Data processing information

As of June 13, 2025

This Privacy Notice (hereinafter referred to as the “Privacy Notice” or the “Notice”) describes the characteristics of data processing, in particular the collection, storage and use of data, on the https://rch.railcargo.com/hu/adatvedelem website (hereinafter referred to as the “Website”) operated by Rail Cargo Hungaria Zrt. (registered office: 1133 Budapest, Váci út 92., company registration number: 01-10-045318, hereinafter referred to as the “Data Controller”).

This Privacy Notice is effective from 13 June 2025. The Data Controller will make the up-to-date version of the Privacy Notice available on its Website.

This Privacy Notice has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as “GDPR”) and its definitions are those set out in Article 4 of the GDPR.

Issues not addressed in this Privacy Notice shall be governed by the rules of the GDPR.  

Please read the following Notice carefully and only provide any of your personal data if you agree to the terms set out below.

1. Data Controller

  • Name: Rail Cargo Hungaria Árufuvarozási Zártkörűen Működő Részvénytársaság
  • Seat: 1133 Budapest, Váci út 92.
  • Court of registration and registration number: Fővárosi Törvényszék Cégbírósága, Cg. 01-10-045318
  • Name of Data Protection Officer: dr. Nagy Dóra Adriána
  • Contact details of Data Protection Officer: adatvedelem.rch.hu@railcargo.com 
  • Homepage: https://rch.railcargo.com/en (hereinafter: Homepage)

2.    CONCEPTS RELATING TO DATA PROCESSING

The concepts and definitions in the Privacy Notice are the same as those set out in Article 4 of the GDPR. Therefore:

Data Processor: a natural or legal person or unincorporated entity that processes data on the basis of a contract, including a contract concluded pursuant to a legal provision. The data processors used by the Data Controller are specified in Section 6 of this Privacy Notice.

Data processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Controller: the legal person, as defined in Section 1 of this Privacy Notice that determines the purposes of data processing independently, takes and executes decisions regarding data processing or has them executed by the Data Processor.

Destruction of data: the total physical destruction of the storage medium containing the data.

Erasure of data: rendering the data unrecognisable in a way that it is no longer possible to restore it.

Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

EEA Member State: a Member State of the European Union, another State party to the Agreement on the European Economic Area as well as a State whose nationals enjoy the same legal status as nationals of a State party to the Agreement on the European Economic Area under an international treaty between the European Union and its Member States and a State not party to the Agreement on the European Economic Area.

Data Subject: any natural person who is or may be identified, directly or indirectly, on the basis of the personal data. 

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Personal Data: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Objection: a statement by the data subject objecting to the processing of his or her personal data and requesting the discontinuation of processing or the deletion of the data.

3.    DATA PROCESSING PRINCIPLES

The Data Controller shall take special care in its activities to protect personal data, to comply with mandatory legal provisions and to ensure secure and fair processing. The Data Controller shall treat the personal data provided to it confidentially, pursuant to the provisions of Section 4 of the Privacy Notice.

As informational self-determination is a fundamental right of every natural person under the Fundamental Law, the Data Controller considers it of utmost importance that its processing and the procedures for processing are only and exclusively carried out pursuant to, and practices are designed to comply with, the provisions of the applicable laws, also bearing in mind the following principles:

  • With regard to the principles of lawfulness, fairness and transparency, the Data Controller shall process personal data lawfully, fairly and in a manner transparent to the data subject for the purpose of exercising a right or fulfilling an obligation. The Data Controller strictly prohibits the use of personal data processed by the Data Controller for private purposes.
  • With regard to the principle of purpose limitation, the Data Controller shall only collect and process personal data for specified, explicit and legitimate purposes to the minimum extent and for the minimum period necessary to achieve those purposes, and shall not process them in a manner that is incompatible with those purposes. Accordingly, the Data Controller shall use the personal data of data subjects only for the purposes stated at the time of collection or for other appropriate purposes in accordance with the law.

The Data Controller shall pay particular attention to ensuring that its processing complies at all times with the principle of purpose limitation and that the data are erased where the purpose for which they were processed has ceased to exist or the processing is otherwise unlawful. If the personal data are no longer necessary, the Data Controller shall destroy them.

  • With regard to the principle of data quality (data minimisation and accuracy), the Data Controller shall only process and collect personal data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Furthermore, the Data Controller shall take reasonable steps to ensure that personal data are accurate, complete and up to date, and that personal data that are unnecessary for the purposes of the processing are erased.  
  • With regard to the principle of storage limitation, the Data Controller shall process personal data which permit identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. The Data Controller shall ensure that the data are erased after the purpose of the processing has changed or ceased to exist. The Data Controller shall/may store personal data for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.The Data Controller shall exercise particular care when disposing of data storage media containing personal data.
  • With regard to the principle of integrity and confidentiality, the Data Controller shall ensure the protection of personal data in a contained, complete, continuous and risk-proportionate manner, and shall take organisational and technical measures to protect personal data in particular against unauthorised or unlawful processing, accidental loss, destruction or damage.  In order to protect data against unauthorised use or disclosure, the Data Controller shall apply data security controls in its own activities.

The information security measures designed and implemented by the Data Controller shall ensure the confidentiality, integrity and availability of personal data. These measures are set out in the Data Controller's Information Security Policy.

  • With regard to the principle of accountability, the Data Controller shall design and implement its data processing processes and set up its data management system in such a way that it is able to demonstrate compliance with the principles set out in this Section at any time of processing, in particular when and in what form the personal data were collected and what information was provided to the data subject when the personal data were collected. 

By means of this Privacy Notice, the Data Controller provides the Data Subject with adequate information in accordance with Articles 13 and 14 of the GDPR.  

The Data Controller, in its capacity as data controller, shall ensure that the Data Subject has access to the data processed by the Data Controller, unless an exception is provided by law, and may exercise his or her right to information, access, rectification, restriction, erasure, portability and objection.

4.    METHOD AND SECURITY OF DATA PROCESSING

The Data Controller shall ensure the security of the data and shall take the technical and organisational measures and establish the procedural rules necessary to enforce the privacy and confidentiality rules required under the GDPR. The Data Controller shall protect personal data against unauthorised access; alteration; transmission; disclosure; or accidental deletion, destruction; corruption; and inaccessibility resulting from changes in the technology used.

The Data Controller shall place particular emphasis on the protection of data files processed electronically in different records so that data stored in different records cannot be directly linked and attributed to the data subject, except where permitted by law.

Where a data breach occurs at the Data Controller, the Data Controller shall notify the National Authority for Data Protection and Freedom of Information of the data breach without undue delay, but no later than 72 hours after the data breach has come to the Data Controller’s attention, unless the breach is unlikely to pose a risk to the rights and freedoms of natural persons. The Data Controller shall inform the data subjects where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. Pursuant to Article 34(3) of the GDPR, the Data Controller shall not inform the data subjects if any of the following conditions are met:

  • the Data Controller has implemented technical, organisational or security measures in relation to the data affected by the personal data breach, such as encryption, which prevent unauthorised persons from accessing the data or render the data unintelligible to them;
  • after the occurrence of the personal data breach, the Data Controller has taken measures to ensure that the identified high risk is unlikely to materialise;
  • the provision of information would involve disproportionate effort, in which case the data subjects shall be informed by means of public communication, which may be provided by electronic means.

5.    DESCRIPTION OF DATA PROCESSING OPERATIONS

 

5.1.    CONTACT

The Data Controller provides the possibility for visitors to the Website to contact the Data Controller using any of the contact details provided.

 

Purpose of processing

Scope of processed data

 

Scope of data subjects

Legal basis for processing

 

Time limit for data storage

 

Method of data processing

Source of data

Possible consequences of not providing data

 

 

Automated decision-making and profiling

Who can access the personal data?

 

 

Transmission of data

 

To ensure the possibility to contact the Data Controller.

Name and e-mail address of the data subject, content of the message sent.

Persons who contact the Data Controller.

The data subject’s explicit consent pursuant to Article 6(1)(a) of the GDPR.

 

Until the consent is withdrawn and the request is investigated and answered.

By electronic means

Data collected from the data subject

If the data subject does not provide the Data Controller with the data, he/she will not be able to contact the Data Controller. The failure to provide data has no adverse legal consequences for the data subject.

The Data Controller does not use automated decision-making or profiling.

The Data Controller’s competent employees and employees of data processors, if any. The current list of the Data Controller's processors is set out in Section 6 of this Privacy Notice.

No data will be transferred to third countries or international organisations. 

 

5.2.    COOKIES

The Data Controller uses cookies on the Website, details of which are available in the footer of the Website.

6.    DATA PROCESSORS 

Data Processors do not take independent decisions and are only entitled to act in accordance with the contract concluded with the Data Controller and the instructions received. Data Processors shall record, handle and process personal data transmitted to them by the Data Controller and processed or handled by them in accordance with the provisions of the GDPR. Data Processors shall carry out processing operations on the personal data provided by data subjects within the time limits for use indicated in this Privacy Notice, in accordance with the purposes for which the data are processed. The Data Controller uses the following data processors in connection with its processing operations as indicated in this Privacy Notice. A current list of data processors is available from the Data Controller.

Category of Data Processor   Hosting provider

Purpose of processing            Hosting services 

Data Processor Name             ÖBB-Business Competence Center GmbH

Registered office                      Lassallestraße 5. 1020 Vienna

Company registration number  -
           

7.    ENFORCEMENT OF DATA SUBJECTS’ RIGHTS

The data subject may request information about the processing of his/her personal data; request the rectification of his/her personal data; request the restriction of processing; request the erasure of his/her data from the Data Controller or the Data Protection Officer directly at the adatvedelem.rch.hu@railcargo.com e-mail address, and exercise his/her right to data portability, the right to judicial remedy and the right to withdraw consent. In the event of a complaint in the territory of Hungary, the data subject may refer the matter to the National Authority for Data Protection and Freedom of Information or, at his or her option, to a court. The regional court shall have jurisdiction in court proceedings.

In case of fulfilling the data subject's request for the processing of personal data, the Data Controller shall, in view of the data subject’s capacity (customer, applicant, etc.), identify the data subject in accordance with this Privacy Notice, and the Data Controller shall only be entitled to fulfil the data subject's request once the data subject has been duly identified.

If the applicant has not made a request for personal data processing in accordance with this Privacy Notice and the Data Controller has not been able to duly identify the applicant (as a data subject), as required for data security and/or confidentiality purposes (as set out in this Privacy Notice), the Data Controller will invite the applicant to provide additional information, failing which the Data Controller shall not entertain the request. 

The time elapsed between the request by the Data Controller to provide the required personal data/perform the missing activity and the provision of the personal data shall not be counted in the time limit for responding to the request.

The Controller shall inform each recipient to whom the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The Data Controller shall inform the data subject, at his or her request, of these recipients.

a)    Right to information and access

In accordance with the obligation under Article 13 of the GDPR, where personal data are collected from the data subject, the Data Controller shall, at the time when personal data are obtained, provide the data subject with all of the following information regarding processing: 

  • the identity and the contact details of the Data Controller and its representative;
  • the contact details of the Data Protection Officer, where applicable;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • the recipients or categories of recipients of the personal data, if any;
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the data subject’s right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • where the processing is based on consent, the existence of the right to withdraw such consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a supervisory authority;
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.

Where personal data have not been obtained from the data subject, the Data Controller shall provide the data subject with the above information as well as the following information pursuant to Article 14 of the GDPR:

  • the categories of personal data concerned;
  • the recipients or categories of recipients of the personal data, if any;
  • from which source the personal data originate, and if applicable, whether it came from publicly accessible sources.

Where personal data have not been obtained from the data subject, the Data Controller shall provide the information:

  • within a reasonable period after obtaining the personal data, but at the latest within one month;
  • if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
  • if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

The above obligation to provide information shall not apply where and insofar as:

  • the data subject already has the information referred to above;
  • the provision of such information proves impossible or would involve a disproportionate effort; 
  • obtaining or disclosure is expressly laid down by community or Hungarian law to which the Data Controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
  • where the personal data must remain confidential subject to an obligation of professional secrecy regulated by community or Hungarian law, including a statutory obligation of secrecy.

In accordance with the provisions of Article 15 of the GDPR, the data subject’s right of access shall extend to the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed;
  • the envisaged period for which the personal data will be stored;
  • the data subject’s rights regarding the processing of personal data;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the information related to automated decision-making.

The Data Controller shall always endeavour to ensure that the information it provides to the data subject is, as far as possible, concise, transparent, intelligible, easily accessible, clear and plain, while complying with the rules laid down by the GDPR. The Data Controller is responsible for providing the information and taking measures. The Data Controller shall provide all information to the data subject in writing, including by electronic means. With regard to the data security rules set out in Article 15 and Article 32 of the GDPR, the Data Controller shall provide information to the data subject only and exclusively if the Data Controller is satisfied as to the identity of the data subject. If the identity is not verified, the Data Controller shall reject the data subject's request to exercise his or her rights and shall inform the data subject of the means of exercising his or her rights.

The Data Controller shall inform the data subject within one month of receipt of the request in the event of a request for the exercise of his or her rights, submitted as a duly notified statement. In view of the complexity of the request and the number of requests, this one-month period may be extended by a further two months by means of a reasoned communication from the Data Controller to the data subject within one month of the submission/receipt of the request to the Data Controller.

Due notification or receipt shall be deemed to have been made when the written request is sent by the data subject to the Data Controller's official address or dedicated email address and is received by the Data Controller.

Requests not notified in accordance with the above shall not be entertained by the Data Controller.

The information and communication relating to the processing of personal data shall be easily accessible and comprehensible and shall be drafted in clear and plain language. The same principle shall apply in particular to the information provided to data subjects on the identity of the data processor and the purpose of processing, as well as to further information to ensure fair and transparent processing of their personal data, and to the information that data subjects have the right to obtain confirmation and information about the data processed concerning them.  

The Data Controller shall provide the information and take the measures referred to in this Section free of charge, and shall charge a fee only in the cases provided for in Article 12(5) of the GDPR.

b)    Right to rectification

The data subject shall have the right to request the Data Controller, without undue delay, the rectification of inaccurate personal data relating to him or her. Having regard to the purposes of processing, the data subject shall have the right to request the rectification of incomplete personal data, including by means of a supplementary declaration.

c)    Right to object

The data subject may object to the processing of his or her personal data by means of a statement addressed to the Data Controller, where the legal basis for the processing is 

  • public interest within the meaning of Article 6(1)(e) of the GDPR; or
  • legitimate interest within the meaning of Article 6(1)(f) of the GDPR; or

In the event of the exercise of the right to object, the Data Controller may no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The management of the Data Controller shall decide whether the processing is justified by compelling legitimate grounds.  

It shall inform the data subject of its relevant position in an opinion. For the period until the decision, the personal data shall be restricted accordingly.

In the case of processing based on the data subject's consent (Article 6(1)(a) of the GDPR), the data subject shall not have the right to object.  

d)    Right to restriction of processing

Processing may be restricted where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, the Data Controller restricts the processing of personal data until the accuracy of the data is verified;
  • the processing is unlawful and the data subject requests restriction of use instead of erasure;
  • the Data Controller no longer needs the data but the data subject requires them for the purposes of legal claims;
  • the data subject objects to the processing of the personal data pursuant to Article 21 of the GDPR, pending the outcome of the assessment of the objection.

The Data Controller shall suspend the processing for the duration of the assessment of the data subject's objection to the processing of the personal data, not to exceed a period of 5 days, examine the grounds for the objection and take a decision, which shall be notified to the data subject.

If the objection is justified, the Data Controller shall restrict the data, i.e. only storage may take place until:

  • the data subject consents to the processing;
  • the processing of the personal data is necessary for the exercise of legal claims;
  • the processing of the personal data is necessary to protect the rights of another natural or legal person; or
  • processing is ordered by law in the public interest.  

Where the restriction of processing is lifted by the Data Controller, it shall, prior to lifting the restriction, inform in writing the data subject at whose request the restriction was applied of the fact of the lifting of the restriction, unless this proves impossible or involves a disproportionate effort. Where the restriction of processing has been requested by the data subject, he or she shall be informed by the Data Controller before the restriction of processing is lifted.

e)    Right to erasure (“right to be forgotten”)

The data subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay and the Data Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
  • the personal data have been unlawfully processed; 
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society services.

The data subject’s right to erasure may be limited only if the following exceptions in the GDPR apply, i.e. if the above grounds are met, the further retention of the personal data should be lawful where it is necessary 

  • for exercising the right of freedom of expression and information, or
  • for compliance with a legal obligation (i.e. in the case of an activity recorded in the Register of Data Processing as a legal obligation for a period of time adequate for the purposes of the processing), or
  • for the performance of a task carried out in the public interest, or
  • in the exercise of official authority vested in the Data Controller, or
  • in the area of public health, for archiving purposes in the public interest, 
  • for archiving purposes in the public interest, or 
  • scientific or historical research purposes or statistical purposes, or 
  • for the establishment, exercise or defence of legal claims. 

f)    Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the Data Controller to which the personal data have been provided, where:

  • the processing is based on the data subject’s consent, or the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the data subject’s request prior to entering into a contract [Article 6(1)a) or b) of the GDPR, and Article 9(2)a) of the GDPR]; 
  • the processing is carried out by automated means.

The data subject’s right under this Section shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of public powers vested in the Data Controller, or where such right would adversely affect the rights and freedoms of others.

Where the Data Controller is required to disclose personal data to a third party other than the data subject on the basis of the data subject's right to data portability, the Data Controller shall inform and draw the attention of that third party to the fact that the personal data disclosed by the Data Controller in relation to the data subject shall not be used for its own purposes and shall only be processed for the purposes for which they are disclosed, in accordance with the provisions of the applicable data protection legislation. The Data Controller shall not be liable for the use by a third party of personal data duly transmitted to a third party at the data subject’s request.

g)    Right to withdraw consent

Where the legal basis for the processing of the data subject's personal data by the Data Controller is the data subject's consent, the data subject may withdraw his or her consent to the processing at any time. In this respect, the Data Controller shall inform the data subjects that the Data Controller may process their personal data for the purposes of complying with a legal obligation or pursuing legitimate interests, even after the withdrawal of their consent, where the pursuit of such interests is proportionate to the restriction of the right to the protection of personal data.

8.    REMEDY

  • the data subject shall have the right seek judicial remedy and complaint at the Hungarian National Authority for Data Protection and Freedom of Information:

For further information concerning data processing under this present Information and possible complaints you can reach Rail Cargo Hungaria Zrt. at one of the following contacts:

  • via email: adatvedelem.rch.hu@railcargo.com
  • via registered mail with proof of receipt: Rail Cargo Hungaria Zrt., 1133 Budapest, Váci út 92.
  • Data protection officer: Dr. Nagy Dóra Adriána

The data subject has the right to apply to the courts for the protection of his or her data, which will rule on the matter out of turn.  In such cases, the data subject is free to decide whether to bring the action before the courts for the place of residence (permanent address) or the place of stay (temporary address) (http://birosag.hu/torvenyszekek). The data subject may approach the court of his or her domicile or residence at birosag.hu/ugyfelkapcsolati-portal/birosag-kereso.

Rail Cargo Hungaria Private Limited Company

Data protection declaration Rai Cargo Group