Privacy policy

General information on data processing

Northrail GmbH (Northrail) appreciates your visit to the website and your interest in the companies and products of the Northrail Group. We take the protection of your private data very seriously and want you to feel secure when visiting our website. As the responsible party in terms of data protection, we inform you below about the nature and extent of the processing of personal data.

The protection of your privacy when processing personal data is an important concern for us, which we take into account in our business processes. As a matter of principle, we only process personal data insofar as this is necessary for the provision of functional websites, for contacting you via the email addresses provided on our websites and for the provision of our content and services.

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6 (1) a of the EU General Data Protection Regulation (GDPR) serves as the legal basis. In the case of processing of personal data that is necessary for the performance of a contract, Art. 6 (1) (b) DSGVO serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures. In addition, processing may be necessary to protect our legitimate interests pursuant to Art. 6 (1) lit. f DSGVO.

The personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may take place beyond this if this has been provided for by the European or national legislator. Data will also be blocked or deleted if a prescribed storage period expires, unless there is a need to continue storing the data for the conclusion or performance of a contract.

Personal data will only be transferred to state institutions and authorities within the framework of mandatory European and national legal provisions. Our employees are obliged by us to maintain confidentiality.

For your security, we use SSL or TLS encryption to protect the transmission of all content that you send to us. You can recognise this encrypted connection by the fact that the address line of the browser changes from "http://" to "https//" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Collection and processing of personal data on our websites

When you visit our website, our web server stores, among other things, the server log files listed in detail below by default. Additional data may be stored if this has been provided for by European or national legislation.


When you visit our website, our web servers store (as server log files) by default, among other things, information on the type and version of browser you are using, the operating system you are using, the website from which you are visiting us, the web pages you visit on our site, the date of the visit and, for security reasons, for example to detect attacks on our websites, the amount of data sent in bytes and, for a period of 7 days, the IP address assigned to you by your internet service provider. Storage may take place beyond this if this has been provided for by the European or national legislator. The temporary storage of the IP address by the system is necessary to enable delivery of the web pages to the user's computer. The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. This purpose is also our legitimate interest in data processing according to Art. 6 para. 1 lit. f DSGVO.

With the exception of the IP address, personal data is only stored if you provide it to us of your own accord, for example by sending us your email address and/or your contact details.

Collection and processing of personal data when contacting us by email

On our website, it is possible to contact us via the email addresses provided. In this case, the user's personal data transmitted with the email will be stored. In this context, the data will not be passed on to third parties, unless the point "Passing on personal data to third parties" of this data protection declaration provides for this. The data is used exclusively for processing the conversation and is used solely for processing the contact. The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of contact by email, this is the case when the respective conversation with the user has ended, i.e. when it is clear from the circumstances that the matter in question has been conclusively clarified.

The legal basis for the processing of this data is Art. 6 para. 1 lit. f DSGVO. If the email contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 (1) lit. b DSGVO.

Collection and processing of personal data in an application

We process personal data about you for the purpose of your application for employment insofar as this is necessary for the decision to establish an employment relationship with us. This may be general data about you (such as your name, address and contact details), information about your professional qualifications and school education or information about further professional training or other information that you provide to us in connection with your application. In addition, we may process job-related information that you have made publicly available, such as a profile on professional social media networks. The legal basis for this is Section 26 (1) in conjunction with Section 26 (8) sentence 2 of the Federal Data Protection Act. Para. 8 S. 2 Federal Data Protection Act (new) (BDSG (new)). Insofar as we do not collect the data directly from you and you have an active profile on an online job platform — such as StepStone — or disclose an inactive or only partially active profile to us as part of the application process, we may also collect personal data via this.

We process your application in particular via StepStone, so that StepStone Deutschland GmbH and its subcontractors, which you can find in StepStone's GTC, are also recipients on our behalf. As part of our processing of your application by StepStone on our behalf, security services of the company Akamai Technologies, Inc are used, which may result in a transfer to the USA.

Furthermore, we use the software application "HRworks-Bewerbermanagement" of HRworks GmbH for the presentation of vacancies. As a processor, HRworks GmbH operates a website for us. You can access this through a link placed on our website. HRworks processes personal data on our behalf in the context of your application. A corresponding order processing contract has been concluded. The data transmitted in connection with your application is stored in a computer centre in Germany and on a server within the European Union (the latter at AMAZON Web Services EMEA SARL, based in Luxembourg, with servers in Ireland). The data is encrypted during transmission.

The following technically necessary cookies are used in the HR-Works software application:

This cookie is used by the software application "HRworks-Bewerbermanagement". It represents the session of the person on our job portal. This is necessary for operation in order to distinguish between the users of the session. This is a technically necessary cookie.

These two cookies are used by the software application "HRworks-Bewerbermanagement". On the one hand, they are needed to assign any information to the correct instance of the server. On the other hand, they are necessary for the upload of the application documents so that this process can be guaranteed smoothly for the applicants. This is a technically necessary cookie.

For further information on the data protection provisions of the HR software, please refer to the data protection declaration of HRworks GmbH.

Furthermore, we may process personal data about you insofar as this is necessary for the defence of asserted legal claims against us arising from the application process. The legal basis for this is Art. 6 para. 1 lit. f DSGVO; the legitimate interest is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).

Insofar as an employment relationship between you and us is established, we may further process the personal data already received from you for the purposes of the employment relationship in accordance with section 26 para. 1 BDSG if this is necessary for the implementation or termination of the employment relationship or for the exercise or fulfilment of the rights and obligations of the employee representation resulting from a law or a collective agreement, a works agreement or a service agreement (collective agreement).

We store your personal data for as long as it is required to make a decision about your application. Insofar as an employment relationship between you and us does not come about, we may continue to store data beyond this, insofar as this is necessary for the defence against possible legal claims. In this case, the application documents will be deleted no later than 6 months after the rejection decision has been sent, unless longer storage is necessary due to legal disputes. The provision of personal data is neither legally nor contractually required, nor are you obliged to provide the personal data. However, the provision of personal data is necessary for the conclusion of a contract of employment with us. This means that if you do not provide us with personal data when applying for a job, we will not enter into an employment relationship with you.

Passing on of personal data to third parties

Northrail GmbH will treat your personal data confidentially. This data is received centrally by Northrail GmbH when contact is made via our general email address and, where necessary, is passed on to other areas of the company within the scope of the stated purposes. Any further disclosure to third parties will only take place if we are legally obliged to do so, if we commission an external service provider to process your information and if data is processed on the basis of contracts in accordance with Art. 28 DSGVO. An example of this is the sending of letters or emails or processing by host providers or providers of applicant management systems. These service providers only receive the information needed to fulfil their tasks. They are not allowed to use it for other purposes and are obliged to treat the information in accordance with the DSGVO and the Federal Data Protection Act (new). We also conclude appropriate confidentiality agreements and, where applicable, order processing agreements with each partner. In all other cases, we will inform you if personal information is to be passed on to third parties, thus giving you the opportunity to give your consent.

Links to other websites

Northrail GmbH sets links to third-party websites on this website. On the websites of the third parties, the privacy policy of Northrail GmbH does not apply to the processing of personal data by this third party. Northrail GmbH recommends that you always inform yourself about the data protection information on the websites of these third parties.

User rights

You can request information about your personal data stored by us free of charge at any time. You are also entitled to have this data corrected or completed if necessary, should it prove to be incorrect or incomplete, and furthermore — if the respective conditions are met — to make use of your right to restrict the processing of your data or to demand the deletion of your personal data. This does not apply if storage is required by law. If deletion cannot be carried out, data processing will be restricted.

Your request should be sent to the following contact details: Northrail GmbH, Königstraße 28, 22767 Hamburg, phone +49 40 8888 00 6-0, email:

You also have the right to object at any time to the processing of personal data concerning you. This does not apply to data whose collection is absolutely necessary for the provision and operation of the websites. If you have contacted us by email or applied to us via an online job platform, you can also object to the storage of your personal data at any time. In such a case, the conversation cannot be continued and the application process cannot be continued. After receiving your objection, we will no longer use, process or transmit the data concerned for purposes other than the processing of the concluded contracts. The lawfulness of the processing carried out until the revocation remains unaffected by this.

If you wish to object to the collection, processing or use of your data by Northrail GmbH in accordance with these data protection provisions, either in whole or for individual measures, you can send your objection to the following contact details: Northrail GmbH, Königstraße 28, 22767 Hamburg or by email:

Responsible body in the sense of data protection

The responsible party for the collection, processing and use of your personal data within the meaning of the General Data Protection Regulation (DSGVO) and the BDSG (new) is Northrail GmbH.

Data Protection Officer

If you have any questions regarding the processing of your personal data, you can contact our data protection officer at the data controller (, who is also available with her team in the event of requests for information, suggestions or complaints.