Privacy police

The protection of your personal data, such as your date of birth, name, telephone number, address, etc., is of great importance to us. The purpose of this privacy policy is to inform you about the processing of your personal data that we collect when you visit our website. Our data protection practices comply with the legal provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). The following privacy policy serves to fulfil the information obligations arising from the GDPR. These can be found, for example, in Articles 13 and 14 et seq. of the GDPR. Data Controller The data controller within the meaning of Article 4(7) of the GDPR is the person who, alone or jointly with others, determines the purposes and means of the processing of personal data. With regard to our website, the data controller is: Eurailpool GmbH Lise-Meitner-Straße 9 85737 Ismaning Germany Email: info@eurailpool.com Tel.: +49 (0) 89 90 93 97 -20 Fax: +49 (0) 89 90 93 97 -266 Contact details of the Data Protection Officer We have appointed a Data Protection Officer in accordance with Article 37 of the GDPR. You can contact our Data Protection Officer using the following details: Florian Padberg Lise-Meitner-Straße 9 85737 Ismaning Germany Email: datenschutz@eurailpool.com Provision of the website and creation of log files Every time our website is accessed, our system automatically collects data and information about the device used to access it (e.g. computer, mobile phone, tablet, etc.). What personal data is collected and to what extent is it processed? (1) Information about the browser type and version used; (2) The operating system of the device used to access the site; (3) Host name of the accessing computer; (4) The IP address of the device used to access the site; (5) Date and time of access; (6) Websites and resources (images, files, other page content) accessed on our website; (7) Websites from which the user’s system accessed our website (referrer tracking); (8) Notification as to whether the request was successful; (9) Amount of data transferred This data is stored in our system’s log files. This data is not stored together with the personal data of a specific user, meaning that individual website visitors cannot be identified. Legal basis for the processing of personal data Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in ensuring that the purpose described below is achieved. Purpose of data processing The temporary (automated) storage of data is necessary for the course of a website visit in order to enable the website to be delivered. The storage and processing of personal data also takes place to maintain the compatibility of our website for as many visitors as possible, and to combat misuse and resolve malfunctions. For this purpose, it is necessary to log the technical data of the accessing computer in order to be able to react as quickly as possible to display errors, attacks on our IT systems and/or errors in the functionality of our website. Furthermore, we use the data to optimise the website and to generally ensure the security of our IT systems. Duration of storage The aforementioned technical data is deleted as soon as it is no longer required to ensure the website’s compatibility for all visitors, but no later than 3 months after accessing our website. Right to object and right to erasure You may object to the processing at any time in accordance with Article 21 of the GDPR and request the erasure of data in accordance with Article 17 of the GDPR. You can find out what rights you are entitled to and how to exercise them in the lower section of this privacy policy. Integration of external web services and processing of data outside the EU On our website, we use active content from external providers, so-called web services. When you visit our website, these external providers may receive personal information about your visit to our website. This may involve the processing of data outside the EU. You can prevent this by installing a suitable browser plugin or by disabling the execution of scripts in your browser. This may result in functional limitations on the websites you visit. We use the following external web services: Google Fonts On our website, we use the Google Fonts service provided by Google LLC, 1600 Amphitheatre Parkway, 94043 Mountain View, United States of America, email: support-de@google.com, website: http://www.google.com/. Processing also takes place in a third country for which no adequacy decision has been issued by the Commission. Consequently, the standard level of protection required by the GDPR cannot be guaranteed during transmission, as it cannot be ruled out that, for example, public authorities in the third country may access the data collected. The legal basis for the transfer of personal data is your consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, which you have provided on our website. Fonts are loaded onto our site via the Google Fonts service so that we can display the site to you in a visually enhanced version. You may withdraw your consent at any time. Further information on withdrawing your consent can be found either in the consent form itself or at the end of this privacy policy. Further information on the handling of the transferred data can be found in the provider’s privacy policy at https://policies.google.com/privacy. Google APIS We use the Google APIS service on our website, provided by Google LLC, 1600 Amphitheatre Parkway, 94043 Mountain View, United States of America, email: support-de@google.com, website: http://www.google.com/. Processing also takes place in a third country for which no adequacy decision has been issued by the Commission. Consequently, the standard level of protection required by the GDPR cannot be guaranteed during transmission, as it cannot be ruled out that, for example, public authorities in the third country may access the data collected. The legal basis for the transfer of personal data is your consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, which you have given on our website. We use Google APIs to load additional Google services on the website. Google APIs is a collection of interfaces for communication between the various Google services used on your website. For the processing itself, the service or we collect the following data: IP address You may withdraw your consent at any time. Further information on withdrawing your consent can be found either in the consent form itself or at the end of this privacy policy. Further information on the handling of the transferred data can be found in the provider’s privacy policy at https://policies.google.com/privacy. Gstatic We use the Gstatic service on our site, provided by Google LLC, 1600 Amphitheatre Parkway, 94043 Mountain View, United States of America, email: support-de@google.com, website: http://www.google.com/. Processing also takes place in a third country for which no adequacy decision has been issued by the Commission. Consequently, the standard level of protection required by the GDPR cannot be guaranteed during transmission, as it cannot be ruled out that, for example, public authorities in the third country may access the data collected. The legal basis for the transfer of personal data is your consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, which you have given on our website. Gstatic is a service used by Google to retrieve static content in order to reduce bandwidth usage and preload required catalogue files. You may withdraw your consent at any time. Further information on withdrawing your consent can be found either in the consent form itself or at the end of this privacy policy. Further information on the handling of the transferred data can be found in the provider’s privacy policy at https://policies.google.com/privacy. Jsdelivr We use the Jsdelivr service on our website, provided by Prospect One Sp., Krolweska 65A, 30-081 Krakow, Poland, email: hello@prospectone.io, website: https://prospectone.io/. The transmission and processing of personal data takes place exclusively on servers within the European Union. The legal basis for the transfer of personal data is our legitimate interest in the processing, in accordance with Article 6(1)(f) of the GDPR. Our legitimate interest lies in achieving the purpose described below. JSDelivr is a content delivery network that mirrors our content across various servers to ensure optimal accessibility worldwide. With regard to the processing, you have the right to object as set out in Article 21. Further information can be found at the end of this privacy policy. Further information on the handling of the transferred data can be found in the provider’s privacy policy at https://www.jsdelivr.com/privacy-policy-jsdelivr-com. Information on the use of cookies Scope of the processing of personal data We integrate and use cookies on various pages to enable certain functions of our website and to integrate external web services. So-called “cookies” are small text files that your browser can store on your device. These text files contain a unique string of characters that uniquely identifies the browser when you return to our website. The process of storing a cookie file is also referred to as “setting a cookie”. Cookies may be set both by the website itself and by external web services. Legal basis for the processing of personal data Art. 6(1)(f) GDPR (legitimate interest) or Art. 6(1)(a) or Art. 9(2)(a) GDPR (consent). The applicable legal basis is set out in the cookie table provided later in this section. Generally speaking, for cookies collected on the basis of a legitimate interest, our legitimate interest lies in ensuring the functionality of our website and the services integrated into it (technically necessary cookies). Furthermore, cookies may enhance user-friendliness and enable a more personalised approach. In this regard, we have weighed up your interests against our own. We can only identify, analyse and track individual website visitors using cookie technology if the website visitor has consented to the use of cookies in accordance with Article 6(1)(a) of the GDPR. Purpose of data processing Cookies are set by our website or external web services to maintain the full functionality of our website, improve user-friendliness or to pursue the purpose specified with your consent. Cookie technology also enables us to recognise individual visitors using pseudonyms, e.g. individual or random IDs, so that we can offer more personalised services. Details are listed in the table below. Storage duration The cookies listed below are stored in your browser until they are deleted or, in the case of a session cookie, until the session expires. Details are listed in the table below: Cookie name Server Provider Purpose Legal basis Storage duration Type borlabs-cookie eurailpool.com Website operator Cookie that stores the user’s decision regarding the cookie banner. Fulfilment of legal obligations approx. 12 months Cookie banner Right to object, withdrawal of consent and deletion You can configure your browser according to your preferences to generally prevent cookies from being set. You can then decide on a case-by-case basis whether to accept cookies or accept them by default. Cookies can be used for various purposes, e.g. to recognise that your device is already connected to our website (persistent cookies) or to store recently viewed content (session cookies). If you have expressly given us permission to process your personal data, you may withdraw this consent at any time. Please note that this does not affect the lawfulness of the processing carried out on the basis of your consent prior to its withdrawal. Data security and data protection, communication by email Your personal data is protected by technical and organisational measures during collection, storage and processing in such a way that it is not accessible to third parties. In the case of unencrypted communication via email, we cannot guarantee complete data security during transmission to our IT systems; therefore, we recommend encrypted communication or postal delivery for information requiring a high level of confidentiality. Right of access and requests for rectification – erasure & restriction of data – withdrawal of consent – right to object Right of access You have the right to request confirmation as to whether we are processing your personal data. If this is the case, you have a right to access the information specified in Article 15(1) of the GDPR, provided that this does not infringe upon the rights and freedoms of others (see Article 15(4) of the GDPR). We would also be happy to provide you with a copy of the data. Right to rectification In accordance with Article 16 of the GDPR, you have the right to have any personal data held by us that is incorrect (such as your address, name, etc.) corrected at any time. You may also request at any time that the data stored by us be completed. Any necessary amendments will be made without delay. Right to erasure In accordance with Article 17(1) of the GDPR, you have the right to request that we erase the personal data collected about you if the data is no longer required; the legal basis for processing has ceased to exist without replacement following the withdrawal of your consent; you have objected to the processing and there are no legitimate grounds for the processing; your data is being processed unlawfully; a legal obligation requires it or collection has taken place in accordance with Article 8(1) of the GDPR. This right does not apply in accordance with Article 17(3) of the GDPR if processing is necessary for the exercise of the right to freedom of expression and information; your data has been collected on the basis of a legal obligation; processing is necessary for reasons of public interest; the data is necessary for the establishment, exercise or defence of legal claims. Right to restriction of processing Pursuant to Article 18(1) of the GDPR, you have the right in certain cases to request the restriction of the processing of your personal data. This applies where you contest the accuracy of the personal data; the processing is unlawful and you do not consent to erasure; the data is no longer required for the purpose of processing, but the data collected serves to assert, exercise or defend legal claims; an objection to the processing has been lodged in accordance with Article 21(1) of the GDPR and it is still unclear which interests prevail. Right to withdraw consent If you have given us your explicit consent to the processing of your personal data (Article 6(1)(a) GDPR or Article 9(2)(a) GDPR), you may withdraw this consent at any time. Please note that this does not affect the lawfulness of the processing carried out on the basis of your consent prior to its withdrawal. Right to object Pursuant to Article 21 of the GDPR, you have the right to object at any time to the processing of your personal data collected on the basis of Article 6(1)(f) (in the context of a legitimate interest). You are only entitled to this right if there are specific circumstances that militate against the storage and processing of your data. How do you exercise your rights? You may exercise your rights at any time by contacting us using the details below: Eurailpool GmbH Lise-Meitner-Straße 9 85737 Ismaning Germany Email: info@eurailpool.com Tel.: +49 (0) 89 90 93 97 -20 Fax: +49 (0) 89 90 93 97 -266 Right to data portability Under Article 20 of the GDPR, you have the right to receive the personal data concerning you. We will provide the data in a structured, commonly used and machine-readable format. The data may be sent either to you or to a controller designated by you. Upon request, we will provide you with the following data in accordance with Article 20(1) of the GDPR: Data collected on the basis of explicit consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR; Data that we have received from you pursuant to Article 6(1)(b) GDPR within the framework of existing contracts; Data that has been processed as part of an automated procedure. We will transfer the personal data directly to a controller of your choice, provided this is technically feasible. Please note that we are not permitted to transfer data that infringes upon the freedoms and rights of other individuals in accordance with Article 20(4) of the GDPR. Right to lodge a complaint with the supervisory authority in accordance with Article 77(1) of the GDPR If you suspect that your data is being processed unlawfully on our site, you may, of course, seek a judicial resolution of the matter at any time. Furthermore, all other legal avenues are open to you. Irrespective of this, you have the option, in accordance with Article 77(1) of the GDPR, to contact a supervisory authority. You are entitled to the right to lodge a complaint pursuant to Article 77 of the GDPR in the EU Member State of your residence, your place of work and/or the place of the alleged infringement; that is to say, you may choose the supervisory authority to which you wish to turn from the locations mentioned above. The supervisory authority to which the complaint was submitted will then inform you of the status and outcome of your submission, including the possibility of a judicial remedy under Article 78 of the GDPR. Created by: © DURY LEGAL Lawyers – www.dury.de © Website-Check GmbH – www.website-check.de