1. General

The Rail Cargo Group (“RCG” or “we”) – Rail Cargo Austria AG, 1100 Vienna, Am Hauptbahnhof 2, FN 248731g and its subsidiaries – takes the protection of your personal data and the processing of this data in compliance with data protection regulations very seriously. In this data privacy statement, we explain how we as the data controller collect, potentially pass on and use personal data about you and how you can exercise your rights as a data subject.

1.1 If you have any questions regarding the use of your personal data by us, please contact us via our data protection officer at datenschutz@railcargo.com or by post to “Rail Cargo Austria AG, Legal Affairs, Attn: Data Protection Officer, Am Hauptbahnhof 2, 1100 Vienna”. 
 

2. Types of personal data and purposes of processing

2.1 Personal data which you provided to us on a voluntary basis

2.1.1 If we require any further personal data, we will inform you accordingly about the types and respective purposes of processing upon collection of such data

2.2 Personal data which we collect automatically, cookies and similar technolog

2.2.1 Please refer to our terms of use for our website regarding personal data, which we may collect in the course of your visit of our website or the use of cookies and similar technology.

2.2.2 The systems made available to your customers and business partners by RCG record system and application logs to the extent customary and only for the performance of any error analysis. Relevant personal data include the IP-address and, depending on the used system, the user’s browser, if applicable. The legal basis for the processing of such personal data is RCG’s legitimate interest in ensuring network and data security as well as the functioning of the systems which is not overridden by the interests or any fundamental rights and freedoms of the data subject (Art 6 para 1 lit f General Data Protection Regulation (“GDPR”).

2.3 Personal data obtained from external sources

2.3.1 From time to time, We may obtain personal data from external sources (such as personal data from publicly available registers, e.g. the business or land register, from any information published on your company’s or organisation’s website, or if you contact one of ÖBB’s group companies with any request/complaint forwarded to us by the respective group company). In this regard We will review whether such third parties have obtained your consent or are lawfully entitled or legally required to disclose any such personal data.

2.3.2 The types of personal data collected by us include personal data disclosed in public registers or your contact details obtained from other publicly available sources such as company websites. We will use the personal data received from such third parties for the following purposes:

• to maintain and improve the accuracy of our records of your personal data,
• to process any request/complaint relating to us.

3. Recipients of personal data

3.1 We use an internal Group matrix organisation (Rail Cargo Group) comprising Rail Cargo Austria AG, Rail Cargo Logistics – Austria GmbH, Rail Cargo Logistics – Environmental Solutions GmbH, Rail Cargo Logistics GmbH and Rail Cargo Operator – Austria GmbH as well as our international subsidiaries within which customer and supplier data is exchanged.  

3.1.1 Customer data is exchanged between companies within the Group matrix organisation in order to respond to enquiries and submit offers; this takes place as part of joint customer relationship management (CRM) as a shared responsibility (Art. 26 GDPR). 

3.1.2 Supplier data and the purchasing conditions at the respective supplier are stored centrally and can be viewed within the Group matrix organisation in order to obtain a Group-wide overview of the purchasing volume at the respective supplier and to submit combined offers to customers, including suppliers as subcontractors.  

3.1.3 Access by individual employees to the data transmitted within the Group matrix organisation is limited to the extent necessary for their work. All employees who have access are informed that the information in the CRM may be personal data and/or current or future-relevant information of strategic importance and may only be used for the purpose of performing the respective tasks in the functional area and, in particular, that it may not be transmitted to (or otherwise made available to) unauthorised persons or bodies. 

3.2 Irrespective of this data exchange within the Group matrix organisation, we may transfer your personal data to the following categories of recipients: 

3.2.1 Our group companies, processors and partners who provide data processing services to us or who otherwise process personal data for the purposes described in this Data Privacy Statement or of whom you are notified when we collect your personal data. Our central contract processor for information technology services (e.g., operation of IT systems, technical maintenance and fault clearance) is ÖBB-Business Competence Center GmbH, Lassallestraße 5, 1020 Vienna, FN 248730 f, a company of the ÖBB Group. The data processors may only process the data provided to them according to our instructions and to the extent necessary to provide services for us. We contractually oblige these processors to guarantee the confidentiality and security of the personal data processed as part of the contract. A list of the most important companies in the ÖBB Group can be found here. 

3.2.2 A competent law enforcement authority, a supervisory authority or government agency, a court or other third party whenever disclosure is necessary (i) to comply with applicable laws or regulations, (ii) for the exercise, protection or defence of our legal rights, or (iii) for the protection of your vital interests or the vital interests of another person 

3.2.3 A prospective buyer (and its agents and advisers) in connection with a proposed purchase, merger or acquisition of our company (or any part of it), provided that we inform the buyer that it may only use your personal data for the purposes set out in this privacy notice 

3.2.4 Any other person, provided that you consent to the disclosure 

3.3 The level of data protection in other countries outside the EEA may not be the same as within the EEA. However, we will only transfer your personal data within the EEA and to countries for which the European Commission has decided that they have an adequate level of data protection, or we will take measures to ensure that all recipients in third countries guarantee an adequate level of data protection. One possible way that we will do this is by concluding the standard contractual clauses issued by the European Commission with these recipients.  

4. Legal basis for the processing of personal data

4.1 The legal basis for collecting and processing personal data depends on the specific context in which we collect it. 

4.2  As a rule, we will only process your personal data if we have your consent to do so (Article 6 (1) (a) GDPR), if we need the personal data to fulfil a contract with you (Article 6 (1) (b) GDPR) or if we have a legitimate interest in processing it that is not overridden by your data protection interests or fundamental rights and freedoms (Article 6 (1) (f) GDPR). In some cases, it may be necessary to process your personal data in order to fulfil a legal obligation to which we are bound (Article 6 (1) (c) GDPR), such as statutory retention obligations. A more detailed description of which data will be processed for which purpose and on which legal basis can be found in the table under point 2.1 of this Data Privacy Statement.

4.3  If we process your personal data on the basis of other legitimate interests not mentioned above (or those of a third party), we will inform you of these legitimate interests at the appropriate time.

5. Retention of personal data

5.1  We store your personal data for as long as is necessary to fulfil the purpose or as long as contractual or legal obligations or legitimate interests exist (e.g. to provide a service you have requested, to comply with statutory retention obligations or to assert legal claims).

5.2  We will store the personal “customer data” referred to in point 2.1 for as long as this is necessary for providing our service and performing our pre-contractual measures, for as long as RCA has a legitimate interest or for as long as this is necessary for the pursuit or defence of legal claims or for the fulfilment of statutory retention obligations.   

5.3  We will store the personal “supplier data” referred to in point 2.1 for as long as this is necessary for providing our service and performing our pre-contractual measures or for as long as this is necessary for the pursuit or defence of legal claims or for the fulfilment of statutory retention obligations.   

5.4  Once there are no legitimate purposes for the further storage of personal data, it will either be deleted or anonymised. If this is not possible (because your personal data has been stored in backup archives, for example), we will store your personal data securely and not make it accessible for further processing until deletion is possible. 

6. Rights of data subjects

6.1  In accordance with the statutory provisions, you have the right to be informed about the data concerning you, have it rectified or erased, restrict its processing or object to its processing, to have it provided on a portable data carrier and to lodge a complaint with a supervisory authority. The data protection authority responsible for this is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, which you can contact at +43 1 52152 0 or by e-mail at dsb@dsb.gv.at.

6.2  If we process your personal data on the basis of your consent, you may withdraw your consent at any time. The withdrawal of your consent will have no effect on the lawfulness of the processing prior to your withdrawal.

6.3  If personal data is processed for direct marketing purposes not based on your consent, you have the right to object at any time to the processing of your personal data for such advertising; this also applies to profiling insofar as it is associated with such direct advertising.

6.4  To exercise these rights, please write to us at datenschutz@railcargo.com or by post to “Rail Cargo Austria AG, Legal Affairs Attn Data Protection Officer, Am Hauptbahnhof 2, 1100 Wien”. We will check your enquiry and respond accordingly.

6.5  You may also unsubscribe from any marketing communications that we send you. To do so, please click on the unsubscribe link in the marketing e-mails that we send you or unsubscribe from this mailing list by sending an e-mail to the e-mail address provided in the respective marketing e-mail. To unsubscribe from other types of marketing communication (e.g., by post or telephone), please contact us by post at “Rail Cargo Austria AG, Legal Affairs Attn Data Protection Officer, Am Hauptbahnhof 2, 1100 Vienna”.

7. Amendments of this Data protection declaration

7.1 We may update this Data protection declaration from time to time in light of legal, technical or business developments. Whenever we update our Data protection declaration, we will take appropriate measures to inform you depending on the importance of the changes made. We will obtain your consent for any substantial change we make to the Data protection declaration if and to the extent required by applicable data protection laws.