Privacy Policy

Privacy Policy

At UIC, we make it a point of honour to treat your personal data with the utmost confidentiality and security and in accordance with the European and French legislation in force, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the French Law ‘Informatique et Libertés’ of 1978, amended by the law of 20 June 2018 on the protection of personal data (hereinafter the “GDPR”).

This privacy policy is intended to inform you about the personal data we collect, the purpose for collecting it, the way we use it and the rights you have regarding the processing of such data.

1. WHO IS RESPONSIBLE FOR PROCESSING YOUR DATA AND HOW CAN YOU CONTACT US?

The Union Internationale des Chemins de fer, a French non-profit making association with its registered address at 16 rue Jean Rey, 75015 Paris, France and registered under SIRET number 784 601 841 00017 (hereinafter “UIC” or “we” or “us”), is the data controller of the personal data it collects from you. We are responsible for your personal information.

If you have any concerns, questions or comments about this privacy policy or your personal data, you can contact us by email at dpo at uic.org or by writing to us at UIC, 16 rue Jean Rey, 75015 Paris, France.

2. WHAT PERSONAL DATA DO WE COLLECT?

Our collection is systematically governed by the principle of minimisation. We may collect different types of personal information about you, depending on the reasons or purposes for which you provide us with your personal information (see section 3 below):

• General identifiable information such as your last name, first name, occupation, position, gender, language, job title, social media account (Facebook, LinkedIn and Twitter), fax, business address, photograph, telephone number, email address or similar;
• Where payment is required, your bank details (credit card number, IBAN and BIC/SWIFT) and billing details;
• Personal information that we are required to collect from you by law, such as any personal information that the law requires us to collect from our employees for social security, insurance, etc;
• Other categories of personal information, but only to the extent strictly necessary to achieve the purpose for which we collected it (for example, passport information is sometimes required for travel arrangements for certain events).

3. WHY DO WE COLLECT YOUR DATA?

We collect your information for different reasons:

3.1 For any reason related to our statutory purpose and core activities as described on our website www.uic.org, to keep you informed about UIC, our activities and relevant industry information and news, to invite you to and organise events, to properly perform the services you request from us, to improve the quality of our products and services where possible, to respond to your reasonable expectations and, more generally, to facilitate communication and cooperation with you where and when this is necessary or deemed useful.

3.2 We may also use your information for analysis and customer profiling.

3.3 We may also collect your personal data for purely administrative, organisational or operational purposes, for example, to identify you as a contact person, legal representative of a company or similar legal entity or for recruitment purposes.

3.4 We may also collect personal data to comply with any applicable law, regulation, legal process or enforceable governmental request and/or where necessary to prevent fraud.

4. ON WHAT LEGAL BASIS DO WE COLLECT YOUR DATA?

The legal basis for processing your personal data is

• Your consent,
• Performance of a contract,
• Compliance with a legal obligation to which we are subject, and
• In our legitimate interest, e.g. to keep you informed about UIC, our activities and relevant industry information and news, to invite you to and organise events, to properly perform the services you request from us, to improve the quality of our products and services where possible, to respond to your reasonable expectations and more generally to facilitate communication & cooperation with you where and when this is necessary or deemed useful. We may also use your information for analysis and customer profiling.

5. HOW DO WE COLLECT YOUR DATA?

5.1. Directly from you.

Most of the personal information we obtain from you will be through your active involvement. We may collect your personal data by e-mail or other electronic means, via our website, our collaborative platform “extranet”, by telephone, by post, or via your business card which you have given to one of our employees or representatives.

Where required by law, we will obtain your prior consent before processing your personal data.
We will not collect personal data directly from minors under the age of 16 unless we have the consent of an adult who has legal custody of the minor.

5.2 Indirectly via other sources.

We may collect personal data from you through other sources, such as platforms or databases where you have made your personal data available to the public (e.g. LinkedIn, etc.), through third parties, such as database providers, partners with whom we work, the employer you work for, your colleagues, public authorities and generally any other source other than you.

Where we obtain personal data from you from a source other than yourself, we will seek reasonable assurances from that source that your personal data has been collected by that third party in accordance with data protection legislation and that, where necessary, your consent has been obtained to share your personal data with us and to allow us to use it for the purposes we have in mind.

5.3. Automatically — Use of cookies.

Each time you access and browse one of our websites as a visitor and/or to use the services we offer through our website, we automatically collect personal data from you through the use of cookies.

A cookie is a small piece of data stored in your web browser while you are browsing on one of our websites. When you browse the website(s) again in the future, the data stored in the cookie can be retrieved to notify us of your previous activity.

Our cookies do not store personal information such as your name or your address. We use cookies to enhance the functionality of our websites by storing your preferences, for example. We also use cookies to improve the performance of our websites to provide you with a better user experience.

For more information about the cookies we use, the different types of cookies we use and the way you can manage them, please see our cookie policy at Cookies | UIC - International union of railways.

6. HOW DO WE PROTECT YOUR PERSONAL DATA?

We have invested in a state-of-the-art IT infrastructure that allows us to protect your personal data to the maximum extent possible against theft, loss and any illegal use.

Some of our websites (such as our collaborative Extranet platform) are hosted in a private cloud in France, in compliance with the highest IT (ISO 27001) and environmental (ISO 14001) standards.

We constantly develop and improve internal security and data protection policies, which contains strict guidelines and manuals for our personnel with regards to an appropriate treatment of personal data.

We regularly organize information and training sessions for our personnel.

7. HOW LONG DO WE STORE YOUR DATA?

We will delete or anonymize your personal data completely and irreversibly:

• as soon as the goal for which your personal data have been collected and processed is fully achieved and/or
• at your specific request (see in this respect section 9 below on your rights with regards to the processing of your personal data).

Unless we are required to keep your personal data longer to:

• Satisfy any applicable law, regulation, legal process or enforceable governmental request
• Detect, prevent or otherwise address fraud, security or technical issues.
• Protect against harm to the legal rights and interests of UIC or its members and stakeholders as required or permitted by law.

8. DO WE SHARE YOUR PERSONAL DATA WITH OTHERS?

8.1 For organizational, administrative and efficiency reasons

We might share personal data with certain external service providers and partners where we deem this necessary or useful to duly perform the services to you and/or organize and optimize the efficiency of our activities.

We may e.g. rely on – and share your personal data with – third parties for technical services, such as external IT hosting providers, cloud service providers, external IT maintenance providers or for organizational purposes such as event organizers, providers of platforms for e-mail surveys, travel agencies, etc.

8.2. For legal and/or security reasons

We might share your personal data with outside companies, organizations, authorities or individuals if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

• meet any applicable law, regulation, legal process or enforceable governmental request.
• detect, prevent, or otherwise address fraud, security or technical issues.
• protect against harm to the legal rights and interests of UIC or its members and stakeholder as required or permitted by law.

8.3. Not for third party’s commercial, promotional or marketing purposes

We will not disclose or share your personal data with third parties for their own commercial, marketing- or promotional purposes unless we would have obtained your consent thereto.
We will not share any sensitive data about you with third parties without your explicit consent.

9. ARE YOUR DATA SECURE WITH UIC’S EXTERNAL PARTNERS?

UIC always remains liable towards you for the secure processing of your personal data by external parties to whom it has granted access to the personal data it collected from you.
We only share your personal data with external parties who can evidence and commit to adequate protection of your personal data at the same – or at least at a similar – level as UIC and we will seek sufficient contractual guarantees to this effect.

We only transfer personal data to third parties in a non-EU country, only when that country provides an adequate level of protection within the meaning of the legislation in force, and, in particular the GDPR or within the limits permitted by the legislation in force, for example by ensuring the protection of data by appropriate contractual provisions. YOUR RIGHTS – OUR OBLIGATIONS: ACCESS, RECTIFICATION, ERASURE, RESTRICTION, PORTABILITY, OBJECTION OF AUTOMATED PROCESSING, COMPENSATION in case of DATA BREACH.

We take all reasonable steps to ensure that your personal data is kept accurate and up-to date for the purposes for which it was collected.

• You have the right to always be informed about your personal data, free of charge.
• You can at any time require access to your personal data, have them corrected and/or updated.

We will provide you with the ability to object to the processing of your personal data if such processing is not reasonably required for a legitimate business purpose as described in this policy or our compliance with law.

Where appropriate, we will also provide an opt-out box or- link if you do not longer want to be included in our database. For example, if you no longer want to receive our newsletter.
Requests to restrict the use of your personal data and/or to delete your personal data will be subject to any applicable legal and ethical reporting or document filing or retention obligations imposed on us.

You also have the right to ask us to transfer your personal data to another data controller.
You have the right to lodge a complaint with your national supervisory authority. In France, this authority is represented by CNIL https://www.cnil.fr/.

If you wish to contact us regarding our use of your personal data or object to the processing of your personal data, please contact us at dpo at uic.orgor in writing by sending a letter to UIC DPO, 16 rue Jean Rey 75015 Paris, France.

10. CHANGES AND UPDATES TO THIS PRIVACY POLICY

You are invited to carefully read this policy and to revisit this page periodically to stay aware of any changes to this privacy policy, which we may update from time to time to be able to comply with any changes in existing applicable legislation, decisions, recommendations, guidelines and best practices issued by the European Data Protection Board and/or other competent authorities with regard to the implementation or interpretation of applicable legislation.