National railway company SNCF S.A., a French limited company (société anonyme) with a Board of Directors and share capital of €1,000,000,000, registered in the Bobigny Commercial Register under number 552 049 447, with its registered office at SNCF Campus Étoiles, 2, place aux Étoiles, 93200 Saint-Denis (hereafter “the Company”), processes personal data to manage and track its public affairs, advocacy and lobbying activities.
 
In doing so, the Company applies the principles laid down in the legal and regulatory rules it is required to comply with respect to personal data protection. These include, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with respect to the processing of personal data and on the free movement of such data, known as the General Data Protection Regulation or GDPR, and France’s Act No. 78-17 of 6 January 1978 on Information Technologies, Data Files and Civil Liberties, together with its implementing decrees.

This privacy policy (hereafter “the Policy”) is intended to inform you about how the Company processes your personal data, its role as data controller, and how your data are collected, used and protected. 

This Policy also lays out your rights with respect to your personal data under applicable laws and regulations.

In addition to the terms defined elsewhere in this Policy, the following definitions apply to terms used in the Policy, whether in the singular or plural:

• Recipient: a natural or legal person, public authority, agency or other body to which personal data are disclosed, whether or not that party is a a third party.
• Personal data: any information relating to an identified or identifiable natural person, referred to as a “data subject”. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data or online identifier, or to one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity.
• Controller: the natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data.
• Processor: a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
• Processing: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.

We are required to collect personal data where processing is necessary to comply with a legal obligation or to pursue the Company’s legitimate interests. If the data are not provided, the Company may be unable to meet its legal obligations or pursue purposes that fall within its legitimate interest.

Certain personal data are also necessary for processing requests from data subjects seeking to exercise their rights. If these data are not provided, the Company may not be able to process your request.

We collect your personal data both directly and indirectly, in particular from the following sources:

• public sources
• biographical databases obtained from a supplier
• the websites and publications of institutions, organizations and bodies to which you may belong
• newsletters, publications and other publicly available sources of information
• professional databases and government directories
• the press, websites and social media

Personal data are retained for five years from the end of the calendar year in which the advocacy action was undertaken. This is the standard retention period for processing based on a legitimate interest, except in cases where you choose to exercise your right to object or your right to erasure, under the conditions set out in Article 10 of the Policy: “Exercise of rights by data subjects”.

Data processed to produce reporting required by the HATVP are retained until the reports have been submitted, after which they are deleted.

When we process your personal data, only authorized individuals within the Company may access the data, and may do so only where such access is necessary for them to perform their duties and/or assignments.

In certain limited and clearly defined circumstances, external parties may also receive or have access to your personal data. These include:

• departments or bodies responsible for auditing or monitoring the Company, including the statutory auditors, authorities or entities responsible for internal or external control procedures, organizations authorized to perform audits or inspections, the French High Authority for Transparency in Public Life (HATVP), etc.
• the Company’s legal, financial, accounting and other advisers
• the Company’s partners, including current or potential suppliers and service providers, technical service providers and other third parties involved in activities or assignments where access to personal data is necessary and/or justified

This category of recipients may also include companies that publish the applications, software or tools used in our business activities, as well as any IT supplier or provider that performs maintenance on the apps, software or tools used by the Company to process personal data.

Depending on the legal or regulatory framework applicable to the Company, it may also be required to disclose your personal data in response to a lawful request from public authorities or another authorized body.

Note that the recipients listed above only receive the personal data that is strictly necessary for the purpose of the disclosure.

The data is hosted in France and is not transferred outside the European Union.

No automated decisions are made in connection to the data processed in the circumstances described here.

The Company has appointed a data protection officer, reachable at [email protected].

Within the limits and subject to the conditions specified in the prevailing regulations—France’s Information Technologies, Data Files and Individual Liberties Act and the GDPR—all data subjects have the right to ask the data controller for access to their personal data. They also have the right to rectification and erasure, the right to restrict or object to the processing of their data, and the right to issue instructions concerning the handling of their personal data after their death.

You may exercise your rights regarding your personal data processed in connection with public affairs and lobbying activities by sending an email to [email protected].

After you have contacted us, if you believe that your rights have not been upheld, you may file a complaint with the French National Data Protection Commission (CNIL).