercise your rights set out above for the attention of the Data Protection Officer (DPO) of the CFL:
- on our website www.cfl.lu by clinking the link gdpr.cfl.lu under the tab “data protection” at the bottom of the page,
- or by post for the attention of the Data Protection Officer (DPO), Société Nationale des Chemins de Fer Luxembourgeois, 9 place de la gare – L-1616 Luxembourg
Any complaint relating to the processing of your personal data can be addressed to the postal address above or to the supervisory authority of the Grand Duchy of Luxembourg, the Commission Nationale Pour la Protection des Données – CNPD, located at 1, avenue du Rock’n’Roll, L-4361 Esch-sur-Alzette – www.cnpd.public.lu).
9. How do we update this information notice?
To ensure optimum compliance with the current regulations, we undertake to update the present information notice whenever necessary.
The latest version in force is placed online on our website.