Information notice on the protection of personal data "CFL mobile" App

Information notice on the protection of personal data "CFL mobile" App

At the CFL Group, the customer always comes first.

As such, and quite naturally, the protection of personal data is an absolute priority of the CFL Group, respectively for each Group entity that is required to process your personal data for the needs of its business.

We have a commitment to transparency concerning the data collected about you within the framework of the use of the CFL mobile app, as well as around the use and sharing of this personal data.

This information notice provides you with the necessary information and explains how we collect, use, share, store and protect your personal data.

It also provides you with information on your rights and how to exercise them.

1. Who is the data controller?

The Luxembourg National Railway Company (CFL), 16 boulevard d'Avranches, BP 1803, L-1160 Luxembourg, is the data controller for the personal data concerning you and which we process.

In this respect, we are responsible for the manner in which we collect, use, share, store and protect your personal data.

If you have any questions or complaints concerning this Information Notice, you may contact us by sending a written request to the CFL Data Controller, 16 boulevard d'Avranches, BP 1803, L-1160 Luxembourg. 

2. What categories of personal data are processed and for what purpose?

The CFL collects, processes and stores personal data that you send to us, as well as data provided by any device (including a mobile device) that you use when accessing our services, opening a customer account, completing one of our forms or updating or adding information to your account.

The processing operations are implemented by the CFL for the following purposes:

• The sale, issuance, validation and management of electronic public transport tickets;
• The management of CFL services and related services (management of contractual relationships, subscriber management, passenger sales management, complaint handling, collation of statistics, fraud prevention and dealing with infringements);
• The personal data may be used for the purpose of improving the offer through targeted and one-off surveys and marketing campaigns.

The CFL directly collects the following personal data:

• Your identifying information (surname, first name, address, telephone number) and your electronic identifying information (e-mail address, IP address);
• Your personal characteristics (title, date of birth);
• Where necessary, identifying information (surname, first name) and the date of birth of other persons for whom you have purchased transport tickets;
• Your financial data (credit card number) relating to the purchase of your public transport ticket;
• On an optional basis, the name of your employer when purchasing public transport tickets in connection with business travel;
• On an optional basis, your mother’s maiden name when creating your account as a response to a security question for resetting your password;
• On an optional basis, and once push notifications are activated, an ID from your mobile device in order to route a push notification.

Mandatory data is indicated in the data collection forms with an asterisk.

In the event of a refusal to provide said personal data, the service associated with this data collection may not be provided and you will be required to purchase the desired public transport ticket from one of our ticket counters, ticket vending machines or other points of sale.

In addition, the application can also access your contacts for the function of searching for connections to or from one of your contacts with address, as well as sharing routes directly through the app. The application does not store this information and it is processed locally on your mobile device. Access to contacts is optional and not necessary for the proper use of the application.

In all cases, we ensure that the data is collected for specific purposes and that it is processed in an appropriate and relevant manner and solely for that which is necessary in respect of the intended purpose.

3. How do we collect, process and use your data?

We collect, process and use the personal data that you provide us with when:

• you open a customer account to purchase public transport tickets on the CFL mobile app and when you use the app to purchase public transport tickets thereafter;
• you make a suggestion or lodge a complaint;
• you set up a push notification when setting up a custom alert.

For each of the previously described purposes, the collection and processing of your data will be carried out:

• in compliance with the applicable regulations relating to the protection of personal data including the GDPR (European Regulation EU 2016/679 of 27 April 2016), the Guidelines and related materials and the national laws implementing the GDPR where necessary;
• on legal grounds
  • either based on the fact that the processing of your personal data is required for the performance of the contract that you are a party to or in order to take steps at your request prior to entering into a contract;
  • or on the basis of your consent;
  • or based on the fact that the processing is necessary for compliance with a legal obligation to which the data controller is subject;
  • or an interest that is recognised as legitimate;
  • or when the processing of your data is necessary for the performance of a task carried out in the public interest vested in the data controller (passenger and staff safety, protection of property, prevention and identification of infringements etc.).

4. Who has access to your data?

The data collected is processed and used by the CFL passenger traffic department – Service Activité Voyageurs Trains.
In addition, in order to ensure optimum service quality, the CFL has entrusted certain tasks to specialised subcontractors. With this in mind, the data is stored and used by the following subcontractors:

• The company eos.uptrade GmbH whose head office is located in Hamburg, Germany, in its role as developer and operator of the mobile ticketing solution;
• The company Six Payment Services (Europe) S.A. whose registered office is located in Munsbach, Luxembourg, in its role as payment services provider.

We ensure that your personal data is processed for the purposes mentioned above.
This data may be shared with certain internal departments in strict compliance with the tasks entrusted to these departments: Finance and Controlling Department, IT Department, Legal and Insurance Department and Internal Audit Department.
Within the strict framework of the purposes referred to above, and whenever it is necessary, we share your personal data with our auditors, our legal advisers, the Luxembourg authorities or competent foreign authorities.

5. Where your data is processed. Will your data be transferred?

Your data is intended for the authorised CFL departments (Passenger traffic department, Finance and Controlling Department, IT Department, Legal and Insurance Department and Internal Audit Department), which take all of the appropriate technical and organisational measures to protect the security of your personal data and primarily the confidentiality, integrity and availability of your personal data.

For security reasons, it is also transferred to:

• The company eos.uptrade GmbH whose head office is located in Hamburg, Germany, in its role as developer and operator of the mobile ticketing solution;
• The company Six Payment Services (Europe) S.A. whose registered office is located in Munsbach, Luxembourg, in its role as payment services provider.

For transfers, CFL contractually imposes the obligation on service providers to provide guarantees in terms of the security and confidentiality of your personal data by taking appropriate technical and organisational measures pursuant to regulations.

6. How long do we retain your personal data?

The period for which data is retained is limited to the period of use of the “CFL mobile” app and for as long as data needs to be retained in order for us to fulfil our obligations resulting from the limitation periods and/or any other legal provisions.

In general, the personal data described above is deleted no later than 12 months following the last transaction made through the “CFL mobile” app.

7. What are your rights regarding your personal data?

Under the conditions provided for by the regulations, you have the right to:

• Access the personal data that we hold about you;
• Request the correction of the data if it is inaccurate or incomplete;
• Request the deletion in certain cases, such as whenever your data is no longer required for the intended purpose for which it was collected and/or processed and which we haven't yet deleted by virtue of the statutory and regulatory requirement obligations applicable to the period of data retention;
• Request the limitation of the processing of your personal data such as the limitation of the processing of data for which you dispute the accuracy and throughout the period that we require to enable us to verify your request;
• Request the portability of your personal data so that your personal data can be sent to you in a structured, commonly used and readable format, or to have it transferred to another data controller;
• Withdraw your consent at any time to the processing of your personal data without this compromising the lawfulness of the processing on the basis of the consent given prior to your withdrawal and unless such data is processed on a legal basis other than your consent.
• Object to the processing of your data solely in the pursuit of our legitimate interests or prohibit us from processing it, including for direct marketing purposes.
• Lodge a complaint with the competent authority for the protection of personal data in your country and/or the Grand Duchy of Luxembourg (National Commission for Data Protection – CNPD).

8. How can you contact us and exercise your rights?

Should you have any questions relating to the processing of your personal data and/or wish to exercise your previously mentioned rights, please write to the Data Protection Officer – DPO of the CFL:

• On our website www.cfl.lu or by following the link gdpr.cfl.lu
• By letter to the following address:

       Société Nationale des Chemins de Fer Luxembourgeois (CFL)
       Data Protection Officer – Service Juridique et Assurances
       16 boulevard d'Avranches, BP 1803, L-1160 Luxembourg

To ensure the confidentiality and protection of your personal data, we will need to confirm your identity in advance so that we can respond to you. A copy of both sides of your valid identity card must be sent to us for this purpose.

Any complaints regarding the processing of your personal data can be sent to the above-mentioned postal address or to the Luxembourg national data supervisory authority:

Commission nationale pour la protection des données
15, Boulevard du Jazz
L-4370 Belvaux

9. How do we update this information notice?

In order to comply at best with the regulations in force, the CFL undertakes to update this information notice whenever required. The latest version in force is always available on the mobile app.

Any changes to this statement on personal data protection are notified to the customer when they first make a purchase or on the first validation following the amendment by forcing the approval of the amended statement by the customer.