Information note on personal data protection - Sale of international tickets or passes
0 results for «»
Personal data protection
Thus, the protection of your personal data naturally constitutes a priority for the CFL, or any entity of the CFL group who has to process your personal data for the purpose of its activities.
This note provides you with the necessary information and explains to you how we collect, use, share, store and protect your personal details. It also informs you on your rights and on how to exercise them.
1. Who is the controller?
- Trips to or from France
- https://www.ter.sncf.com/grand-est/conditions-de-vente [in French].
The CFL act as a processor of the SNCF and will therefore transmit your personal data to the SNCF for the issuance of the tickets.
- Trips with Eurail – Interrail Pass
The controller is Eurail. For more information on the processing of your data, we invite you to consult its information note available online: https://www.interrail.eu/en/terms-conditions/privacy-and-cookie-statement.
- Interrail products
The controller regarding the processing of personal data is the Société Nationale des Chemins de Fer Luxembourgeois (the CFL), established and having its registered office in L‑1616 Luxembourg, 9, place de la Gare, and registered with the Trade and Companies Register of Luxembourg under number B59025.
The CFL will not transmit your personal data to Interrail in this context.
- Trips to and from Belgium, Germany, Austria, England, Switzerland, Denmark, France (for specific tickets) and the Netherlands
In some cases, we share your personal data with other transportation companies, which also become controllers as soon as they receive your data.
For example, if you book a trip from Luxembourg to London with the CFL, you will travel on a service provided by the CFL/SNCB (Belgian rail company) until Brussels, and then on a Eurostar service to your final destination. We are thus compelled to transmit your personal data to the operators carrying out the different trips in order for you to benefit from the requested service.
In this case, Eurostar is also controller.
2. What categories of personal data are processed and for what purpose?
To fulfil these missions, we collect and process some of your personal data.
According to the type of intended purpose and according to the requested ticket or pass, the categories of personal data are the following:
- surname, first name, address, phone number, e-mail address,
- birth date,
- number of the ID or any other administrative document enabling identification,
- credit card or bank account numbers in connection with the purchase of a service,
- data on the composition of your household,
- information on the trip.
The intended purposes are the following:
- managing the products and services you have subscribed to,
- invoicing and accounting.
3. How do we collect, process and use your data?
For each purpose described above, the collection and processing
- are performed in compliance with applicable laws and regulations regarding the protection of personal data, including the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)), the related guidelines as well as the national laws implementing the GDPR, as the case may be,
- are legally justified
- by the fact that it is necessary to process your personal data for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract,
- on the basis of your consent,
- by the fact that the processing is necessary for compliance with a legal obligation to which we are subject in our quality as controller,
- by an interest that is recognised as legitimate, or
- by the fact that the processing of your data is necessary to carry out a mission of public interest we have been entrusted with (public transportation).
4. Who can access your data?
The data will be shared with some of our internal departments in strict compliance with the missions these departments have been entrusted with:
- Directorate for Travel Activities (Direction Activités Voyageurs),
- Directorate for Administration and Finance (Direction Administratif et Financier),
- Unit Legal affairs and Insurances (Division Juridique et Assurances).
We acknowledge the invalidation of the privacy shield. We are taking the necessary steps to ensure that the level of protection of your personal data to the United States remains adequate
5. How long do we keep your data?
6. What are your rights regarding your personal data?
- access to the personal data we hold on you,
- have the data rectified if they are inaccurate or incomplete,
- have the data erased, in some cases, such as, for example, each time your data are not necessary for the intended purpose, and we do not have the contractual or legal obligation to keep them,
- ask for the restriction of the processing of your personal data, such as the restriction of the processing of an item whose accuracy you deny and for the time we need to verify your request,
- ask for the portability of your personal data in order to have your personal data transmitted to you in a structured, commonly used and readable format, or to have it transmitted to another controller,
- withdraw your consent to the processing of your personal data at any time (unless the processing is based on a legal ground other than your consent), without affecting the lawfulness of the processing based on your consent given before its withdrawal,
- object to the processing of your data based on the sole pursuit of our legitimate interests and prohibit us from processing them, including for direct marketing,
- file a complaint with the authority in charge of the protection of personal data in your country and/or in the Grand Duchy of Luxembourg (Commission Nationale pour la Protection des Données – CNPD, established in 1, avenue du Rock’n’roll, L‑4361 Esch-sur-Alzette – www.cnpd.public.lu).
7. How to contact us and how to exercise your rights?
- on our website www.cfl.lu by clicking on the link gdpr.cfl.lu,
- or by regular mail for the attention of the Data Protection Officer (DPO), Société Nationale des Chemins de Fer Luxembourgeois (CFL), 9, place de la Gare – L‑1616 Luxembourg.
8. How do we update this information note?
The last effective version of the information note is always available when you come to the CFL ticket counters and can also be consulted on the CFL website (www.cfl.lu).