Our privacy policy

At SNCF Group, we’re committed to maintaining the highest ethical standards, in particular when it comes to protecting personal data.

In the course of our business, we collect and process personal data concerning our customers, our employees, and our partners, such as suppliers and service providers.

In an effort to promote innovation while at the same time building strong, lasting relationships based on mutual respect and shared, socially responsible values, we use technical and organizational measures to protect the personal data we process.

This policy describes SNCF Group’s commitments concerning the protection of personal data.

1. Fair, transparent collection

We inform our customers, employees, and partners of the processing of their data.

Our aim in collecting personal data is to optimize management of our relationships with our customers, employees, and partners.

2. Lawful and proportionate data processing

When we process data, we do so for specific purposes. Whenever we process data, there is a legitimate, defined, and explicit purpose.

We ensure that the data are retained in a form that permits identification of the data subjects for no longer than is necessary to accomplish the purpose of the processing.

3. Data minimization and accuracy

Whenever we process data, we undertake to collect and use only such data as are adequate, relevant, and limited to what is necessary for the purposes for which the data are processed.

4. Data protection

Each SNCF Group company has a designated Data Protection Officer (DPO).
DPO for SNCF: [email protected]
DPO for SNCF Voyageurs: [email protected]
DPO for SNCF Réseau: [email protected]
DPO for SNCF Gares & Connexions: [email protected]
DPO for Fret SNCF: [email protected]
DPO for Keolis: [email protected]
DPO for Geodis: [email protected]

At SNCF Group, we take technical and organizational measures to ensure that data are processed in a manner that protects them against accidental loss, destruction, or damage that could undermine their confidentiality or integrity.

When developing, designing, selecting, and using tools for the processing of personal data, we ensure (where applicable, working with the tools’ publishers) that they provide an optimal level of protection for processed data.

We take measures that comply with the principles of data protection by design and data protection by default. To that end, when possible and/or necessary, we use the techniques of pseudonymizing and encrypting data.

When using a service provider, we communicate personal data only after obtaining the provider’s commitment to comply with our own security rules.

We conduct audits of our own departments and of our service providers to verify compliance with data security rules.

5. Restricted access to data

SNCF Group follows strict authorization policies to ensure that the data we process are transmitted only to persons who are authorized to have access to them.

When we need to transfer data to a location outside the European Union, we do so only in accordance with specific contractual provisions and in compliance with the requirements of the competent supervisory authorities.

6. Respect for personal rights

We are particularly careful to respect the rights of data subjects:

  • the right to be informed;
  • the right to access;
  • the right to rectification;
  • the right to erasure (the “right to be forgotten”);
  • the right to restriction of processing;
  • the right to data portability;
  • the right to object; and
  • the right to issue directives regarding the retention, erasure, and communication of personal data after the data subject is deceased.

7. Contacting us

SNCF Group is able to respond to requests by data subjects to exercise their rights throughout processing, in compliance with the conditions and time limits imposed by applicable regulations.

Data subjects may make requests to exercise their rights by electronic means and/or by post, using the contact information provided in information notices, application and website terms of use, data collection forms, etc.

Data subjects must clearly state their first and last name, attach a copy of a form of identification, and indicate the address to which they would like the response to be sent.

We inform all data subjects wishing to exercise their rights if it is impossible to comply with their request.

About SNCF invitations and gifts

As part of the SNCF Group's anti-corruption compliance programme, in accordance with the “Sapin II” law on transparency, the fight against corruption and the modernisation of economic life, the RICA (Register of Invitations and Gifts) application is used to monitor and manage invitations and gifts made or received by SNCF employees.