Data privacy statement
Data privacy statement
General information about data processing
The team at Northrail GmbH (Northrail) is pleased that you have decided to visit our website and thanks you for your interest in our company and products. We take the protection of your personal information very seriously and want you to feel safe when visiting our website. As the data controller under data protection legislation, we would like to inform you about the nature and scope of personal data processing.
The protection of your privacy when processing personal data is an important matter for us and one that is reflected in our business processes. In principle, we only process personal data to the extent that is necessary in terms of running a functional website, handling correspondence through the email addresses published on our website and providing content and services.
Insofar as we obtain the data subject’s consent for personal data to be processed, the legal basis for processing personal data is Article 6, paragraph 1, point (a), of the EU General Data Protection Regulation (GDPR). When the processing of personal data is necessary for the performance of a contract, the legal basis is Article 6, paragraph 1, point (b), of the GDPR. This also applies to processing operations that are necessary for carrying out tasks before a contract is entered into. Furthermore, data processing may be carried out to protect our legitimate interests under Article 6, paragraph 1, point (f), of the GDPR.
Personal data is blocked or deleted as soon as the purpose of data storage ceases to apply. Data may also be stored if this is required under European or local legislation. Data is blocked and deleted when the specified retention period lapses, unless it is necessary to continue storing data in order to conclude or fulfil a contract.
Personal data is not shared with state institutions and authorities unless subject to mandatory provisions under European or national law. We compel our employees to maintain confidentiality.
For your security, we use SSL or TLS encryption to protect data transfers when you send information to us. You can recognise an encrypted connection because the address line of the browser changes from http:// to https:// or by the padlock icon in the browser window. If SSL or TLS encryption is activated, any information you send to us cannot be accessed by third parties.
Collection and processing of personal data on our website
When you visit our website, our web server automatically saves the server log files listed below, among other things. Data may also be stored if this is required under European or local legislation.
Server log files
We automatically collect and store information in the form of server log files that are sent automatically to us by your browser. This information includes the following:
name of the accessed website, file, date and time of access, data transfer volume, notification of successful access, browser type and version, the user’s operating system, referrer URL (previously visited page), IP address and requesting provider. For mail logs, the information also includes the IP address of the connection, the IP address of the sending server and your own IP addresses as well as the sender email address and delivery email address.
The above information is required for technical operation, for troubleshooting problems, for analysing the load on our servers and for protecting against risks or hacker attacks. Log files are used only for statistical evaluation for the purpose of operation, for security reasons and to optimise our technical infrastructure. Server log files are deleted every 14 days.
The purpose of storage is our legitimate interest in providing and optimising the website. The legal basis is Article 6, paragraph 1, point (f), of the GDPR.
The IP address provided by your browser to Google Analytics is not associated with any other information held by Google. Your personal data is deleted or anonymised after 14 months. You can prevent the storage of cookies by selecting the appropriate settings in your browser. In this case, however, Northrail would like to point out that you may be unable to make full use of all the available content on the website. As the user, you can also prevent information generated by cookies relating to your use of our website (including your IP address) from being collected and sent to Google as well as the processing of this data by Google by downloading and installing the browser plug-in provided on the following link: https://tools.google.com/dlpage/gaoptout?.
Additionally, we offer you the opportunity to deactivate the collection of your usage data for this website: you can change your decision to use Google Analytics here.
Collection and processing of personal data – contact by email
It is possible to contact us through our website using the email addresses provided. In this case, the user’s personal data that is sent with the email will be stored. As a rule, no information is shared with third parties in this context unless explained otherwise in this data privacy statement under the section ‘Sharing data with third parties’. Data is used only to process the conversation, and we only need it to handle the enquiry. Information is deleted as soon as it is no longer necessary for the purpose for which it was collected. For contact made by email, this occurs when the respective conversation with the user has ended, specifically when it is fair to assume from the circumstances that the matter in question has been clarified in full.
The legal basis for processing this data is Article 6, paragraph 1, point (f), of the GDPR. If the aim of email contact is to conclude a contract, an additional legal basis for data processing is Article 6, paragraph 1, point (b), of the GDPR.
Collection and processing of personal data – job applications
We process your personal data for the purpose of handling your application for employment to the extent necessary for making a decision on embarking on an employment relationship with us. This includes general personal information (such as your name, address and contact details) as well as details concerning your professional qualifications and school education or details concerning your professional training and any other information you provide to us in connection with your application. In addition, we may process professional information that you have made publicly available, such as profiles on professional social media networks. The legal basis here is section 26, paragraph 1, in conjunction with section 26, paragraph 8, sentence 2, of the Federal Data Protection Act (BDSG, latest version). If we does not collect data directly from you but rather from an active profile on an online job platform (e.g. StepStone), or if you present an inactive or only partially active profile during the application process, we may collect personal data in addition to professional information.
We processes your application using StepStone, which means that StepStone Deutschland GmbH and its subcontractors, which you can find in StepStone’s terms and conditions, act on our behalf and are also data recipients under the GDPR. When your application is processed by StepStone on our behalf, security services from Akamai Technologies, Inc. are used and this may result in data transfers to the US.
At the same time, we may process your personal data to the extent necessary to defend against legal claims made against us resulting from the application process. The legal basis for this is Article 6, paragraph 1, point (f), of the GDPR, where our legitimate interest may be, for example, a burden of proof in proceedings under the General Act on Equal Treatment (AGG).
If an employment relationship comes into being between you and us, we may, in accordance with section 26, paragraph 1, of the BDSG, continue to process personal data that you have already provided for purposes related to the employment relationship, to the extent necessary for managing or terminating the employment relationship or to exercise or meet any rights or obligations arising from a law, collective agreement, company agreement or operating agreement (collective agreement) concerning the protection of employees’ interests.
We store your personal data for as long as this is necessary to reach a decision on your application. If an employment relationship between you and us does not come about, we may also store data to the extent necessary to defend against potential legal claims. Application documents are deleted two months after notification of the rejection decision unless a longer retention period is necessary due to legal disputes. The provision of personal data is not required by law or contract, and neither are you obliged to provide personal data. However, the provision of personal data is necessary in order to form a contract of employment with us. This means that if you do not provide us with any personal data during the application process, we will not enter into an employment relationship with you.
Sharing data with third parties
Northrail GmbH will treat your personal data as confidential. If you contact us using our general email address, your data is received centrally by Northrail GmbH and, if necessary, passed on to other departments of the company for the purposes mentioned above. No further sharing with third parties takes place unless, if legally required to do so, we commission an external service provider to process your information and this processing is based on contracts in accordance with Article 28 of the GDPR. Examples of such cases include sending letters or emails and processing by host providers or applicant management system providers. These service providers only receive the information that is necessary for them to perform their tasks. They may not use data for other purposes and are obliged to handle information in accordance with the GDPR and the Federal Data Protection Act (BDSG, latest version). We also draw up appropriate non-disclosure agreements and, if necessary, order processing agreements with each partner. In all other cases, we will inform you if personal information is to be shared with third parties and provide you with an opportunity to give your consent.
The legal basis for the processing of personal data using cookies is Article 6, paragraph 1, point (f), of the GDPR and for cookies used by Google Analytics Article 6, paragraph 1, point (a), of the GDPR.
PHPSESSID (session cookie)
This cookie saves your current session with regard to PHP applications and ensures that page functions based on the PHP programming language can be displayed in full. The cookie is deleted after the browser session has ended.
This cookie is required to save consent with regard to the cookie banner. It is saved for one year after consent has been given through the cookie banner unless you, as the user, delete this cookie from your browser or change your decision regarding consent through the cookie banner by calling it up again using this link: Change cookie settings. In other cases, the cookie is deleted after one year. No personal data is saved.
This cookie is only set to recognise and record the language used or selected by the user. It is saved for one year and is then deleted. No personal data is saved.
Google Analytics currently places the following cookies on your device:
- _gat: used to throttle the request rate. The cookie is deleted after one minute.
- _ga and _gid: used to distinguish between users. These cookies are deleted after two years.
Rights of the user
You can request information from us about the personal data we have stored about you at any time and free of charge. You are also entitled to have this data corrected or completed if necessary, should it prove to be incorrect or incomplete. If the relevant requirements are met, you are also able to exercise your right to restrict the processing of your personal data or to have it deleted. This does not apply if a certain retention period is required by law. If it is not possible to delete data, data processing will be restricted.
Your request should be made using the following contact details: Northrail GmbH, Königstrasse 28, 22767 Hamburg, Germany; phone: +49 40 8888 00 6-0; email: firstname.lastname@example.org Additionally, you have the right to object to the processing of your personal data at any time. This does not apply in cases where data collection is absolutely necessary for the provision and operation of the website. If you have contacted us by email or made an application using an online job platform, you can also object to the storage of your personal data at any time. In such cases, the conversation or application process cannot be continued. After receiving your objection, we will no longer use, process or share the data concerned for any purpose other than processing existing contracts. The legality of data processing up until the point of withdrawal shall remain unaffected.
If you would like to object to the collection, processing or use of your data by Northrail GmbH in accordance with this data privacy statement, either entirely or with regard to individual measures, please send your objection to the following address: Northrail GmbH, Königstrasse 28, 22767 Hamburg, Germany, or send an email to: email@example.com
Data controller under data protection legislation
As the data controller under the General Data Protection Regulation (GDPR) and the BDSG (latest version), Northrail GmbH is responsible for the collection, processing and use of your personal data.
Data protection officer
If you have any questions concerning the processing of your personal data, you can contact our data protection officer (firstname.lastname@example.org), who acts on behalf of the data controller and whose team is available to handle any information requests, suggestions or complaints.