Information note on personal data protection - Sale of international tickets or passes

Personal data protection

Introduction 1. Who is the controller? 2. Which categories of personal data are processed and for what purposes? 3. How do we collect, process and use your data? 4. Who has access to your data? 5. Where are your data processed? Are your data transferred? 6. How long do we store your data? 7. What are your rights in relation to your personal data? 8. How do you contact us and exercise your rights? 9. How do we update this information notice?
Introduction 1. Qui est le responsable du traitement ? 2. Quelles catégories de données à caractère personnel sont traitées et pour quelles finalités ? 3. Comment collectons, traitons, utilisons-nous vos données ? 4. Qui a accès à vos données ? 5. Où vos données sont-elles traitées, vos données sont-elles transférées ? 6. Pendant combien de temps conservons-nous vos données ? 7. Quels sont vos droits à l’égard de vos données à caractère personnel ? 8. Comment nous contacter et exercer vos droits ? 9. Comment mettons-nous à jour la présente notice d’information ?
Introduction 1. Qui est le responsable du traitement ? 2. Quelles catégories de données à caractère personnel sont traitées et pour quelles finalités ? 3. Comment collectons, traitons, utilisons-nous vos données ? 4. Qui a accès à vos données ? 5. Où vos données sont-elles traitées, vos données sont-elles transférées ? 6. Pendant combien de temps conservons-nous vos données ? 7. Quels sont vos droits à l’égard de vos données à caractère personnel ? 8. Comment nous contacter et exercer vos droits ? 9. Comment mettons-nous à jour la présente notice d’information ?
Introduction 1. Who is the controller? 2. What categories of personal data are processed and for what purpose? 3. How do we collect, process and use your data? 4. How long do we keep your data? 5. Who can access your data? 6. Where do we process your data and where do we transfer them? 7. What are your rights regarding your personal data? 8. How to contact us and how to exercise your rights? 9. How do we update this information note?
Introduction 1. Qui est responsable du traitement ? 2. Quelles catégories de données à caractère personnel sont traitées et pour quelles finalités ? 3. Comment collectons, traitons, utilisons-nous vos données ? 4. Qui a accès à vos données ? 5. Pendant combien de temps conservons-nous vos données ? 6. Quels sont vos droits à l'égard de vos données à caractère personnel ? 7. Comment nous contacter et exercer vos droits ? 8. Comment mettons-nous à jour la présente notice d'information ?
Introduction 1. Who is the controller? 2. What categories of personal data are processed and for what purpose? 3. How do we collect, process and use your data? 4. Who can access your data? 5. How long do we keep your data? 6. What are your rights regarding your personal data? 7. How to contact us and how to exercise your rights? 8. How do we update this information note?
Introduction 1. Who is the controller? 2. Which categories of personal data are processed and for what purposes? 3. How do we collect, process and use your data? 4. How long do we store your data? 5. Who can access your data? 6. Where do we process your data? Is your data transferred? 7. What are your rights in relation to your personal data? 8. How do you contact us and exercise your rights? 9. How do we update this information notice?
Introduction 1. Qui est le responsable du traitement ? 2. Quelles catégories de données à caractère personnel sont traitées et pour quelles finalités ? 3. Comment collectons, traitons, utilisons-nous vos données ? 4. Pendant combien de temps conservons-nous vos données ? 5. Où vos données sont-elles traitées ? Vos données sont-elles transférées ? 6. Quels sont vos droits à l'égard de vos données à caractère personnel ? 7. Comment nous contacter et exercer vos droits ?
Introduction 1. Who is the controller? 2. Which categories of personal data are processed and for what purposes? 3. How do we collect, process and use your data? 4. How long do we keep your data? 5. Who can access your data? 6. What are your rights regarding your personal data? 7. How to contact us and how to exercice your rights?
Introduction 1. Who is the controller? 2. What categories of personal data are processed and for what purpose? 3. How do we collect, process, and use your data? 4. Who can access your data? 5. How long do we keep your data? 6. What are your rights regarding your personal data? 7. How to contact us and how to exercise your rights?
Modify your choice relating to cookies Information note on personal data protection - Cookies 1. What is a cookie? 2. Who is the controller? 3. Which are the cookies used and for what purposes are they in place? 4. Where do we process your data and where do we transfer them? 5. What are your rights? 6. How to contact us and how to exercise your rights

Introduction

The CFL care about their customers.
Thus, the protection of your personal data naturally constitutes a priority for the CFL, or any entity of the CFL group who has to process your personal data for the purpose of its activities.
This note provides you with the necessary information and explains to you how we collect, use, share, store and protect your personal details. It also informs you on your rights and on how to exercise them.

1. Who is the controller?

The controller differs according to the purchased product.

Trips to or from France

The controller is the SNCF. For more information on the processing of your data by the SNCF, you may consult its information notes available online:

- https://www.sncf-connect.com/en-en/legal-information/privacy
- https://www.ter.sncf.com/grand-est/conditions-de-vente [in French].

The CFL act as a processor of the SNCF and will therefore transmit your personal data to the SNCF for the issuance of the tickets.

Trips with Eurail – Interrail Pass

The controller is Eurail. For more information on the processing of your data, we invite you to consult its information note available online: https://www.interrail.eu/en/terms-conditions/privacy-and-cookie-statement .

Trips to and from Belgium, Germany, Austria, England, Switzerland, Denmark, France (for specific tickets) and the Netherlands

The CFL are the controller for the processing of personal data in this context.

In some cases, we share your personal data with other transportation companies, which also become controllers as soon as they receive your data.
For example, if you book a trip from Luxembourg to London with the CFL, you will travel on a service provided by the CFL/SNCB (Belgian rail company) until Brussels, and then on a Eurostar service to your final destination. We are thus compelled to transmit your personal data to the operators carrying out the different trips in order for you to benefit from the requested service.
In this case, Eurostar is also controller.

2. What categories of personal data are processed and for what purpose?

The mission of the Société Nationale des Chemins de Fer Luxembourgeois (CFL) is to ensure passenger transportation. Moreover, the CFL give priority to efforts made to guarantee the highest possible level of security to all their clients.
To fulfil these missions, we collect and process some of your personal data.
According to the type of intended purpose and according to the requested ticket or pass, the categories of personal data are the following:

surname, first name, address, phone number, e-mail address,
birth date,
number of the ID or any other administrative document enabling identification,
credit card or bank account numbers in connection with the purchase of a service,
data on the composition of your household,
information on the trip.

The CFL undertake to ensure that the data are collected for the determined purposes and that they are processed in an adequate and relevant way, and only to the extent necessary as regards the intended purpose.
The intended purposes are the following:

managing the products and services you have subscribed to,
invoicing and accounting,
control the regularity of tickets (fight against fraud and ensure the identity of the passenger).

3. How do we collect, process and use your data?

We collect and use the personal data you provide us with when using our services.
For each purpose described above, the collection and processing

are performed in compliance with applicable laws and regulations regarding the protection of personal data, including the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)), the related guidelines as well as the national laws implementing the GDPR, as the case may be,

are legally justified

by the fact that it is necessary to process your personal data for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract,
on the basis of your consent,
by the fact that the processing is necessary for compliance with a legal obligation to which we are subject in our quality as controller,
by an interest that is recognised as legitimate, or
by the fact that the processing of your data is necessary to carry out a mission of public interest we have been entrusted with (public transportation).

4. Who can access your data?

We make sure that your personal data are processed in accordance with the above-mentioned purposes.
The data will be shared with some of our internal departments in strict compliance with the missions these departments have been entrusted with:

Directorate for Travel Activities (Direction Activités Voyageurs),
Directorate for Administration and Finance (Direction Administratif et Financier),
Unit Legal affairs and Insurances (Division Juridique et Assurances).

CFL may transfer your personal data outside the European Union. In this case, we contractually impose on service providers guarantees of security and confidentiality concerning your personal data by means of appropriate technical and organisational measures, such as standard contractual clauses, in accordance with European regulations, and we ensure that these guarantees are respected.

We acknowledge the invalidation of the privacy shield. We are taking the necessary steps to ensure that the level of protection of your personal data to the United States remains adequate

5. How long do we keep your data?

We keep your personal data as long as they are necessary to achieve the purpose of their processing and as long as it is necessary for us to fulfil our obligations resulting from any statute of limitations and/or any other legal provision.

6. What are your rights regarding your personal data?

Under the conditions foreseen by regulation, you can

access to the personal data we hold on you,
have the data rectified if they are inaccurate or incomplete,
have the data erased, in some cases, such as, for example, each time your data are not necessary for the intended purpose, and we do not have the contractual or legal obligation to keep them,
ask for the restriction of the processing of your personal data, such as the restriction of the processing of an item whose accuracy you deny and for the time we need to verify your request,
ask for the portability of your personal data in order to have your personal data transmitted to you in a structured, commonly used and readable format, or to have it transmitted to another controller,
withdraw your consent to the processing of your personal data at any time (unless the processing is based on a legal ground other than your consent), without affecting the lawfulness of the processing based on your consent given before its withdrawal,
object to the processing of your data based on the sole pursuit of our legitimate interests and prohibit us from processing them, including for direct marketing,
file a complaint with the authority in charge of the protection of personal data in your country and/or in the Grand Duchy of Luxembourg (Commission Nationale pour la Protection des Données – CNPD, established in 15, boulevard du Jazz, L‑4370 Belvaux – https://cnpd.public.lu/en).

7. How to contact us and how to exercise your rights?

You may address your questions relating to the processing of your personal data and/or a request regarding the exercise of your rights mentioned above to the Data Protection Officer (DPO) of the CFL:

on our website www.cfl.lu by clicking on the link gdpr.cfl.lu,
or by regular mail for the attention of the Data Protection Officer (DPO), Société Nationale des Chemins de Fer Luxembourgeois (CFL), 16 boulevard d'Avranches, BP 1803, L-1160 Luxembourg.

Any complaint relating to the processing of your personal data can be sent to the postal address above, or to the Luxembourgish supervisory authority, the Commission Nationale pour la Protection des Données – CNPD, established in 15, boulevard du Jazz, L‑4370 Belvaux – https://cnpd.public.lu/en.

8. How do we update this information note?

In order to best comply with applicable regulation, the CFL undertake to update this information note as often as it is necessary.
The last effective version of the information note is always available when you come to the CFL ticket counters and can also be consulted on the CFL website (www.cfl.lu).