Data privacy statement


General information about data processing

The team at Northrail GmbH (Northrail) is pleased that you have decided to visit our website and thanks you for your interest in our company and products. We take the protection of your personal information very seriously and want you to feel safe when visiting our website. As the data controller under data protection legislation, we would like to inform you about the nature and scope of personal data processing.

The protection of your privacy when processing personal data is an important matter for us and one that is reflected in our business processes. In principle, we only process personal data to the extent that is necessary in terms of running a functional website, handling correspondence through the email addresses published on our website and providing content and services.

Insofar as we obtain the data subject’s consent for personal data to be processed, the legal basis for processing personal data is Article 6, paragraph 1, point (a), of the EU General Data Protection Regulation (GDPR). When the processing of personal data is necessary for the performance of a contract, the legal basis is Article 6, paragraph 1, point (b), of the GDPR. This also applies to processing operations that are necessary for carrying out tasks before a contract is entered into. Furthermore, data processing may be carried out to protect our legitimate interests under Article 6, paragraph 1, point (f), of the GDPR.

Personal data is blocked or deleted as soon as the purpose of data storage ceases to apply. Data may also be stored if this is required under European or local legislation. Data is blocked and deleted when the specified retention period lapses, unless it is necessary to continue storing data in order to conclude or fulfil a contract.

Personal data is not shared with state institutions and authorities unless subject to mandatory provisions under European or national law. We compel our employees to maintain confidentiality.

For your security, we use SSL or TLS encryption to protect data transfers when you send information to us. You can recognise an encrypted connection because the address line of the browser changes from http:// to https:// or by the padlock icon in the browser window. If SSL or TLS encryption is activated, any information you send to us cannot be accessed by third parties.


Collection and processing of personal data on our website

When you visit our website, our web server automatically saves the server log files listed below, among other things. Data may also be stored if this is required under European or local legislation.

Server log files

We automatically collect and store information in the form of server log files that are sent automatically to us by your browser. This information includes the following:

name of the accessed website, file, date and time of access, data transfer volume, notification of successful access, browser type and version, the user’s operating system, referrer URL (previously visited page), IP address and requesting provider. For mail logs, the information also includes the IP address of the connection, the IP address of the sending server and your own IP addresses as well as the sender email address and delivery email address.

The above information is required for technical operation, for troubleshooting problems, for analysing the load on our servers and for protecting against risks or hacker attacks. Log files are used only for statistical evaluation for the purpose of operation, for security reasons and to optimise our technical infrastructure. Server log files are deleted every 14 days.

The purpose of storage is our legitimate interest in providing and optimising the website. The legal basis is Article 6, paragraph 1, point (f), of the GDPR.

Google Analytics

We use Google Analytics, a web analysis service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The legal basis for use is your consent, which is obtained through the cookie banner, in line with Article 6, paragraph 1, point (a), of the GDPR. Google uses cookies, which are stored on your computer and allow an analysis of how you use our website.

The information generated by the cookie about your use of our website is sent to a Google server in the US and stored there. We activate IP anonymisation, which means that your IP address is truncated within the member states of the European Union or in other member states of the European Economic Area. Only in exceptional cases is the full IP address sent to a Google server in the US, where it is then shortened. The IP address provided by your browser will not be associated with any other information held by Google. Google uses this information on our behalf to analyse your use of our website in order to compile website activity reports. We have no influence on the scope of data collection. For details about the purpose and scope of data collection and further processing as well as the use of data by Google, your related rights and the possible settings to protect your privacy, please refer to Google’s privacy policy.

The IP address provided by your browser to Google Analytics is not associated with any other information held by Google. Your personal data is deleted or anonymised after 14 months. You can prevent the storage of cookies by selecting the appropriate settings in your browser. In this case, however, Northrail would like to point out that you may be unable to make full use of all the available content on the website. As the user, you can also prevent information generated by cookies relating to your use of our website (including your IP address) from being collected and sent to Google as well as the processing of this data by Google by downloading and installing the browser plug-in provided on the following link:

Additionally, we offer you the opportunity to deactivate the collection of your usage data for this website: you can change your decision to use Google Analytics here.


Collection and processing of personal data – contact by email

It is possible to contact us through our website using the email addresses provided. In this case, the user’s personal data that is sent with the email will be stored. As a rule, no information is shared with third parties in this context unless explained otherwise in this data privacy statement under the section ‘Sharing data with third parties’. Data is used only to process the conversation, and we only need it to handle the enquiry. Information is deleted as soon as it is no longer necessary for the purpose for which it was collected. For contact made by email, this occurs when the respective conversation with the user has ended, specifically when it is fair to assume from the circumstances that the matter in question has been clarified in full.

The legal basis for processing this data is Article 6, paragraph 1, point (f), of the GDPR. If the aim of email contact is to conclude a contract, an additional legal basis for data processing is Article 6, paragraph 1, point (b), of the GDPR.


Collection and processing of personal data – job applications

We process your personal data for the purpose of handling your application for employment to the extent necessary for making a decision on embarking on an employment relationship with us. This includes general personal information (such as your name, address and contact details) as well as details concerning your professional qualifications and school education or details concerning your professional training and any other information you provide to us in connection with your application. In addition, we may process professional information that you have made publicly available, such as profiles on professional social media networks. The legal basis here is section 26, paragraph 1, in conjunction with section 26, paragraph 8, sentence 2, of the Federal Data Protection Act (BDSG, latest version). If we does not collect data directly from you but rather from an active profile on an online job platform (e.g. StepStone), or if you present an inactive or only partially active profile during the application process, we may collect personal data in addition to professional information.

We processes your application using StepStone, which means that StepStone Deutschland GmbH and its subcontractors, which you can find in StepStone’s terms and conditions, act on our behalf and are also data recipients under the GDPR. When your application is processed by StepStone on our behalf, security services from Akamai Technologies, Inc. are used and this may result in data transfers to the US.

At the same time, we may process your personal data to the extent necessary to defend against legal claims made against us resulting from the application process. The legal basis for this is Article 6, paragraph 1, point (f), of the GDPR, where our legitimate interest may be, for example, a burden of proof in proceedings under the General Act on Equal Treatment (AGG).

If an employment relationship comes into being between you and us, we may, in accordance with section 26, paragraph 1, of the BDSG, continue to process personal data that you have already provided for purposes related to the employment relationship, to the extent necessary for managing or terminating the employment relationship or to exercise or meet any rights or obligations arising from a law, collective agreement, company agreement or operating agreement (collective agreement) concerning the protection of employees’ interests.

We store your personal data for as long as this is necessary to reach a decision on your application. If an employment relationship between you and us does not come about, we may also store data to the extent necessary to defend against potential legal claims. Application documents are deleted two months after notification of the rejection decision unless a longer retention period is necessary due to legal disputes. The provision of personal data is not required by law or contract, and neither are you obliged to provide personal data. However, the provision of personal data is necessary in order to form a contract of employment with us. This means that if you do not provide us with any personal data during the application process, we will not enter into an employment relationship with you.


Sharing data with third parties

Northrail GmbH will treat your personal data as confidential. If you contact us using our general email address, your data is received centrally by Northrail GmbH and, if necessary, passed on to other departments of the company for the purposes mentioned above. No further sharing with third parties takes place unless, if legally required to do so, we commission an external service provider to process your information and this processing is based on contracts in accordance with Article 28 of the GDPR. Examples of such cases include sending letters or emails and processing by host providers or applicant management system providers. These service providers only receive the information that is necessary for them to perform their tasks. They may not use data for other purposes and are obliged to handle information in accordance with the GDPR and the Federal Data Protection Act (BDSG, latest version). We also draw up appropriate non-disclosure agreements and, if necessary, order processing agreements with each partner. In all other cases, we will inform you if personal information is to be shared with third parties and provide you with an opportunity to give your consent.



Our website uses the following session cookies, which are essential for operating the pages. When a user accesses a page of our website, a cookie may be stored on the local operating system. This cookie contains a unique string of characters that uniquely identifies the user’s browser when the website is accessed again at a later time. We use cookies in order to give our website a more user-friendly design. Some features of our website cannot be offered without using cookies. Additionally, some elements of our website make it necessary for the accessing browser to be identifiable even after the user has navigated to a different website.

The legal basis for the processing of personal data using cookies is Article 6, paragraph 1, point (f), of the GDPR and for cookies used by Google Analytics Article 6, paragraph 1, point (a), of the GDPR.

As the user, you have full control over the use of cookies and can delete the cookies used from your computer at any time. You can also deactivate or limit the use of cookies by changing the settings in your internet browser. Cookies that have already been saved can be deleted at any time.

Change cookie settings


PHPSESSID (session cookie)

This cookie saves your current session with regard to PHP applications and ensures that page functions based on the PHP programming language can be displayed in full. The cookie is deleted after the browser session has ended.

Borlabs Cookie

This cookie is required to save consent with regard to the cookie banner. It is saved for one year after consent has been given through the cookie banner unless you, as the user, delete this cookie from your browser or change your decision regarding consent through the cookie banner by calling it up again using this link: Change cookie settings. In other cases, the cookie is deleted after one year. No personal data is saved.


This cookie is only set to recognise and record the language used or selected by the user. It is saved for one year and is then deleted. No personal data is saved.

Google Analytics

Google Analytics currently places the following cookies on your device:


Rights of the user

You can request information from us about the personal data we have stored about you at any time and free of charge. You are also entitled to have this data corrected or completed if necessary, should it prove to be incorrect or incomplete. If the relevant requirements are met, you are also able to exercise your right to restrict the processing of your personal data or to have it deleted. This does not apply if a certain retention period is required by law. If it is not possible to delete data, data processing will be restricted.

Your request should be made using the following contact details: Northrail GmbH, Königstrasse 28, 22767 Hamburg, Germany; phone: +49 40 8888 00 6-0; email: Additionally, you have the right to object to the processing of your personal data at any time. This does not apply in cases where data collection is absolutely necessary for the provision and operation of the website. If you have contacted us by email or made an application using an online job platform, you can also object to the storage of your personal data at any time. In such cases, the conversation or application process cannot be continued. After receiving your objection, we will no longer use, process or share the data concerned for any purpose other than processing existing contracts. The legality of data processing up until the point of withdrawal shall remain unaffected.

If you would like to object to the collection, processing or use of your data by Northrail GmbH in accordance with this data privacy statement, either entirely or with regard to individual measures, please send your objection to the following address: Northrail GmbH, Königstrasse 28, 22767 Hamburg, Germany, or send an email to:


Data controller under data protection legislation

As the data controller under the General Data Protection Regulation (GDPR) and the BDSG (latest version), Northrail GmbH is responsible for the collection, processing and use of your personal data.


Data protection officer

If you have any questions concerning the processing of your personal data, you can contact our data protection officer (, who acts on behalf of the data controller and whose team is available to handle any information requests, suggestions or complaints.