Privacy Policy

PRIVACY POLICY OF PERSONAL DATA

Users' personal data is subject to processing under the responsibility of Marie-Hélène Bonneau, Head of UIC Security Division.

UIC has appointed a representative for data protection. The representative may be contacted at: dpo@uic.org

 

Collected data is intended for UIC usage only and may be communicated only to the following recipients: AKABIA and OVH in their capacity as subcontractors, and users of the platform.

Some of these recipients are situated outside of the European Union, most notably the following: users of the platform located in a country outside of the European Union. The following data is communicated to such recipients: surname, first name and company, full contact details and biography. This data is transmitted to recipients located outside of the European Union in order to facilitate communication between the users of the platform. The following safeguards have been implemented to ensure a sufficient level of protection of personal data: contractual conditions for data storage agreed with the subcontractors, AKABIA and OVH (see also above, paragraph on Data security).

 

Which personal data are collected and How? On which legal basis?

The International Union of Railways shall only process personal data collected from users. It shall collect the following information, required for the website’s proper functioning, at a minimum: Surname/First Name/Company/Professional email address/Country

The user also has the option of providing the following additional information: Role/Department/Office Landline/Professional Mobile Phone/Professional Address/Professional Interests, Areas of expertise, Biography, Social media profiles URLs (X, LinkedIn), as well as an image/photograph. This data is obtained from the voluntary disclosure made by the natural person concerned, and may be modified by the user at any time in his or her personal account under “My profile”.

Personal data are collected from users on the legal basis of content and execution of a contract. Collection of such personal data from users enables users, in particular, to:

  • create a user area and complete and make changes to it at any time,
  • obtain access to, information on UIC and UIC Security Division
  • access groups, registered companies and users' profiles
  • read news and discussion threads, consult event calendars, download files, have access to links and all of the information provided in groups,
  • be contacted by UIC Security Division,
  • contact UIC in relation to the Rail Security Hub’s functionalities.

For what purpose?

Data is processed in order

The voluntary participation of UIC members and partners in the Security Platform serves as the legal basis for data processing.

You may withdraw your consent at any time, bearing in mind that withdrawal of consent cannot be applied retrospectively to data that has already been processed.

The personal data is processed by the International Union of Railways and its subcontractors Akabia (maintenance) and OVH France (servers) for the following purposes:

  • To manage authorizations and rights of access to information
  • To enable communication between users of the platform.
  • To allow users to subscribe to groups,
  • For sending notifications to users in relation to events, news, files and, more generally, all information requested by the user. The user may choose to no longer receive such notifications at any time by going to “My Notifications” in his/her “My Bookmarks” area.
  • To ensure the general proper functioning of the Rail Security Hub as a collaborative tool.
  • This personal data may be used by the International Union of Railways to send promotional material or information on events to users on a non-for-profit basis, and also for statistical purposes.

It is specified that the data are consulted in the European Union and outside the European Union given the international nature of the association. The owners of personal data consent to this use, including outside the European Union, without which it is not possible to fulfill the contract that binds them to the UIC in the context of the extranet.

Right to rectification, restriction and erasure

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereafter referred to as the “European General Data Protection Regulation” or GPDR), as well as French law no. 2018-493 of 20 June 2018 on the protection of personal data, the user has the right to access, modify or delete information pertaining to him/her. Please note that withdrawal of consent cannot be applied retrospectively to data that has already been processed.

To exercise this right, simply log in to your user account to modify your personal information. You can also ask for processing and portability of your data to be limited, object to processing of your data, and request that your data be deleted in full by contacting us at. security@uic.org or dpo@uic.org.

You can also lodge a complaint with the French data protection supervisory authority, the Commission Nationale Informatique et Libertés (CNIL).

Data retention periods

The personal data described above is stored for as long as is necessary for proper functioning of the application. Such data shall be retained for as long as your user account is active. If there is no activity on your user account for a full year, your data will be deleted.

You can create a new account at any time by filling out the online form, which is accessible via the homepage: https://railsecurityhub.org

Liability

The International Union of Railways cannot be held liable in the event of transmission by the user of his/her access codes to third parties, whether intentional or unintentional. The user must keep such codes in a safe place. Use of the codes by a third party may result in the disclosure, alternation or deletion of the user’s personal data.

The International Union of Railways undertakes to guarantee that personal data is kept confidential and to ensure that persons authorised to process personal data:

  • undertake to respect confidentiality or be subject to an appropriate legal obligation of confidentiality,
  • receive the required training on protection of personal data,
  • take account of the principles of data protection by default.

Data security

In addition, the International Union of Railways has engaged AKABIA/OVH to host its website(s) in order to ensure the security of the personal data provided by its clients.

  • Our users’ data is stored exclusively in France or in the European Union.
  • The servers used are located in data centres certified in accordance with environmental standards (ISO 14001), quality standards (ISO 9001) and information security standards (ISO 27001).
  • The software and physical infrastructure used to host our websites are designed to guarantee absolute data security (antivirus, switches, routers, servers and redundant firewalls).
  • Native encryption of passwords is performed by the application. Administrators do not have access to passwords. If the user loses his/her password, he/she can reset it using the “Lost Password” button on the Extranet homepage. In the event of unauthorised access to your account, contact the administrator immediately at security@uic.org
  • the application is backed up daily over 14 days, monthly over 12 months and annually over 5 years. It is therefore possible to request a restoration of the file(s) under certain conditions. To do so, contact security@uic.org  

Article 8: Cookies

When you consult the International Union of Railways websites, data on traffic and cookies files is stored on your computer in order to analyse visits to the website’s information pages internally so that we can improve content and to compile statistics (pages visited, time visited, etc.). These data are anonymised according to the French and European legislation. They are deleted 1 month after visit.


You can manage the settings for storing cookies from your browser, or clicking on this link

 

The voluntary participation of UIC members and partners in the Security Platform serves as the legal basis for data processing.

In addition, if you believe that your data has been processed in a way that constitutes a breach of regulations, you have the right to file a complaint with the CNIL (the French Data Protection Authority) or the supervisory authority in the State in which you habitually reside, your workplace or the location in which the breach of regulations is believed to have taken place.