Privacy
01. Applicant Privacy Notice 02. Customer Privacy Notice 03. Privacy and Cookie Policy 04. Supplier Privacy Notice 05. Data Protection Contacts

Applicant Privacy Notice

This notice provides you with information on how the GATX Rail Europe group, in particular, the GATX Rail
Europe entity you are in contact with (“we”) will process your personal data in connection with your job
application.

  1. Purposes for which we process your personal data

We will process the personal data set out in point 2 for the following purposes:

  • to approach potential employees actively through different means as well as through commissioned personnel consultants (recruitment);
  • to plan and manage human resources on a global level, including but not limited to ensuring appropriate staffing;
  • planning and administration of potential employee skills;
  • to process applications received via different communication methods (e.g. via e-mail or Social Media);
  • to organize the application process;
  • to execute assessment centres and to carry out aptitude tests;
  • for the establishment, exercise or defense of legal claims;
  • to be able to consider former job applicants for new job opportunities (e.g. Candidate Pool); and
  • ensuring the health and safety of our employees and visitors.

We collect your personal data in the course of your application process either (i) through public sources; (ii) personnel consultants; (iii) from you when you provide your personal data to us (e.g., by sending your résumé via e-mail or via employee profile registration on Success Factors); or (iv) by taking notes during your job interview.

The provision of personal data is voluntary. However, if you do not provide your personal data, it will not be
possible to complete the job application process.

  1. Processed data categories and legal basis of the processing

We process the following personal data on the basis of our prevailing legitimate interest according to Article 6(1)(f) General Data Protection Regulation (“GDPR”), which is to guarantee an efficient application process and to ensure that we fill our vacancies with suitable job applicants:

  • name;
  • prefix (Mr./Mrs./etc.) including academic titles;
  • suffix;
  • photo (if provided);
  • gender;
  • address;
  • date/place of birth;
  • driving license (yes/no);
  • e-mail address;
  • telephone number;
  • civil status and children;
  • citizenship;
  • residence permit / work permit;
  • position you apply for;
  • type of application (e.g., e-mail, LinkedIn, speculative application yes/no);
  • earliest date of entry;
  • notice period;
  • desired salary;
  • résumé;
  • military service/civilian service;
  • education (school, university, courses);
  • previous professional experience;
  • personal skills and competences;
  • signature;
  • certificates and reports;
  • notes regarding the job interview;
  • informative disclosures (e.g. provided by third parties);
  • communication data (including e-mail traffic);
  • video recordings provided by you as well as evaluations thereof (1-5 stars and explanations, if any) by HR managers, responsible managers or other decision makers;
  • evaluation and assessment data in the course of the application process (e.g. assessment reports, reports resulting from aptitude tests); and
  • any other data provided by you during the job application process.

In some cases we may ask you in a separate process to provide your consent (Article 6(1)(a) GDPR).

  1. Transfer of personal data

As far as necessary for the purposes set out above, we will transfer your personal data to the following recipients:

  • recruitment agencies that we use;
  • providers of aptitude tests that we use;
  • IT service providers that we use; and
  • companies that are part of our corporate group.

Some of the recipients referred to above are located in or process personal data outside of your country. The level of data protection in another country may not be equivalent to that in your country. However, we only transfer your personal data to countries where the EU Commission has decided that they have an adequate level of data protection or we take measures to ensure that all recipients provide an adequate level of data protection. We do this for example by entering into appropriate data transfer agreements based on Standard Contractual Clauses (2010/87/EC and/or 2004/915/EC). Such agreements are accessible upon request from GDPR@gatx.eu.

  1. Retention periods

We will retain your personal data either for the duration of the application process or in case you consent to us holding on to your application for future consideration until you revoke your consent. In any case, we will retain your data as long as there are statutory retention obligations or potential legal claims are not yet time-barred.

  1. Your rights in connection with your personal data

Under applicable law, you have, among others, the rights (under the conditions set out in applicable law): (i) to check whether and what kind of personal data we hold about you and to request copies of such data; (ii) to request correction, supplementation or deletion of your personal data that is inaccurate or processed in noncompliance with applicable requirements; and (iii) to request us to restrict the processing of your personal data; (iv) in certain circumstances, to object for legitimate reasons to the processing of your personal data or to revoke consent previously granted for the processing; (v) to request data portability; (vi) to know the identities of third parties to which your personal data are transferred; and (vii) to lodge a complaint with the competent authority. Withdrawing your consent does not affect the lawfulness of processing based on your consent before your withdrawal.

  1. Our contact details

Please address your requests and any other questions concerning this notice to your contact person at GATX or GDPR@gatx.eu.
Furthermore, you can find the contact details of each entity here.

Last update on September 30th, 2021

Customer Privacy Notice

The protection of your personal data is of great importance to the GATX Rail Europe group and in particular, the GATX Rail Europe entity you are in contact with (“we”). We would, therefore, like to inform you how we process your personal data and, if applicable, how we disclose and use such data as well as how you can exercise your rights as a data subject.

  1. Purposes for which we process your data

We will process the categories of your personal data set out in Point 2 for the following purposes:

  • performing direct marketing via electronic and non-electronic means as well as advertising;
  • analysis of customer satisfaction;
  • managing of our relationships with (potential) customers, including the analysis of (potential) customers’ business needs and how they use our products and services;
  • business analytics and statistical analysis, including the aggregation of data in order to analyze market trends
    and anticipate (potential) customer demand;
  • documenting interactions (e.g. meetings, phone calls, e-mail conversations) with (potential) customers;
  • organization of and invitation to any of our events;
  • business opportunity management and tracking of opportunities;
  • managing and performing sales processes, compliance with sanctions (e.g. trade sanctions) and other regulatory
    requirements;
  • making available certain online services to customers and further optimizing and developing such services and
    analyzing the usage of such services and generating access statistics;
  • analyzing and forecasting (potential) customer demand; and
  • administration of any on-site visits at our premises, including ensuring the health and safety of our employees
    and visitors.

We collect your personal data either

  • from you directly, in the course of our communication or business relationship, or
  • from public sources (e.g., public internet sources, public registers, public attendance lists of events), or
  • through our employees, who are in contact with you or manage the relationship with you.

You are under no obligation to provide us with the data we ask you for. However, if you do not provide your personal data certain business processes or marketing processes might be delayed or even impossible, and it might become impossible for you to attend our events. Should the provision of your personal data be mandatory by law, we will inform you separately thereof.

  1. Personal data we collect and process

We collect and process the following personal data relating to you:

  • Main data: name, academic title, salutation/sex, language, country, birth date, associated (potential) customer (employer), company address, e-mail address, phone number, fax, and other contact, information, roles/functions at (potential) customer, department, and any other data necessary to communicate with you efficiently.
  • Relationship data: professional and personal interests, career information, meeting notes, receipt of and reaction to marketing and sales initiatives, information on participation in prize draws and sweepstakes (e.g. prize awarded), history of previous interactions with any of our group companies, information on the use of any online services provided by any of our group companies, including IP address, authentication data (e.g., username and password), URLs visited, time and date of the use of an online service or a particular feature thereof, name and version of the client software used, location data, and the webpage (URL) visited before accessing the online service, history of orders placed, history of inquiries made, customer category, correspondence, additional information necessary to ensure the health and safety of our customers and visitors, and any other information to document and maintain our relationship with you.
  • Commercial information: scope of power of attorney for the (potential) customer, history of commercial transactions with any of our group companies, contracts entered into on behalf of the customer, contractual documentation, information about contract performance and instances of non-performance, information about the expiration and termination of the contract, and other information necessary to document our commercial relationship with your employer.
  1. Legal bases of the processing

We process the categories of your personal data listed in Point 2 either on the basis of

  • your consent according to Article 6(1)(a) of the General Data Protection Regulation (“GDPR“), for which we may ask you in a separate process;
  • our prevailing legitimate interest according to Article 6(1)(f) GDPR to achieve the purposes set out in point 1, or
  • the necessity to comply with legal obligations to which we are subject (Article 6(1)(c) GDPR).
  1. Transfer of your personal data

To achieve the purposes set out above, we may transfer your personal data to the following categories of recipients:

  • IT service providers that we use;
  • auditors for the performance of audits;
  • banks for the management of payment transactions;
  • contract partners or business partners who are or should be participating in the performance of the delivery or service;
  • companies that are part of the GATX Corporation corporate group (www.gatx.com);
  • courts and public authorities;
  • insurances in the context of the conclusion of an insurance contract concerning the delivery/service or occurrence of the insured event.

Some of the recipients referred to above are located in or process personal data outside of your country. The level of data protection in another country may not be equivalent to that in your country. However, we only transfer your personal data to countries where the EU Commission has decided that they have an adequate level of data protection or we take measures to ensure that all recipients provide an adequate level of data protection. We do this for example by entering into appropriate data transfer agreements based on Standard Contractual Clauses (2010/87/EC and/or 2004/915/EC). These are accessible upon request (see the contact details in point 7).

  1. Retention period

We will retain your personal data for (i) as long as we are in a business relationship with you and thereafter (ii) as long as required under statutory retention obligations or (iii) as long as potential legal claims, where personal data is needed to raise or defend against the claim, are not yet time-barred.

  1. Your rights in connection with your personal data

Under applicable law, you have the right to (under the conditions set out in applicable law):

  • obtain confirmation as to whether and what kind of personal data we store about you and to request copies of
    such data;
  • request us to restrict the processing of your personal data;
  • request data portability;
  • request rectification or erasure of your personal data;
  • object to the processing of your personal data; and
  • lodge a complaint with the competent supervisory authority.
  1. Our contact details

Please address your requests and any other questions concerning this notice to your contact person at GATX or GDPR@gatx.eu.
Furthermore, you can find the contact details of each entity here.

Last update on September 30th, 2021

Privacy and Cookie Policy

This website is operated by GATX Rail Austria GmbH, Am Europlatz 5, Building C, A-1120 Vienna, Austria (“GATX”, “we” or “us”). GATX respects the privacy of the visitors of this website. This policy outlines the type of personal data we may collect from you in the course of your visit of this website and how we may use this data. We may update this policy from time to time, so please check it occasionally.

  1. Processed data categories, legal bases and purposes of the processing

In the course of your visit of this website, we may collect and process the following personal data:

The Date and the time of your visit of this website, the address of the pages visited on our website (URL), your IP address, name and version of your web browser, the webpage (URL) you have visited before or will visit after you accessed this website, certain cookies (see point 3 below), your login data and the information that you provide to us when making an enquiry on this website (e.g., your name, address, telephone number and e-mail address).

We collect this data from you automatically when you visit this website or if you provide it to us via this website (e.g. by completing a contact form or signing up for our newsletter).

You are under no obligation to provide us with the data we ask you for. However, if you do not provide your data, you will not be able to make use of all the functions of this website. Should the provision of your data be mandatory by law, we will inform you separately thereof.

We will process the data set out above for the purposes of making this website and your user account available to you, to administer the user account, to further optimise and develop our website, to recognise, prevent and investigate attacks of our website, to analyse the usage of our website, to generate website access statistics, to analyse and forecast customer demand, to provide our newsletter and allow you to make inquiries using this website.

The legal basis of the processing of your personal data is our prevailing legitimate interest to achieve the purposes identified above (Article 6(1)(f) EU General Data Protection Regulation) or, where you have given us your consent, your consent (Article 6(1)(a) EU General Data Protection Regulation).

We do not use automated individual decision-making that would produce legal effects for you or would similarly significantly affect you.

  1. Transfer of your personal data

To achieve the purposes set out above, we may transfer your personal data to our IT service providers, including the hosting provider Data Quest, and to other companies of the GATX Group as set out in point 7 below.

Some of the recipients referred to above may be located in or process personal data outside of your country. The level of data protection in another country may not be equivalent to that in your country. However, we only transfer your personal data to countries where the EU Commission has decided that they have an adequate level of data protection or we take measures to ensure that all recipients provide an adequate level of data protection. We do this for example by entering into appropriate data transfer agreements based on Standard Contractual Clauses (2010/87/EC and/or 2004/915/EC). These are accessible upon request (see the contact details in point 6).

  1. Cookies and Google Analytics

3.1. Cookies

We use “cookies” to improve the functionality of our websites. Cookies are small text files that may be installed on your end device when you visit a website. Cookies are generally used to provide site visitors with additional functionality within the site. Cookies cannot access, read or modify any other data on your computer.

We may use cookies that

  • are going to be deleted again when you close your browser (session cookies),
  • remain stored on your end user device even after you close your browser (permanent cookies),
  • originate from us (first party cookies) or from third party cookies.

Through our cookies, we process data on the following legal bases:

  • We use cookies, which are absolutely necessary for our websites to function, on the basis of our prevailing legitimate interest to ensure the functioning and security of this website (Article 6(1)(f) EU General Data Protection Regulation).
  • We use all other cookies on the basis of your consent (Article 6(1)(a) General Data Protection Regulation).

In order to withdraw your consent or to restrict it to certain cookies, you have inter alia the following options:

  • Use the settings of your browser. Details can be found in the help function of your browser.
  • At http://www.youronlinechoices.com/uk/your-ad-choices you can have the system analyze which cookies are used by you and deactivate them individually or in their entirety. This is an offer from the European Interactive Digital Advertising Alliance.

Withdrawing your consent does not affect the lawfulness of processing based on your consent before your withdrawal. Please note that the functionality of our websites may be impaired if you withdraw or restrict your consent.

Details about the cookies we use:

3.2. Google Analytics

This website also uses Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer to help the website analyze how users use the site. We process your data on the basis of our prevailing legitimate interest to cost-efficiently generate easy to use website access statistics and optimize our web offerings and advertising (Article 6(1)(f) General Data Protection Regulation).

The information generated by the cookie about your use of the website (including your IP address and the URLs of the accessed websites) will be transmitted to and stored by Google on servers in the United States. We do not store any of your personal data collected in connection with Google Analytics.

This website uses the IP anonymization feature provided by Google Analytics. Your IP address will therefore be truncated/anonymized by Google as soon as Google receives you IP address. On our behalf, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to us. Google will not associate your IP address with any other data held by Google.

You may refuse the use of cookies by selecting the appropriate settings on your browser. However, please note that if you do this, you may not be able to use the full functionality of this website. Furthermore, you can prevent Google’s collection and use of your data by downloading and installing the browser plug-in available under: https://tools.google.com/dlpage/gaoptout?hl=en-GB.

Further information concerning Google’s terms of use and privacy statement can be found at https://www.google.com/analytics/terms/gb.html or at https://policies.google.com/?hl=en&gl=uk.

  1. Retention period

Your personal data will only be kept for as long as it is necessary to achieve the purposes set out in point 1 above.

We will, in any case, retain your personal data for as long as (i) required under statutory retention obligations or (ii) potential legal claims, where personal data is needed to raise or defend against the claim, are not yet time-barred.

  1. Your rights in connection with your personal data

Under applicable law, you have the right to (under the conditions set out in applicable law):

  • obtain confirmation as to whether and what kind of personal data we store about you and to request copies of such data,
  • request rectification or erasure of your personal data,
  • request us to restrict the processing of your personal data,
  • object to the processing of your personal data,
  • withdraw any consent previously granted for the processing (withdrawing your consent does not affect the lawfulness of processing based on your consent before your withdrawal),
  • request data portability, and
  • lodge a complaint with the competent supervisory authority.
  1. GATX Group companies

We may transfer your personal data to the following GATX Group companies:

Company Address
GATX Rail Germany GmbH Valentinskamp 70
Emporio Tower
20355 Hamburg
Germany
GATX Rail Poland Sp z o.o. The Warsaw HUB
Rondo Daszyńskiego 2B
00-843 Warszawa
Poland
GATX Rail France SAS 64 rue Tiquetonne
75002 Paris
France
GATX Rail Europe B.V. Johan de Wittstraat 130
3311 KJ Dordrecht
The Netherlands
GATX Rail Switzerland GmbH Neuhofstrasse 12
6340 Baar – Neufeld
Switzerland
Wagon Service Ostróda Sp.z o.o. ul. 11-go Listopada 26
14-100 Ostróda
Polen

 

  1. Our contact details

Please address your requests and any other questions concerning this notice to your contact person at GATX or GDPR@gatx.eu.
Furthermore, you can find the contact details of each entity here.

Last update on August 1st, 2020

Supplier Privacy Notice

This notice provides you with information on how the GATX Rail Europe group, in particular the GATX Rail Europe
entity you are in contact with, („we“) will process your personal data.

  1. Purposes for which we process your data

We will process your personal data (as set out in point 2 below) for the following purposes:

  • supply chain collaboration;
  • strategic sourcing;
  • procurement;
  • contract lifecycle management;
  • spend analysis;
  • supplier management;
  • financial supply chain management;
  • invoice management;
  • dynamic pricing;
  • payments; and
  • supplier discovery.

We collect this data either directly from you, from our distribution partners, or your employer. The provision of personal data is voluntary. However, if you do not provide your personal data, we may not be able to perform relevant business processes, including sales and distribution processes.

  1. Processed data categories and legal basis of the processing

We process your personal data either (i) on the basis of our prevailing legitimate interest (according to Article 6(1)(f) GDPR), which lies in achieving the purposes as set out in point 1 above; or (ii) on the basis of the necessity for the performance of a contractual obligation or in order to take steps at your request prior to entering into a contract (Article 6(1)(b) GDPR) or (iii) on the basis of the necessity for compliance with legal obligations to which we are subject (Article 6(1)(c) GDPR).

We process the following persona data:

a) Master data

  • Name;
  • Academic title;
  • Salutation/sex;
  • Company name;
  • Address;
  • Phone number;
  • Email address;
  • Other contact details of the supplier;
  • Corporate evaluation report;
  • Supplier contact person’s name;
  • Job position and role within a project team;
  • Department;
  • Language;
  • Work related contact details;
  • Partner roles of the suppliers needed for invoicing and ordering;
  • Government-issued identification number;
  • Information on the use of any online services provided by any GATX Rail Europe Group company, including IP; and
  • address, authentication data (e.g., username and password), URLs visited, time and date of the use of an online service or a particular feature thereof, name and version of the client software used, location data, and the webpage (URL) visited before accessing the online service.

b) Accounting and payment information

  • VAT number;
  • Tax code;
  • Country key;
  • Bank key;
  • Bank account;
  • Name of the account holder;
  • Account key;
  • Bank category;
  • Reference details;
  • SWIFT code;
  • IBAN;
  • Bank name and address;
  • Attachment of confirmation documents;
  • Terms of payment; and
  • Accounting correspondence.

c) Supplier classification

  • Vendor portfolio;
  • Product categories;
  • Main product category;
  • Additional product categories; and
  • Vendor category.

d) Supplier qualification

e) Information on goods and/or services offered by supplier

  • quantity and quality of offered goods and/or services; and
  • other commercial terms of the offer.

f) Contract information

  • commercial terms of the contract;
  • legal terms of the contract;
  • any other contractual documentation; and
  • information about contract performance and instances of non-performance.
  1. Transfer of your personal data

For the purposes set out above, we will transfer some of your personal data to the following recipients:

  • IT service providers that we use;
  • GATX Rail Europe Group entities; and
  • our distribution and business partners if they are involved in the product/service delivery.

some of the recipients referred to above are located or process personal data outside of your country. The level of data protection in another country may not be equivalent to the one in your country. Therefore, we take measures to guarantee that all recipients provide an adequate level of data protection. We do this for example by entering into appropriate data transfer agreements based on Standard Contractual Clauses (2010/87/EC and/or 2004/915/EC). Such agreements are accessible upon request from GDPR@gatx.eu.

  1. Retention periods

Your personal data will only be kept for as long as we reasonably consider necessary for achieving the purposes set out in point 1 above and as is permissible under applicable laws. We will in any case retain your personal data for as long as there are statutory retention obligations or potential legal claims are not yet time-barred.

  1. Your rights in connection with your personal data

Under applicable law, you have, among others, the rights (under the conditions set out in applicable law): (i) to check whether and what kind of personal data we hold about you and to request copies of such data, (ii) to request correction, supplementation or deletion of your personal data that is inaccurate or processed in non-compliance with applicable requirements, and (iii) to request us to restrict the processing of your personal data, (iv) in certain circumstances, to object for legitimate reasons to the processing of your personal data, (v) to request data portability, (vi) to know the identities of third parties to which your personal data are transferred and (vii) to lodge a complaint with the competent authority.

  1. Our contact details

Please address your requests and any other questions concerning this notice to your contact person at GATX or GDPR@gatx.eu.
Furthermore, you can find the contact details of each entity here.

Last update on September 30th, 2021

Data Protection Contacts

If you have any questions or suggestions concerning the processing of your personal data by the companies of the GATX Rail Europe Group, please contact Mr. Gregor Gessner via e-mail GDPR@gatx.eu or in writing

GATX Rail Austria GmbH
Am Europlatz 5
Building C
A-1120 Vienna
Austria

For questions regarding the processing of your personal data by GATX Rail Germany GmbH, you can also contact their data protection officer:

DPO Service GmbH
Bethmannstraße 50-54
D-60311 Frankfurt/Main
Germany
Datenschutz@dposervice.de

Array