Privacy Policy of RAILPOOL GmbH

Welcome to our website. 

As the operator of these pages, we take the protection of your personal data very seriously. We therefore treat your personal data as confidential and in accordance with the statutory data protection regulations and this Privacy Policy.

It is generally possible to use our website without providing personal data. The collection of personal data (such as name, address or e-mail address) on our website is always on a voluntary basis, whenever possible. These data will not be passed on to third parties without your express consent. Please be aware that there are inherent security risks in transferring data via the Internet (e.g. e-mail communication). It is not possible to safeguard data completely against unauthorised access by third parties.

The processing of personal data, such as the name, address, e-mail address or telephone number of a data subject, is always carried out in accordance with the applicable country-specific data protection regulations and in compliance with the EU General Data Protection Regulation. 

With this Privacy Policy, we would like to inform you as the data subject about the rights to which you are entitled. In addition, as part of our responsibility for processing, we have implemented extensive technical and organisational measures to ensure that the protection of personal data processed via this website is as complete as possible. Nevertheless, Internet-based data transfers can have security gaps, meaning that absolute protection cannot be guaranteed. For this reason, every data subject is free to transfer personal data to us by alternative means, for example by telephone.

Consent to processing 

The user of our website and our range of services consents, through the voluntary use of such, to the processing of his personal data by us for one of the purposes described below. 
RAILPOOL GmbHprovides the following services in the interest of its customers:
-Full-service rail vehicle rental, including maintenance, spare parts procurement, workshop organisation and insurance.
In order to enable and implement these services in all areas, the user agrees that RAILPOOL GmbH maycollect the information necessary for this and, if necessary, pass it on to the partner companies named above for them to perform the services for the purposes mentioned.The personal data provided (in particular name, address, telephone number, bank details) are necessary and required solely for the purpose of providing the service range and a potential contractual relationship and are collected on the basis of legal authorisations. For any further use of personal data and the collection of additional information, the consent of the data subject is generally required. Further details – in particular the right of withdrawal – are explained under the following points.

 

1. Definition of terms

This Privacy Policy is based on the terms used in the EU General Data Protection Regulation (GDPR) and the new Federal Data Protection Act (Datenschutz-Anpassungs- und -Umsetzungsgesetzes EU–DSAnpUG-EU - in short: BDSG-neu). Our Privacy Policy should be easy to read and understand both for the public and for our customers and business partners. To ensure this, we would like to start by explaining the terms used.

We use the following terms, among others, in this Privacy Policy:

a) Personal data

Personal data are all information relating to an identified or identifiable natural person (hereinafter “data subject”). A natural person is deemed identifiable if he can be identified directly or indirectly, in particular by assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more particular characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.

b) Data subject

The data subject is any identified or identifiable natural person whose personal data are processed by the controller.

c) Processing

Processing means any operation or series of operations carried out with or without the aid of automated procedures in relation to personal data, such as the collection, recording, organisation, sorting, storage, adaptation or alteration, reading, retrieval, use, disclosure by transfer, dissemination or any other form of provision, comparison or linking, restriction, erasure or destruction.

d) Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of restricting their future processing.

e) Profiling

Profiling is any form of automated processing of personal data involving the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, behaviour, location or relocation of that natural person.

f) Pseudonymisation

Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data are not assigned to an identified or identifiable natural person.

g) Controller

The controller is the natural or legal person, public authority, institution or other body which alone or jointly with others decides on the purposes and means of the processing of personal data. Where the purposes and means of such processing are laid down by Union or Member State law, the controller or certain criteria of his appointment may be designated according to Union or Member State law.

h) Processor

A processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller.

i) Recipient

A recipient is a natural or legal person, authority, institution or other body to which personal data are disclosed, regardless of whether the recipient is a third party or not. However, authorities that receive personal data under Union or Member State law within the framework of a particular investigation are not regarded as recipients.

j) Third party

A third party is a natural or legal person, authority, institution or other body other than the data subject, the controller, the processor and the persons authorised to process personal data under the direct responsibility of the controller or the processor.

k) Consent

Consent means any informed and unambiguous expression of will voluntarily given by the data subject in the particular case in the form of a declaration or other clear, affirmative act by which the data subject indicates that he agrees to the processing of his personal data. 

 

2. Name and address of the controller

The controller as defined by the General Data Protection Regulation, other data protection laws in force in the Member States of the European Union and other provisions of a data protection nature is:

RAILPOOL GmbH

Torsten Lehnert (responsible MD pursuant to the EU GDPR)

RAILPOOL GmbH
Seidlstrasse 23
80335 Munich
Germany
Telephone: +49 (0)89 510 85 77-0
Fax: +49 (0)89 510 85 77-222
E-mail: sales@railpool.eu

 

3. Cookies

The website uses so-called cookies. Cookies do not cause any damage to your computer and do not contain any viruses. Cookies serve to make our website more user-friendly, effective and secure. Cookies are small text files which are placed on a computer system via an Internet browser and stored by the browser. 

Many websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a character string through which websites and servers can be assigned to the specific Internet browser in which the cookie was stored. This enables the visited websites and servers to distinguish the individual browser of the data subject from other Internet browsers that contain other cookies. A particular Internet browser can be recognised and identified by its unique cookie ID.

Most of the cookies we use are so-called “session cookies”. These are automatically deleted at the end of your visit. Other cookies remain stored on your device until you delete them. These cookies enable us to recognise your browser the next time you visit our website.

You can set your browser so that you are informed about the placement of cookies and only allow cookies in individual cases, prevent the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when you close the browser. You may also prevent the placement of cookies by our website at any time by changing the settings of the Internet browser used, thus permanently objecting to the placement of cookies. When cookies are deactivated, the functionality of this website may be limited.

 

4. Server log files 

Every time a data subject or an automated system visits the website, the site provider collects a series of general data and information and automatically stores information in so-called server log files, which your browser automatically transfers to us. These are:

·      Browser type and browser version

·      Operating system used

·      Referrer URL

·      Host name of the accessing computer

·      Time of the server request 

·      Other similar data and information used for security purposes in the event of attacks on our IT systems.

These data cannot be assigned to specific persons. These data are not combined with other data sources. We reserve the right to check these data subsequently if we become aware of concrete indications of illegal use. The anonymous data in the server log files are stored separately from all personal data provided by a data subject.

 

5. Registering on our website

As a data subject, you have the option of registering on the controller’s website and in doing so providing personal data. The personal data transferred to the controller are determined by the input mask used for registration. The personal data entered by the data subject are collected and stored exclusively for internal use by the controller and for our own purposes. The controller may, where justified, arrange for the data to be passed on to one or more processors, who also use the personal data exclusively for internal use attributable to the controller.

Furthermore, the IP address assigned by the Internet Service Provider (ISP) to the data subject, the date and the time of registration are stored when the data subject registers on the controller’s website. These data are stored because this is the only way to prevent misuse of our services and, if necessary, to enable us to investigate criminal offences committed. In this respect, the storage of these data is necessary to protect the controller. These data will not be passed on to third parties unless there is a legal obligation to do so or this is for the purpose of criminal prosecution.

Registration by the data subject with the voluntary provision of personal data allows the controller to offer the data subject content or services which, by their nature, can only be offered to registered users. Registered persons are free to modify the personal data provided during registration at any time or to have them completely erased from the controller’s database.

The controller will at any time, upon request, inform each data subject of which personal data relating to that data subject are stored. Furthermore, the controller will correct or erase personal data at the request or notice of the data subject, provided that there is no legal obligation to store such data. 

 

6. Contact via the website

Due to legal regulations, our website contains information that allows you to contact our company quickly and electronically and to communicate directly with us, which also includes a general e-mail address. Where a data subject contacts the controller via e-mail or a contact form, the personal data transferred by the data subject will be stored automatically. Such personal data provided voluntarily by a data subject to the controller will be stored for the purpose of processing or contacting the data subject. These personal data are not passed on to third parties.

 

7. Google Analytics

This website uses features of the web analysis service Google Analytics. The provider is Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.

Google Analytics uses so-called “cookies”. These are text files that are stored on your computer and allow an analysis of the way in which you use this website. The information generated by the cookie about your use of this website is generally transmitted to a Google server in the USA and stored there.

Browser plug-in

You can change the settings of your browser software to prevent cookies being stored. However, we must point out that doing so may mean that you can no longer use the full features of our website. Furthermore, you may prevent the collection of the data generated by the cookie relating to your use of the website (including your IP address) by Google and the processing of these data by Google by downloading and installing the browser plug-in available under the following link https://tools.google.com/dlpage/gaoptout?hl=de

Objection to data collection

You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie is placed which prevents the collection of your data when you visit this website in the future: Deactivate Google Analytics

More information on how Google Analytics handles user data can be found in Google’s privacy policy: https://support.google.com/analytics/answer/6004245?hl=de

 

8. SSL encryption

This site uses SSL encryption for security reasons and to protect the transfer of confidential content, such as requests that you send to us as the site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

When SSL encryption is activated, the data you transmit to us cannot be read by third parties.

 

9. Routine erasure and blocking of personal data

The controller will only process and store the personal data of the data subject for the time necessary to achieve the purpose of the data storage or to the extent required by the European body issuing directives or regulations or other legislator in laws or regulations to which the controller is subject.

If the storage purpose ceases to apply or if a storage period required by the European body issuing directives or regulations or another responsible legislator expires, the personal data are routinely blocked or erased in accordance with the statutory regulations.

 

10. Rights of the data subject to information, rectification, erasure and blocking

a) Right to confirmation

Every data subject has the right granted by the European body issuing directives or regulations to request a confirmation from the controller of whether personal data concerning him are processed. If a data subject wishes to exercise this right to confirmation, he may contact our Data Protection Officer or another employee of the controller at any time.

b) Right to information

Every data subject whose personal data are processed has the right granted by the European body issuing directives and regulations to obtain, at any time and free of charge, information from the controller about his stored personal data and a copy of such information. Furthermore, the European body issuing directives and regulations has granted the data subject the right to the following information:

  • The processing purposes
  • The categories of personal data processed
  • The recipients or categories of recipients to whom the personal data have been or are still being disclosed, in particular recipients in third countries or international organisations
  • If possible, the planned duration of the personal data storage or, if this is not possible, the criteria for determining this duration
  • The existence of a right to rectification or erasure of the data subject’s personal data, a right to restriction of processing by the controller or a right to object to such processing
  • The existence of a right to lodge a complaint with a supervisory authority
  • Where the personal data are not collected from the data subject: all available information about the origin of the data
  • The existence of automated decision-making, including profiling, pursuant to Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved as well as the significance and envisaged consequences of such processing for the data subject.

Furthermore, the data subject has a right to information as to whether personal data have been transferred to a third country or to an international organisation. Where this is the case, the data subject also has the right to obtain information about the appropriate guarantees in connection with the transfer.

If a data subject wishes to exercise this right to information, he may contact our Data Protection Officer or another employee of the controller at any time.

c) Right to rectification

Every data subject whose personal data are processed has the right granted by the European body issuing directives and regulations to request the immediate rectification of incorrect personal data concerning him. Furthermore, taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

If a data subject wishes to exercise this right to rectification, he may contact our Data Protection Officer or another employee of the controller at any time.

d) Right to erasure (right to be forgotten)

Every data subject whose personal data are processed has the right granted by the European body issuing directives and regulations to request that the controller erase his personal data immediately, provided that one of the following reasons applies and to the extent that the processing is not necessary:

  • The personal data have been collected or otherwise processed for purposes for which they are no longer necessary.
  • The data subject withdraws his consent on which the processing pursuant to Art. 6 (1) a) GDPR or Art. 9 (2) a) GDPR was based and there is no other legal basis for processing.
  • The data subject lodges an objection to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or the data subject lodges an objection to the processing pursuant to Art. 21 (2) GDPR.
  • The personal data have been processed unlawfully.
  • The erasure of personal data is necessary to fulfil a legal obligation under Union or Member State law to which the controller is subject.
  • The personal data have been collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

Where one of the above-mentioned reasons applies and a data subject wishes to have personal data stored by us erased, he may contact our Data Protection Officer or another employee of the controller at any time. Our Data Protection Officer or another employee will arrange for the erasure request to be complied with immediately.

Where the personal data have been made public by our company and our company as the controller is obliged to erase the personal data pursuant to Art. 17 (1) GDPR, we will take reasonable steps, including technical measures, taking into account the available technology and the implementation costs, to inform other controllers who process the published personal data that the data subject has requested the erasure of all links to these personal data or of copies or replications of these personal data by these other controllers, provided that processing is not necessary. Our Data Protection Officer or another employee will take the necessary steps on a case-by-case basis.

e) Right to restriction of processing

Every data subject whose personal data are processed has the right granted by the European body issuing directives and regulations to ask the controller to restrict the processing if one of the following conditions is met:

  • The accuracy of the personal data is disputed by the data subject for a period of time that enables the controller to verify the accuracy of the personal data.
  • The processing is unlawful, the data subject rejects the erasure of the personal data and instead requests that the use of the personal data be restricted.
  • The controller no longer needs the personal data for the processing purposes, but the data subject needs them to establish, exercise or defend legal claims.
  • The data subject has lodged an objection to the processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the controller’s legitimate reasons outweigh those of the data subject.

If one of the above-mentioned conditions applies and a data subject wishes to have personal data stored by us restricted, he may contact our Data Protection Officer or another employee of the controller at any time. Our Data Protection Officer or another employee will initiate the restriction of processing.

f) Right to data portability

Every data subject whose personal data are processed has the right granted by the European body issuing directives and regulations to receive the personal data relating to him that he provided to a controller in a structured, common and machine-readable format. In addition, the data subject has the right to pass these data on to another controller without obstruction by the controller to whom the personal data were provided, provided that the processing is based on the consent pursuant to Art. 6 (1) a) GDPR or Art. 9 (2) a) GDPR or on a contract pursuant to Art. 6 (1) b) GDPR and that the processing is carried out using automated methods, provided that the processing is not necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller.

Furthermore, in exercising his right to data portability pursuant to Art. 20 (1) GDPR, the data subject has the right to request that the personal data be transferred directly from one controller to another controller, to the extent that this is technically feasible and provided that this does not affect the rights and freedoms of other persons.

To exercise the right to data portability, the data subject may contact the Data Protection Officer appointed by us or another employee at any time.

g) Right to object

Every data subject whose personal data are processed has the right granted by the European body issuing directives and regulations, for reasons arising from his particular situation, to object at any time to the processing of his personal data, which are processed pursuant to Art. 6 (1) e) or f) GDPR. This also applies to profiling based on these provisions.

In the event of an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves to establish, exercise or defend legal claims.

Where we process personal data in order to carry out direct marketing, the data subject has the right to object at any time to the processing of personal data for the purpose of such marketing. This also applies to profiling to the extent that it is connected with such direct marketing. If the data subject objects to processing by us for direct marketing purposes, we will no longer process the personal data for these purposes.

In addition, the data subject has the right, for reasons arising from his particular situation, to object to the processing of his personal data which we carry out for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR, unless such processing is necessary to fulfil a task in the public interest.

To exercise the right to object, the data subject may contact our Data Protection Officer directly or another employee. Furthermore, the data subject may exercise his right to object in connection with the use of information society services, Directive 2002/58/EC notwithstanding, by means of automated procedures using technical specifications.

h) Automated decisions in individual cases including profiling

Every data subject whose personal data are processed has the right granted by the European body issuing directives and regulations not to be subject to a decision based exclusively on automated processing – including profiling – which has legal effect against him or significantly affects him in a similar manner, provided that the decision is not necessary for the conclusion or fulfilment of a contract between the data subject and the controller, or is admissible under Union or Member State law to which the controller is subject, and that such law contains appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject or is made with the data subject’s express consent.

Where a decision is necessary for the conclusion or fulfilment of a contract between the data subject and the controller or is made with the express consent of the data subject, we will take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention on the part of the controller, to express his point of view and to contest the decision.

If the data subject wishes to exercise rights with regard to automated decisions, he may contact our Data Protection Officer or another employee of the controller at any time.

i) Right to withdraw the data protection consent 

Every data subject whose personal data are processed has the right granted by the European body issuing directives and regulations to withdraw consent to the processing of personal data at any time.

If the data subject wishes to exercise his right to withdraw consent, he may contact our Data Protection Officer or another employee of the controller at any time.

j) Right to call the Federal Commissioner for Data Protection

Every data subject whose personal data are processed also has the right to call the Federal Commissioner for Data Protection. His current contact details are:

The Federal Commissioner for Data Protection and Freedom of Information, P.O. Box 14 68, 53004 Bonn, Germany
Street address: Husarenstrasse 30, 53117 Bonn Tel. +49 (0) 228 997799-0, Fax +49 (0) 228 997799-550, 
E-mail: referat11@bfdi.bund.de, Internet: http://www.datenschutz.bund.de  

 

11. Data protection in applications and in the application process

The controller collects and processes the personal data of applicants for the purpose of executing the application procedure. Processing may also be carried out electronically. This is particularly the case if an applicant sends application documents to the controller by electronic means, for example by e-mail or via a web form on the website. If the controller concludes an employment contract with an applicant, the data transferred will be stored for the purpose of executing the employment relationship, in compliance with statutory regulations. If the controller does not conclude an employment contract with the applicant, the application documents will be automatically erased six months after notification of the rejection, provided that the controller has no other legitimate interests that would prevent erasure. Another legitimate interest in this regard is, for example, a burden of proof in proceedings under the General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz – AGG).

 

12. Legal basis of processing

Art. 6 (1) a) GDPR serves our company as a legal basis for processing where we obtain consent for a specific processing purpose. Where the processing of personal data is necessary for the fulfilment of a contract to which the data subject is a party, as is the case, for example, with processing necessary for the delivery of goods or the provision of other services or rewards, the processing is based on Art. 6 (1) b) GDPR. The same applies to such processing that is necessary to carry out pre-contractual measures, for example in the case of enquiries about our services. Where our company is subject to a legal obligation which requires the processing of personal data, for example to fulfil tax obligations, the processing is based on Art. 6 (1) c) GDPR. In rare cases, the processing of personal data may become necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured on our premises and his name, age, health insurance information or other vital information had to be passed on to a doctor, a hospital or other third party. The processing would then be based on Art. 6 (1) d) GDPR. Finally, processing can be based on Art. 6 (1) f) GDPR. Processing which is not covered by any of the aforementioned legal bases is based on this legal basis if processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not outweigh these. We are permitted to carry out such processing in particular because it has been specifically mentioned by the European legislator, which took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (Recital 47, Sentence 2 GDPR). 

 

13. Legitimate interests in the processing pursued by the controller or a third party

If the processing of personal data is based on Art 6. (1) f) GDPR, it is in our legitimate interest to conduct our business for the well-being of all of our employees and our shareholders.

 

14. Duration for which personal data are stored

The criterion for the duration of the storage of personal data is the respective legal retention period. After the expiry of this period, the data will be routinely erased, provided that they are no longer required for the fulfilment or initiation of the contract.

 

15. Recipient of personal data / transfer to third countries

Pursuant to Art. 4 (9) GDPR, only the company and, in individual cases, any entitled recipients such as public authorities or partner companies or suppliers (e.g. website providers) are deemed recipients of personal data collected. 

No transfer of personal data to a third country will takes place, with the exception of the information mentioned under point 9 “Google Analytics”. 

 

16. Legal or contractual regulations on the provision of personal data; necessity for the conclusion of the contract; obligation of the data subject to provide personal data; possible consequences of failure to provide personal data

The provision of personal data may be required by law (e.g. tax regulations) or may result from contractual regulations (e.g. information about the contractual partner). In some cases, a data subject may need to provide us with personal data, which must subsequently be processed by us, for the conclusion of a contract. For example, the data subject is obliged to provide us with personal data if our company enters into a contract with him. Failure to provide personal data would mean that the contract could not be concluded with the data subject. Prior to the provision of personal data by the data subject, the data subject may contact our Data Protection Officer. Our Data Protection Officer will inform the data subject on a case-by-case basis whether the provision of personal data is required by law or contract or necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and what consequences the failure to provide personal data would have. 

 

17. Existence of automated decision-making

As a responsible company, we do not carry out automatic decision-making or profiling.

 

18. Data Protection Officer

You can contact our Data Protection Officer by e-mail at dsb@railpool.eu or by telephone: +49 (0)89 51 08 57 71 13.

 

 

Source: Gerrman Society for Data Protection https://dg-datenschutz.de and eRecht24 www.e-recht24.de

 

 

Privacy Policy last updated: 20/04/2018.