It is very important to voestalpine Railway Systems Nortrak LLC (hereinafter “we,” “us,” or “our”) to protect your personal data. We comply with the applicable legal requirements applicable to the protection, lawful handling, and confidential treatment of data as well as with those pertaining to data security, specifically, to the extent legally applicable, the requirements of the laws of the USA and Canada and their political subdivisions, the EU (i.e., European General Data Protection Regulation [“GDPR”]), and voestalpine AG group policies (“Applicable Law and Policies”).
This Data Protection Notice informs you of the type, scope, and purposes of the collection and use by us of your personal data when you visit and use our website and our social media accounts (e.g., Facebook and Instagram), when you contact us, when you use our online shop, and when you subscribe to our newsletter.
Here you will find separate Data Protection Notices applicable to separate issues:
- General Data Protection Notice for Business Partners
- General Data Protection Notice Capital Market Communications
- General Data Protection Notice for event participants
1. Who is responsible for data processing and who can you contact?
Controller:
voestalpine Railway Systems GmbH
Kerpelystraße 199,
8700 Leoben, Austria
Email address: dataprotection.vae@voestalpine.com
2. What is personal data?
The term “personal data” refers to information concerning an identified or identifiable natural person ( “data subject”). For example, this includes the person’s name, email address, or IP address.
3. Processing of data when you use our website
Your data is processed for the following purposes:
3.1 Availability and protection of the website
Purpose: You may visit our website without disclosing your particulars. When you use our website, your end device sends data to our web server. This data is processed by our web servers and automatically stored in so-called “log files.” The processing of your data is necessary in order for us to make our website available to you. We must store the data in log files so that we can ensure the security and functionality of our website.
Categories of data: Network protocol and identification data (IP address, HTTP header fields, browser type, previously visited website (so-called “referrer”), date and time of access, other web traffic data, such as information on the device used, the volume of data sent, etc.)
Legal basis: It is in our legitimate business interest to make a secure, functional, and user-friendly website available. That is why we process data in accordance with Applicable Law and Policies. (For example, to the extent data is subject to the GDPR: Art. 6 (1) (f) of the General Data Protection Regulation (GDPR).)
Retention period: The aforementioned data is stored for the duration permitted under Applicable Law and Policies and is erased upon expiration of this deadline, unless the data is still needed for investigating a security-related event (e.g., a cyber attack) on our website after it has occurred.
Categories of recipients: Processors (IT service providers); in case of a security-related event, possibly also: law enforcement agencies, attorneys, courts, and administrative agencies.
3.2 Use of cookies and Google Analytics
Please see the cookie banner for information on the data protection provisions that apply to the use of cookies and Google Analytics. Among other things, this information explains the type, scope, purposes, data categories, legal basis, retention periods, and categories of recipients of or related to the cookies used.
3.3 Processing of data in connection with the use of our online shop
Our website offers you the option of using an online shop.
If you decide to register in our online shop, please note that it is extremely important to us to handle customer data in accordance with Applicable Law and Policies. Please also see our “General Data Protection Notice for Business Partners.” https://www.voestalpine.com/group/static/sites/group/.downloads/en/group/general-data-protection-notice-for-business-partners-voestalpine-AG.pdf
We inform you below of the type, scope, and purposes of the collection and use of your data when using our online shop:
i. Opening a customer account (registration)
Purpose: You may open a customer account on our website if you want to gain access to expanded functions. We can only make the expanded functions of a user account available to you if we process your data at the time you open a customer account.
Categories of data: Personal data (e.g., salutation, first and last name); business contact information (e.g., name of the company, business address, zip code, city, country, telephone number, email address); identification data assigned (e.g., user name)
Legal basis: You are not obligated, neither by contract nor by law, to make the data required to open a customer account available to us. If you do, however, choose not to make this data available, you will not be able to register for our online shop and, therefore, will be unable to place any orders with us. It is in our legitimate business interest to make a customer account available to you and to process the data you provide in that connection. That is why we process data in accordance with Applicable Law and Policies. (For example, to the extent data is subject to the GDPR: Art. 6 (1) (f) of the General Data Protection Regulation (GDPR)).
Retention period: We store your data in accordance with Applicable Law and Policies. (For example, to the extent data is subject to the GDPR: as long as you maintain a customer account with us.) If you delete your customer account, we will erase your data in accordance with Applicable Law and Policies. (For example, to the extent data is subject to the GDPR:, unless the data are subject to a statutory retention period or are needed to establish, defend, or exercise legal claims).
Categories of recipients: Processors (IT service providers); in case of legal disputes, the data may also be transferred to: law enforcement agencies, legal representatives, and courts.
ii. Online shop orders
Purpose: When you place an order in our online shop, we need to process your data so that we can securely process your payment and send the products you have ordered to you. Your order cannot be processed unless you make your data available.
Categories of data: Personal data (e.g., salutation, name, title, etc.); identification data assigned (e.g., user name, UID number, customer number); business contact information (e.g., company name, address, email address, telephone number, etc.); network protocol and identification data (e.g., IP address, login data (time stamp)); IT data regarding access and authorization credentials (e.g., account activation and deactivation); profile information (optional: preferences, industry, and other information); order data (e.g., order and order history, date, time); billing data (e.g., invoice details, payment terms); communications between the customer and us (free-form text input box).
Legal basis: Applicable Law and Policies provide (For example, to the extent data is subject to the GDPR: Article 6 (1) (b) GDPR (fulfillment of a contract to which the data subject is party)) the legal basis for processing your data, provided you personally are our counterparty. In other respects, pursuant to Applicable Law and Policies (for example, to the extent data is subject to the GDPR: pursuant to Article 6 (1) (f) GDPR), it is in our legitimate interest to process the data we have received from you, provided you are an employee of one of our business partners, so that we can fulfill our contract with this business partner.
Retention period: Your data is erased in accordance with Applicable Law and Policies. (For example, to the extent data is subject to the GDPR: upon expiration of the statutory retention period if there is no other reason for retaining it, such as our need to establish, exercise, or defend our legal claims, or even to fend off legal claims against us (especially guarantee and warranty claims).)
Categories of recipients: Processors (IT service providers); in case of legal disputes, the data may also be transferred to: legal representatives, courts.
iii. Credit checks
Please note that, in certain cases — particularly in connection with purchases on account (i.e., the goods are not paid for until after they have been delivered) — we have the right to collect and process credit check data from other sources, for example, credit reporting agencies.
Since we are providing an advance service when we agree to purchases on account, we process your data in this connection as well as data received from other sources to protect our financial interests (expectation that we will be paid as promised); in doing so, we do so subject to Applicable Law and Policies. (For example, to the extent data is subject to the GDPR: the legal “legitimate interest” doctrine set forth in Art. 6 (1) (f) GDPR.) To the extent that they are performed with respect to an individual, credit checks are carried out only as needed and are limited to that which is indispensable. However, decisions based on credit checks are not just fully automated; instead, the final decision rests with the controller.
3.4 How to contact us
Purpose: You may contact us by email, telephone, or fax if you have any questions about our company, our products, and our services. If you do so, we will process your data for the purpose of processing your inquiry; as a result, your data may also be processed in one of our customer management systems.
Categories of data: Personal data (e.g., salutation, title, first and last name); contact information (e.g., address, telephone number, email address); correspondence data (e.g., content of the inquiry); network protocol and identification data (e.g., date and time of the inquiry); as well as all data you make available to us by uploading or attaching documents.
Legal basis: Inquiries are processed in accordance with Applicable Law and Policies. (For example, to the extent data is subject to the GDPR: either by carrying out (pre-)contractual steps (Art. 6 (1) (b) GDPR) or pursuant to our legitimate business interest (Art. 6 (1) (f) GDPR), specifically, our interest in communicating with our customers and website users.)
Retention period: We retain your data in accordance with Applicable Law and Policies. (For example, to the extent data is subject to the GDPR: as long as necessary to process your inquiry. Once your inquiry has been completed, your data will be erased subject to statutory retention periods, unless holding the data is necessary to establish, fend off, or defend legal claims and to enforce them in governmental or court proceedings.)
Categories of recipients: Processors (IT service providers). In order to fulfill the intended purposes, in some cases, we may also have to transfer your data to specific Group companies (www.voestalpine.com/locations) in order to ensure rapid processing of your inquiry.
3.5 Newsletter subscription
Purpose: You have the option of subscribing to our newsletter through our website. If you subscribe to our newsletter, we need to process your data in order to send you our newsletter. As a result, your data may be processed in one of our customer management systems.
Categories of data: Contact information (e.g., email address)
Legal basis: We process your data for the newsletter only if you give us your consent to do so (Art. 6 (1) (a) GDPR). You may revoke your consent at any time (e.g., via email to [email address of the competent data protection organization] or by clicking the unsubscribe link located in the footer of the newsletter that was sent to you).
Retention period: We retain your data for the purpose of sending you the newsletter as long as you do not revoke your consent to receive it.
Categories of recipients: Processors (IT service providers)
4. Data transfers to third countries
Given the complexity of prevailing data processing processes, we engage so-called processors to process your data. To the extent possible in this connection, we only engage processors in accordance with Applicable Laws and Policies.
We and our service providers process data in third countries. The level of data protection in some of these third countries may not correspond to typical practices in place in the country of origin of the relevant data. For example, the processing of personal data by law enforcement agencies may not be restricted to that which is absolutely necessary, and data subjects may only have limited rights of legal recourse.
We do, however, always ensure that data protection and data security standards compliant with Applicable Laws and Policies are maintained.
For example, to the extent data is subject to the GDPR:
- First of all, under certain circumstances, we may be able to transfer data to those third countries that the European Commission has certified, pursuant to an adequacy decision under Art. 45 GDPR, as possessing an adequate level of data protection.
- If the European Commission has not adopted an adequacy decision regarding a specific third country, we only transfer data subject to appropriate safeguards pursuant to Art. 46 GDPR. In particular, we then apply the standard contractual data protection clauses approved by the European Commission or binding internal data protection regulations; we may also ensure by other means that an adequate level of data protection is put in place (e.g., recipient’s participation in an approved certification system).
- In individual cases, the aforementioned appropriate guarantees pursuant to Art. 46 GDPR as well as the additional measures taken may not be effective enough, thus leaving gaps in legal protections. In cases like these, we process your data in accordance with the exemption under Art. 49 GDPR. Depending on the case at hand, therefore, and to legitimize data transfers we rely on a variety of factors, including (i) your express consent (Art. 49 (1) (a) GDPR); (ii) the need to fulfill the contract (Art. 49 (1) (b) GDPR); or (iii) the need to establish, exercise, or defend our legal claims (Art. 49 (1) (e) GDPR).
You may use the contact information provided in section 11 to obtain further information as well as a copy of the implemented measures in accordance with Applicable Law.
5. Rights of data subjects and option to file a complaint
To the extent, data is subject to the GDPR:
- Article 15 GDPR gives you the right to request confirmation as to whether your data is processed by the controller and the right to access information regarding this data.
- Article 16 GDPR gives you the right to request immediate rectification of inaccurate data concerning your person and/or completion of incomplete data.
- Article 17 GDPR gives you the right to have your data erased.
- Article 18 GDPR gives you the right to restrict the processing of your data.
- Article 20 GDPR gives you the right to data portability.
- Article 21 GDPR gives you the right to object to the processing of your data.
Finally, you also have the option of filing a complaint with the competent regulatory authority.
If your data is processed pursuant to your consent thereto, you have the right to withdraw your consent at any time; doing so, however, does not affect the legality of the processing carried out until you withdraw your consent.
6. Contact information
If you have any questions regarding issue of data protection and the assertion of your rights as enumerated in the foregoing, you may contact our data protection organization at dataprotection.vae@voestalpine.com or by postal mail to voestalpine Railway Systems GmbH, Kerpelystraße 199, 8700 Leoben, Austria.
This Data Protection Notice is amended from time to time at our discretion subject to Applicable Law and Policies.