SNCF uses a platform provided by the company DASTRA to manage requests to exercise data-protection rights (hereafter referred to as the “DASTRA platform”). This platform can be accessed via SNCF Group’s online services.

SNCF SA, Délégué à la Protection des Données, SNCF – Direction Numérique Groupe - 12 rue Jean-Philippe Rameau - CS 80001 - 93212 La Plaine Saint-Denis CEDEX

We process your data to manage your requests to exercise your data-protection rights.

Data processing is based on SNCF’s legal obligation to respond to requests to exercise data-protection rights (Articles 12 et seq. of the Regulation (EU) 2016/679 - General Data Protection Regulation - GDPR).

The DASTRA platform processes the personal data you provide when submitting a request to exercise your data-protection rights using the online form available in the relevant privacy notice.

Depending on the information you submit, the DASTRA platform may process the following categories of personal data:

• Identity data – first and last name or pseudonym, date of birth, and proof of identity where required
• Subscription information – passes, loyalty cards, discount cards and similar products.
• Contact details – email address and telephone number
• Photographs or images
• Messages exchanged
• Log-in or connection data – IP address, date and time of connection

Requests to exercise data-protection rights that are submitted by email or by post, using the contact details provided in the relevant privacy notice, are also recorded on the DASTRA platform so that they can be tracked and managed centrally.

Your answers to the fields marked with an asterisk on the online form are required to process your request.

• Data are kept for five years from the end of the calendar year in which your request to exercise your personal data rights was submitted.
• Supporting identity documents are deleted immediately after your identity has been verified.

Within the limits of their respective responsibilities, SNCF personnel involved in managing your requests to exercise your data protection rights are the recipients of all or part of the data you provide.

Your data may be communicated to other SNCF Group entities, as well as their partners and subcontractors, where necessary to process your request.

The data is hosted in France and is not transferred outside the European Union.

No automated decisions are made in connection with the data processed.

In accordance with applicable regulations, you may access and obtain a copy of your personal data, object to its processing, and request its rectification or erasure. You also have the right to request the restriction of processing of your data.

You may exercise your rights by contacting the Data Protection Officer (DPO) of the SNCF Group company responsible for the processing, using the address provided in the relevant SNCF Group privacy policy.

If, after contacting us, you believe that your data protection rights have not been respected, you may file a complaint with the French National Data Protection Commission (CNIL).