[Valid from 25.05.2018]
1.1 The data controller for data of the Website users is one of the local GATX Rail Europe entitiy ("GATX" or "Data Controller" or "Company").
1.2 The Data Controller undertakes to respect the confidential nature of the data collected when users use the Website.
1.3 The Data Controller respects the privacy of its customers/Website users and all visitors to the Website (including all its pages).
1.5 "Non-Personal Data" are information that is not personally identifiable, either alone or together with other information. GATX may collect some information about the user, such as age and sex, and also about the areas of the Website visited by the user. This information may be compiled and analysed, both for individuals and in aggregate. This information can cover: the Uniform Resource Locator ("URL") of the website from which the user came and the URL they will visit next, the browser used, and the user's IP address ("IP"). A URL is a global address of Internet sites and other resources. An IP address is an ID of a computer or device in a network using the Transmission Control Protocol/Internet Protocol ("TCP/IP"), such as the Internet. Networks use the TCP/IP protocol to send information on the basis of the IP address of the destination. In other words, an IP address is a number which is automatically assigned to the user's computer when the user surfs the Internet, enabling Internet servers to locate and identify the user's computer. Computers require IP addresses so that users can communicate online and surf the Internet.
2. Information collected by GATX
2.1 Personal Data
GATX may collect Personal Data if the user:
2.1.1 enquires about the services provided by GATX;
2.1.2 contacts GATX;
2.1.3 asks for information about GATX cars; or
2.1.4 sends information to GATX in another manner.
2.2 Non-Personal Data
This Website collects some non-personal information about the user. This process uses Clickstream technology, which may not be fully understandable to the user. Non-identifiable data are not combined with Personal Data.
3. Data processing rules
3.1 The personal data of the Website users will be processed in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR").
4. Data processing: Purposes and operations
4.1 The Data Controller collects data of the people who log into the Website, completed the contact form or signed up for a newsletter.
4.2 The Personal Data of Website users will be processed for the purposes of administrating the user account on the Website, communicating with the user, sending a newsletter and carrying out marketing activities, as well as for other purposes consistent with applicable laws, provided that it is required for the purposes of the agreement to provide electronic services in the form of administering an account for the user, and also for direct marketing of the Data Controller's services, i.e. under Article 6.1(a), (b) and (f) of the GDPR.
4.3 Depending on the form of using the Website, a user may be asked to provide more or less information, including Personal Data, necessary to fulfil their requests.
4.4 The Personal Data of Website users will be stored until the user withdraws their consent to the newsletter and for the period necessary to perform the agreement to provide electronic services in the form of administering an account for the user, to which the user is a party, and after termination of the agreement, for 3 years in an archived form. The Data Controller will process the Personal Data provided by the user for the purposes of direct marketing for the duration and for 12 months after termination of the agreement, unless the user objects to the processing of their Personal Data for this purpose.
5. User rights
5.1 A user has the right to access their data and to modify them, request that they be deleted or the processing be limited, withdraw their consent to Personal Data processing if the Personal Data is processed on the basis of consent, object to processing, transfer the data provided and complain to the supervisory authority for personal data protection in case they conclude that the processing of the user's Personal Data by the Data Controller is contrary to the provisions of the GDPR.
5.2 The provision of Personal Data is voluntary but necessary to perform the agreement. Refusal to provide data will make it impossible to enter into an agreement and to perform the agreements concluded with the Data Controller, and will prevent the Data Controller from performing such services as sending a newsletter.
5.3 Depending on the decision communicated when filling out the relevant form on the Website, the Personal Data provided, in particular the email address and the mobile number, may be used by the Data Controller to send commercial information.
5.4 Moreover, where separate consent is given, the Data Controller may periodically send a newsletter prepared by it to the email address provided by the user.
6. Information provided by GATX to other entities
6.2 GATX enters into agreements with other companies (e.g. website developers) who provide certain services to GATX in order to create/maintain this Website. In some cases, the partners can have access to Personal Data but they are contractually obliged to keep them secret and use them solely to provide services to GATX.
6.3 The agreements signed with those companies prohibit them from using the information provided by GATX for their own marketing purposes or provide that information to entities other than GATX.
6.4 The Data Controller entered into an agreement with the hosting company DATA Quest, concerning the processing of the Personal Data necessary to provide services related to details entered by the Website users in relevant contact forms (e.g. name, surname, address, email address). The Data Controller intends to provide data to the above-mentioned service provider after receiving them from users.
6.6 Notwithstanding the above rules, GATX may disclose a user's Personal Data to relevant third parties if GATX is required to do so by law or believes that it is necessary:
6.6.1 to comply with obligations imposed by law (e.g. search order, court summons or court order);
6.6.2 to protect the rights and property of the Company;
6.6.3 to analyse reports of fraud, users sending materials using a fake email address or users sending harassing, threatening or offensive messages;
6.6.4 to prevent improper or unauthorised use of this website; or
6.6.5 in emergencies, for example when GATX believes that the physical safety of a given person is or may be at risk.
8.1 Subject to the consent of the Website user, the Data Controller may store some information in cookies on the user's computer.
8.2 Cookies are not used to obtain any information about the Website users Cookies used on the Website do not store any Personal Data or any other information collected from users. They are used to help user log in (e.g. save username when the user signs up or logs in), remember some preferences of the user, and support the Controller in improving the Website, among other things.
8.3 The Website uses two basic cookie types: session cookies and persistent cookies. Session cookies are temporary files stored on the user's end device until the user logs out, leaves the website or closes the software (web browser). Persistent cookies are stored on the user's end device for the time specified in the parameters of the cookies or until deleted by the user.
8.4 In many cases, the default settings of the web browsing software (web browser) enable cookie storage on the user's end device. Website users may change their cookie settings at any time. These settings can be changed in particular to block automatic cookie handling, which requires changing the web browser settings, or to inform the Website user any time cookies are sent to their device. For detailed information on cookie handling, see your software (web browser) settings.
8.5 A user can give their consent referred to above through the settings of the software installed on their end IT device or the service configuration - i.e. to disable or restrict cookies, the user can change the settings of their web browser. However, this may result in incorrect operation of or lack of access to some pages of the Website.
8.6 The following types of cookies are used on the Website:
(a) strictly necessary cookies, which enable use of the services available on the Website, e.g. authentication cookies used for services that require authentication on the Website;
(b) cookies that ensure security, e.g. those used for detecting authentication abuses on the Website;
(c) performance cookies, which help us collect information about how the pages of the Website are used;
(d) functionality cookies, which remember choices made by the user and personalise the interface, e.g. regarding language, the user’s region, font size, page design, etc.;
8.7 The Data Controller informs you that restricting cookies can affect some functions of the Website.
8.8 For more information on cookies, visit http://www.allaboutcookies.org/.
9. Risk related to using the Website
9.1 A user should be aware that data sent by the public telecommunications network between their device and the Website are not entirely safe. The Data Controller is unable to ensure full protection and safety for these data during communication with the Website. However, the Controller guarantees that it will take appropriate measures to secure the data sent to it by electronic means, in particular Personal Data provided by the user via online forms.
9.3 Therefore, the Data Controller bears no responsibility for the content directly or indirectly linked to from this Website or to which references are made on this Website. The sole responsibility for the content of such a site lies with the operator of the site linked to or site referred to on this Website. The Data Controller will remove links or references to sites containing illegal content immediately upon becoming aware of them and as soon as realistically possible.
9.4 The Data Controller shall not be responsible for posts or messages published or sent by forum users, published in visitors books or on mailing lists on this Website.
9.5 Some elements of the Website can be particularly interesting for children, but GATX has no intention to collect the Personal Data of persons under 13 years old. Should it turn out at any time that GATX collected any Personal Data of persons under 13, these Data will be immediately deleted.
10. Control transfer
10.1 Under certain circumstances the Data Controller may decide to sell or transfer some or all of its enterprise or assets. In such a case, users' Personal Data may be transferred or provided to third parties by the Data Controller as part of or in connection with the planned transaction. In such situations, the Controller will ensure that the third parties undertake to ensure adequate protection of the Personal Data collected through the Website. In addition, the Data Controller will inform Website users of such circumstances and the users will have the right to demand that their data be deleted.
11. Contacting us
Should you have any questions about the processing of Personal Data by the Data Controller, please contact the Data Controller:
GATX Rail Austria GmbH
Am Europlatz 5
+43 1 865 66 85 0
+43 1 865 66 85 91
GATX Rail Germany GmbH
+49 40 36 804 0
+49 40 36 804 112
Data Protection Officer:
DPO Service GmbH
Attn: Mr. Philipp Karius
+49 69 2 99 08 901
GATX Rail Poland Sp z o.o.
ul. Przyokopowa 31
+48 22 69 79 100
+48 22 69 79 200
GATX Rail France SAS
64 rue Tiquetonne
+33 1 44 88 20 30
+33 1 44 88 21 17