Data processing information

As of May 25, 2018

Rail Cargo Hungaria Zrt. as data Controller commits itself to comply with the provisions of this present data-processing information and the relevant legislation regarding its data processing activities performed during the visit of its homepage in connection with the personal data provided by the Users.

The purpose of this present information is to demonstrate the main principles and criteria of data processing in accordance in particular with the following:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation or GDPR),
  • Act CXII of 2011 on Information Self-determination and Freedom of Information
  • Civil Code

In the absence of contrary information the scope of this present Information does not cover data processing of webpages and providers which are linked to the homepage of the Controller; the Controller does not assume responsibility for such data processing.

Data processing information related to processing in connection with customer messages and job vacancies on the homepage are provided separately.

Data Controller

  • Name: Rail Cargo Hungaria Árufuvarozási Zártkörűen Működő Részvénytársaság
  • Seat: 1133 Budapest, Váci út 92.
  • Court of registration and registration number: Fővárosi Törvényszék Cégbírósága, Cg. 01-10-045318
  • Homepage: https://rch.railcargo.com/en (hereinafter: Homepage)

Scope of processed data

  • In case the User is visiting the Homepage, the Controller shall record the User’s
    • IP-address,
    • Furthermore the data of the User’s computer being generated during the visit of the Homepage shall be technically recorded. Those data are automatically logged by the system of the Controller.

Purpose of data processing

  • online content delivery on the Homepage,
  • technical development of the IT-system,
  • preparation of statistics and analyses,
  • protection of the rights of Users,
  • Enforcement of the Controller’s legitimate interests.

The Controller may not use the provided personal data for other purposes than for those specified in this section.

Nature and legal basis of data processing

When the User enters the Homepage, the system of the Controller records the User’s IP-address in regard to the legitimate interests of the Controller in order to provide services even without the separate consent of the User.  

The Controller performed a test of balance of interest in accordance with the relevant legal provision (GDPR) in order to substantiate that his legitimate interests for data processing override the liberties and rights of the Users (data subjects) in connection with data processing.  Upon request the Controller shall provide appropriate information about the substantiation of legal grounds.

The release of personal data to third parties or authorities is only possible under the decision of authorities or the under the prior express consent of applicants (unless otherwise provided in legislation).

Principles and means of data processing:

The Controller shall process personal data in accordance with the principles of good faith, fairness and transparency; the processing shall be carried out only for purposes set out in this present Information respectively in legislation.

In each case when the Controller wishes to use the personal data for purposes different from the original data collection he shall inform the applicant and shall obtain the applicant’s prior express consent therefor; respectively ensure that the applicant can prohibit the use of data.

The Controller shall inform the applicant concerned and all those, whom the personal data he transferred to beforehand about the rectification, restriction and erasure of personal data.  The information may be omitted if this in regard of the data processing does not prejudice the legitimate interest of the data subject.

The Controller shall take all technical and organisational measures which are laid down by relevant legislation for the security of data;

  • shall comply with the requirements set out in the rules of IT-security
  • shall submit the incoming set of data to virus checks and to other security screening
  • the Controller shall ensure that the personal data processed by him
    • are accessible only to persons entitled to their access,
    • remain authentic,
    • remain unchanged,
    • are protected against unauthorised access, use, change and distribution.

The Controller shall call each third party for the fulfilment of such obligations, who are recipients of data transfer.

The IT devices of the Controller are located in the server rooms at the Controller’s seat and sites.

Nature of data processing technology: data processing by IT-systems.

Data processing period: 5 years. After this period all personal data shall be erased by the Controller.

In case an authority our court orders the erasure of personal data in a final ruling the Controller shall execute the erasure. Instead of erasure the Controller, informing the User thereof, shall limit the process of personal data in case it was requested by the applicant or the erasure is likely to prejudice the legitimate interests of the User. The Controller shall not erase the personal data until the purpose of data processing which excludes the erasure of data still exists.

Source of data: data are being generated directly when the User is visiting the homepage

Data processor: none.

Transfer of data: not being made.

Rights of the User („data subject”) and means of exercise of rights

Right of access by the data subject
The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.

The data subject shall have the right to obtain information

  • whether his/her personal data is being processed
  • about the purposes of the processing
  • about the categories of personal data concerned
  • about the recipients to whom the personal data is going to be disclosed
  • about the period for which the personal data will be processed
  • about the right to lodge a complaint against the data processing
  • about the existence of automated decision-making, including profiling
  • whether personal data are transferred to a third country and where that is the case, about the appropriate safeguards

The Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form, unless requested otherwise by the data subject. For additional copies the Controller may charge a reasonable fee.

Right to rectification

The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. The data subject may request to have incomplete personal data completed.

Right to erasure (‘right to be forgotten’)

The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected,
  • the personal data have been unlawfully processed,
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;

Where the Controller has made the personal data public, he/she shall take reasonable steps to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The provisions above shall not apply, respectively the request for erasure may be denied to the extent that processing is necessary:

  • for exercising the right of freedom of expression and information ,
  • for compliance with a legal obligation  which requires processing by Union or Member State law, or in public interest,
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, 
  • for the establishment, exercise or defence of legal claims.

The Controller shall inform the data subject in every case about the refusal of his/her request for erasure, specifying the grounds for refusal.

Right to restriction of processing

The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject shall be informed by the Controller before the restriction of processing is lifted.

The Controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the data subject about those recipients if the data subject requests it.

Right to object

The data subject shall have the right to object, at any time to processing of personal data concerning him/her:

  • if the processing is necessary for the performance of a task carried out for reasons of public interest;
  • if the data are processed for the purposes of direct marketing, public opinion research or scientific research;
  • if the processing is carried out solely in accordance with a legal obligation to which the Controller is subject , or for the purposes of the legitimate interests pursued by the Controller or by a third party.

The Controller shall examine the lawfulness of the objection of the data subject, and in case the objection is determined by the Controller as reasoned the data processing shall be terminated. The Controller shall inform all those parties about the objection and the measures taken upon it, to which the personal data subject to the objection were transferred.

Ensuring the enforcement of rights of the data subject

  • The Controller shall take appropriate measures to provide any information and communication in an easily accessible and legible form, using clear and plain language.
  • The Controller considers the request for information credible in case the data subject is clearly identifiable according to the request.  
  • The Controller shall assess the requests without undue delay but no longer than within one month of receipt of the request by electronic means, unless otherwise requested by the data subject.That period may be extended when duly justified.
  • Necessary information and actions shall be provided by the Controller free of charge, unless requests from a data subject are manifestly unfounded or excessive.
  • In case the data subject does not agree with the decision of the Controller, he shall have the right to apply to the courts within thirty days after the notification about the decision.

  • In case of infringement of the rights of the data subject he may apply to the court against the Controller, the assessment of the case falls into the competence of regional courts which shall assess the case with priority. The data subject may as well launch legal proceeding at a competent regional court within whose territory the place of residence of the data controller is located.

  • the data subject shall have the right seek judicial remedy and complaint at the Hungarian National Authority for Data Protection and Freedom of Information:

For further information concerning data processing under this present Information and possible complaints you can reach Rail Cargo Hungaria Zrt. at one of the following contacts:

  • via email: rch@railcargo.com
  • via registered mail with proof of receipt: Rail Cargo Hungaria Zrt. ICT szervezet, 1133 Budapest, Váci út 92.

Budapest, May 25, 2018.

Rail Cargo Hungaria Private Limited Company

 

Data protection declaration Rai Cargo Group