Rail Cargo Hungaria Zrt. as data Controller commits itself to comply with the provisions of this present data-processing information and the relevant legislation regarding its data processing activities performed during the visit of its homepage in connection with the personal data provided by the Users.

The purpose of this present information is to demonstrate the main principles and criteria of data processing in accordance in particular with the following:

• Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation or GDPR),
• Act CXII of 2011 on Information Self-determination and Freedom of Information
• Civil Code

In the absence of contrary information the scope of this present Information does not cover data processing of webpages and providers which are linked to the homepage of the Controller; the Controller does not assume responsibility for such data processing.

Data processing information related to processing in connection with customer messages and job vacancies on the homepage are provided separately.

Data Controller

• Name: Rail Cargo Hungaria Árufuvarozási Zártkörűen Működő Részvénytársaság
• Seat: 1133 Budapest, Váci út 92.
• Court of registration and registration number: Fővárosi Törvényszék Cégbírósága, Cg. 01-10-045318
• Homepage: https://rch.railcargo.com/en (hereinafter: Homepage)

Scope of processed data

• In case the User is visiting the Homepage, the Controller shall record the User’s
  • IP-address,
  • Furthermore the data of the User’s computer being generated during the visit of the Homepage shall be technically recorded. Those data are automatically logged by the system of the Controller.

Purpose of data processing

• online content delivery on the Homepage,
• technical development of the IT-system,
• preparation of statistics and analyses,
• protection of the rights of Users,
• Enforcement of the Controller’s legitimate interests.

The Controller may not use the provided personal data for other purposes than for those specified in this section.

Nature and legal basis of data processing

When the User enters the Homepage, the system of the Controller records the User’s IP-address in regard to the legitimate interests of the Controller in order to provide services even without the separate consent of the User.  

The Controller performed a test of balance of interest in accordance with the relevant legal provision (GDPR) in order to substantiate that his legitimate interests for data processing override the liberties and rights of the Users (data subjects) in connection with data processing.  Upon request the Controller shall provide appropriate information about the substantiation of legal grounds.

The release of personal data to third parties or authorities is only possible under the decision of authorities or the under the prior express consent of applicants (unless otherwise provided in legislation).

Principles and means of data processing:

The Controller shall process personal data in accordance with the principles of good faith, fairness and transparency; the processing shall be carried out only for purposes set out in this present Information respectively in legislation.

In each case when the Controller wishes to use the personal data for purposes different from the original data collection he shall inform the applicant and shall obtain the applicant’s prior express consent therefor; respectively ensure that the applicant can prohibit the use of data.

The Controller shall inform the applicant concerned and all those, whom the personal data he transferred to beforehand about the rectification, restriction and erasure of personal data.  The information may be omitted if this in regard of the data processing does not prejudice the legitimate interest of the data subject.

The Controller shall take all technical and organisational measures which are laid down by relevant legislation for the security of data;

• shall comply with the requirements set out in the rules of IT-security
• shall submit the incoming set of data to virus checks and to other security screening
• the Controller shall ensure that the personal data processed by him
  • are accessible only to persons entitled to their access,
  • remain authentic,
  • remain unchanged,
  • are protected against unauthorised access, use, change and distribution.

The Controller shall call each third party for the fulfilment of such obligations, who are recipients of data transfer.

The IT devices of the Controller are located in the server rooms at the Controller’s seat and sites.

Nature of data processing technology: data processing by IT-systems.

Data processing period: 5 years. After this period all personal data shall be erased by the Controller.

In case an authority our court orders the erasure of personal data in a final ruling the Controller shall execute the erasure. Instead of erasure the Controller, informing the User thereof, shall limit the process of personal data in case it was requested by the applicant or the erasure is likely to prejudice the legitimate interests of the User. The Controller shall not erase the personal data until the purpose of data processing which excludes the erasure of data still exists.

Source of data: data are being generated directly when the User is visiting the homepage

Data processor: none.

Transfer of data: not being made.

Rights of the User („data subject”) and means of exercise of rights

Ensuring the enforcement of rights of the data subject

• The Controller shall take appropriate measures to provide any information and communication in an easily accessible and legible form, using clear and plain language.
• The Controller considers the request for information credible in case the data subject is clearly identifiable according to the request.  
• The Controller shall assess the requests without undue delay but no longer than within one month of receipt of the request by electronic means, unless otherwise requested by the data subject.That period may be extended when duly justified.
• Necessary information and actions shall be provided by the Controller free of charge, unless requests from a data subject are manifestly unfounded or excessive.
• In case the data subject does not agree with the decision of the Controller, he shall have the right to apply to the courts within thirty days after the notification about the decision.
   
• In case of infringement of the rights of the data subject he may apply to the court against the Controller, the assessment of the case falls into the competence of regional courts which shall assess the case with priority. The data subject may as well launch legal proceeding at a competent regional court within whose territory the place of residence of the data controller is located.
   
• the data subject shall have the right seek judicial remedy and complaint at the Hungarian National Authority for Data Protection and Freedom of Information:
  • seat: 1055 Budapest, Falk Miksa utca 9.-11.,
  • phone: +36-1+391-1400
  • e-mail: ugyfelszolgalat@naih.hu
  • www.naih.hu

For further information concerning data processing under this present Information and possible complaints you can reach Rail Cargo Hungaria Zrt. at one of the following contacts:

• via email: adatvedelem.rch.hu@railcargo.com
• via registered mail with proof of receipt: Rail Cargo Hungaria Zrt., 1133 Budapest, Váci út 92.
• Data protection officer: Dr. Nagy Dóra Adriána

Budapest, January 21, 2025.

Rail Cargo Hungaria Private Limited Company

Data protection declaration Rai Cargo Group