Privacy Statement
The most recent version of this Privacy Statement is of 24 May 2018.
Introductory note
The application of due care when dealing with personal data is of paramount importance to RailApp in the performance of its services. RailApp is responsible for the processing of data together with the users. In view of the nature of the service provided by RailApp, certain personal details of one person must sometimes be shared with another person. It is therefore of vital importance that you take note of this privacy statement.
A brief explanation of RailApp
RailApp is an online planning application for rail-related activities. Companies can schedule services/activities within RailApp and choose to schedule their own employees to such services/activities or to have externally hired employees scheduled to the services/activities in the RailApp. Once services are scheduled, the employees can view the services when they log in to RailApp and then sign in and out resulting in a digitally signed e-Work Order if required. For a detailed explanation of RailApp with all its features, please refer to www.railapp.nl/en or to your contact at RailApp.
RailApp Online Privacy Policy
This privacy statement applies to all personal data collected through websites and/or applications offered by or on behalf of RailApp or directly under the name RailApp (RailApp is a trade name of SPL-it BV. SPL-it BV together with its trade names, subsidiaries and affiliates are referred to in this Privacy Statement as “RailApp”). The responsibility for the processing of personal data is borne by RailApp and by the users of the RailApp, who use the RailApp as a closed platform to match supply and demand with regard to specialized personnel, and who also help set the goals for the processing and maintain control of the personal data processed within the RailApp. Since RailApp manages the application and, together with the users, determines the purpose of and the means for the processing of the personal data entered by the users, RailApp acts both as controller and as processor within the meaning of the General Data Protection Regulation (GDPR).
This privacy statement only applies to websites and/or applications offered by or on behalf of RailApp and referring to this privacy statement (referred to as “RailApp websites and/or applications”). It does not apply to third-party websites and/or applications to which RailApp websites and/or applications may refer. Your use of RailApp websites and/or applications referring to this privacy statement is subject to this privacy statement and to the user conditions, and any direct agreements made among the users of the RailApp. You are requested to read this privacy statement before using RailApp websites and/or applications or providing personal data to us. In the event of registration for, the use of or the supply of personal data via the RailApp websites and/or applications, you consent to the use as described in this privacy statement.
Contact details
RailApp is established on Tweede Rosestraat 10, 3074 JK Rotterdam, Netherlands (please note: visiting address). The general e-mail address is: info@railapp.nl. For any correspondence regarding privacy-related matters please contact SPL-it BV’s Data Protection Officer, who can be reached at privacy@railapp.nl or on telephone number +31 10 203 59 18.
By post: SPL-it BV (RailApp)
Data Protection Officer
P.O.B. 24108 3007 DC Rotterdam
The Netherlands
What does “Personal Data” mean?
Following the definition in the GDPR, “Personal data” in this context means all information about an identified or identifiable natural person (“the data subject”); any natural person who can be identified directly or indirectly, in particular based on an identifier such as a name, an identification number, location data, an online identifier or one or more elements that are characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person, and which is provided to and/or collected by or on behalf of RailApp and is stored in an immediately accessible format, can be considered identifiable. Examples of personal details are your name, your address, your e-mail address and telephone number. “Sensitive data” refers to highly sensitive personal data such as your ethnic origin or your medical data.
What RailApp’s purpose of processing personal data?
RailApp processes personal data of its customers, users of the RailApp websites and/or applications and suppliers for the purposes described below. Since RailApp is mainly a processor, these goals are generic and aimed at providing services to the users/co-controllers.
These generic goals are:
• facilitating and providing access to, providing and being able to use the services offered by RailApp (processing is necessary for the execution of an agreement);
• the storage and the assessment of data in order to be able to offer services tailored to the preferences of the users (processing is necessary for the execution of an agreement);
• being able to conduct our financial administration (processing is necessary for the execution of an agreement);
• the security, control and prevention of abuse and the prevention of inconsistency and unreliability of data, such as in the performance of audits (necessary for the representation of the legitimate interests of the controller and the processor);
• the continuity and proper functioning of products and services, including having maintenance performed, making a backup, making improvements after errors or inaccuracies found and receiving support (processing is necessary for the execution of an agreement) ;
• improving our services (necessary for the representation of the legitimate interests of the controller and the processor, where data is aggregated and can never be traced back to a personal level);
• being able to inform about relevant products and services of RailApp (RailApp’s must ask for your permission and you may withdraw your permission at any time);
• to comply with legal obligations applicable to RailApp.
What is the legal ground on which RailApp processes personal data?
RailApp processes personal data of its customers, users of the RailApp websites and/or applications because the processing is necessary for the representation of the legitimate interests of the controller or of a third party.
With respect to the specific personal data being processed, these are largely optional; however, for some personal data they are definitely required within RailApp.
This means for example that, if such data is not processed, the application can not be used for its intended purpose. This may be the first and last names, the mobile number and the e-mail address of an employee who must be scheduled via RailApp. The e-mail address is required to be able to receive login details, to set a new password, and also to be informed about the operation of the application through functional news updates about updated or adapted functionalities. The starting point is that the users who accept this privacy statement want to be informed by RailApp through a periodic news update. However, users can also unsubscribe from this feature.
Further to this, data may be recorded within RailApp but are not mandatory. It depends on the users how they want to use RailApp. Confidential information such as a copy of your passport/ID card or your Citizen Service Number or whether you are medically competent for a particular job are usually optional and therefore do not have to be entered to use RailApp. However, for some clients it may be necessary to be able to offer yourself or your employees and to mediate for deployment at companies that make use of the RailApp. If this is the case, then this must be done based on your permission to the respective employer or client in order to make use of the services that RailApp can offer you.
By logging in to RailApp via the web application (www.railapp.nl/INLOGGEN), the menu items ‘my data’ and ‘certificates’ can be used to view your data that has been adopted in RailApp. You may adjust certain items by yourself and/or have certain data adjusted by your employer and/or client(s) in consultation with them.
RailApp takes your privacy seriously
RailApp uses third parties (“RailApp service providers”) to help provide high-quality services; RailApp can, for example, hire a (sub) processor for the management of the RailApp websites and/or applications. This means that such third parties engaged by RailApp may possibly process your personal data on behalf of RailApp. This is the case, for example, if you register for a RailApp website and/or application and you are requested to enter an e-mail address; in this case it may be a third party that processes your application. RailApp requires third parties engaged by RailApp that your personal information is not shared with others. The objective of not sharing information unnecessarily with RailApp by third parties engaged by RailApp helps us to protect your privacy; this is part of RailApp’s principles of “privacy by design”.
Since RailApp also partly acts as a processor for the collection and processing of your personal data with the aim of efficiently bringing together supply and demand in the planning and deployment of personnel between parties that (normally) have a contractual and/or commercial relationship with each other, you should also take note of the privacy statement of the controller. In practice, this will typically be your employer, your agent or your client, who uses your personal data via the RailApp to make schedules and for example to respond to service invitations. Where RailApp acts as a controller, this privacy statement grants certain rights and obligations to RailApp, and commitments in respect of you, even though RailApp may delegate the collection and processing of your personal data partially or entirely to a third party. Agreements have been made with such third parties engaged by RailApp about the collection and processing of personal data. Processing by such third parties only takes place in accordance with our instructions, this privacy statement and the applicable laws and regulations.
What information is being collected?
The following types of personal data is stored in the RailApp:
Personal Data provided by you: this is personal information entered by you or otherwise provided on RailApp websites and/or applications in (open) data fields. For example, you may provide your name, address, e-mail address and/or other information to receive information on various topics, to qualify yourself, to register for programs, to contact customer service or to participate in surveys. In order to better protect your privacy, we advise you not to provide information that is not specifically requested.
Personal data from other sources: this is personal information about you obtained from other companies, such as your client or employer when they use RailApp’s websites and/or applications in connection with services they offer you or plan for you. RailApp may furthermore process your personal data if you use one of the other websites and/or applications offered by us or other services provided by us.
Passive collection of technical and Web Browsing Information: via the RailApp websites and/or applications, information about your visits to RailApp websites and/or applications can be collected anonymously without you actively providing such information.
By logging in to RailApp via the web application (www.railapp.nl/INLOGGEN), the menu items ‘my data’ and ‘certificates’ can be used to view your data that has been adopted in RailApp. You may adjust certain items by yourself and/or have certain data adjusted by your employer and/or client(s) in consultation with them.
Is “sensitive” personal data being collected?
Certain special personal data can be collected by the controllers and entered into the RailApp, and then possibly viewed by others in the RailApp, depending on their rights and whether prior permission has been given, resulting from rail-related legislation and/or regulations, such as whether you have medical approval to perform a certain position and the validity term of the approval. This is related to safeguarding authorities and your possible employability and the safety of third parties. This data can be classified as “sensitive data”. RailApp will take additional measures for the collection, protection and processing of such data, in accordance with the legal requirements.
How will the personal details supplied by me be used?
Your personal data (collected through yourself or through other sources) can be used for the following purposes:
• The execution of our obligations arising from an agreement between you and/or your client and/or your employer on the one hand and RailApp on the other hand and to provide you with the information, the services you need to make effective use of the RailApp websites and/or applications.
• Matching the available information with the requested criteria to ensure that the deployment of persons in rail-related (possibly safety-critical) positions takes place in a warranted manner in order to comply with the applicable laws and regulations, including the requirements as formulated, for example, in general and specific European Regulations, the Railways Act, Decrees, Regulations, Railway Personnel 2011 and any later versions thereof, various current industry guidelines such as the guidelines of Stichting RailAlert, etc.
• To be able to inform you about any changes to these services.
• Ensure that the content of RailApp websites and/or applications is presented in the most effective way for you and for your computer and/or smartphone and/or tablet etc.
• To offer you the opportunity to receive information about the services and products of RailApp and to invite you to participate in surveys about our services.
• To offer you information and marketing materials with regard to the use of the RailApp products/services through various means of communication, such as written communication, e-mail, direct mail and/or telephone. If you do not want us to use your data in this way, or if we pass on your details to third parties for marketing purposes, we ask you to notify us with respect to this.
Technical passively collected and web-browsing information can be used:
• for the management of the RailApp websites and/or applications and for internal operations, including problem solving, data analysis, testing, research, statistical and research purposes;
• to improve RailApp websites and/or applications and ensure that the content is presented in the most effective way for you and your computer and other equipment;
• so you will be able to take part in interactive sections of our services (if you so choose); and
• as part of the efforts to secure RailApp websites and/or applications.
RailApp may furthermore use the data to improve, develop and evaluate the website and/or application and of products, services, materials, programs and market research. In this way, we can use data to find the best moment to send users certain reminders, to establish and improve interaction among users of RailApp websites and/or applications with a specific profile, to examine how (anonymized) users generally feel about certain functions or services of the websites and/or applications, to investigate whether certain groups of users stop prematurely with certain treatments and all kinds of other analyses that benefit RailApp and the users.
Will personal data supplied by me on a RailApp website and/or application be combined with other personal data about me?
Personal data provided by you on a RailApp website and/or application may be combined or consolidated with personal information from one or more customers or suppliers who are using RailApp websites and/or applications. In particular, such information can be anonymized and subsequently used to help us improve RailApp websites and/or applications and RailApp products, improve research activities and enable other business features.
For the end user it is important to know that the RailApp platform consists of a web application and a specific mobile extension through a mobile app for Android hosted in the Google Playstore as well as for iOS in the Apple Appstore.
RailApp does not use or store personal information offered with the so-called Android Advertising ID (Advertisement ID). However, RailApp does use third party services that may collect information used to identify you.
Link to privacy policy of third party service providers used by the app:
https://policies.google.com/privacy
https://firebase.google.com/terms/data-processing-terms/
If you do not want to send this data you can opt out from this from your device. To find your Android Advertising ID (Android Advertising Identifier), open the Google Settings app on your Android device and click on “Ads.” Your Advertising Identifier will be listed at the bottom of the screen.
To what extent do I have control of the use or collection of my personal data?
You may limit the amount and type of personal data collected by choosing not to enter any or all of your personal data on forms or data fields on RailApp websites and/or applications or to provide them us through your employer and/or client. However, some of the online services can only be provided to you if you provide the correct personal information. In addition, under the prevailing laws and regulations you may have the right to access, rectify and/or block the processing of your personal data. In that case, please contact the controller or us through the contact details in this privacy statement.
Will my personal data be shared with third parties?
RailApp only shares your personal data under the instruction of the controller, which may take place in the following circumstances:
Third parties with your consent.
In addition to the moments described in this privacy statement in which personal data can be shared with third parties, RailApp may share personal data with third parties if you have given permission thereto either directly or through your employer or through your client, or if you make a request for such data exchange. For example, the situation could be related to a different client where you would like to be employed as a person and the client could in that case view part of your personal data.
RailApp Service Providers.
As described above, RailApp can use third parties, such as service providers/sub-processors, to perform business activities for RailApp. If RailApp service providers collect your personal data on behalf of RailApp or the other controller, the obligation to observe confidentiality with regard to your personal data and to only use such data to perform activities for RailApp will be imposed on such RailApp service providers according to policy.
Disclosure to third parties as and when required by law or regulations or for the protection of our services.
RailApp or RailApp service providers may disclose your personal data in the following circumstances:
• If so required in legal proceedings or in case of a request for information or cooperation from the government or similar authorities.
• If so required by law.
• To prevent fraud or to enforce that our Terms of Use and other agreements apply to protect the rights, property or security of RailApp or any of our affiliates, business partners, customers, employees or others.
Other parties with respect to a business transaction.
RailApp may disclose your personal information to the potential (or actual) seller or buyer of a company or assets, for example in the event of a merger, bankruptcy, reorganization or liquidation. If RailApp, or practically all of its assets are acquired by a third party, the personal data held by RailApp about its customers and users will be one of the assets under the transfer.
How is my personal data securely stored?
RailApp takes appropriate technical and organizational measures to ensure a security level in line with the risk. The security measures taken by RailApp are stated below.
Retention period
The controller determines the retention period, which means you can verify with your client and/or your employer what their privacy statement states in this respect. When processing by RailApp is necessary for the execution of an agreement, your personal data will be processed by us for a period of up to two years maximum after termination of the agreement. In case of statutory retention periods, for example under the terms of the administrative retention obligation for Users such as companies, longer terms may apply.
Will personal data be supplied outside the country?
The Users, RailApp and third parties with whom RailApp shares data, may collect, transfer, store and process your personal data in countries within the EU, where such is in accordance with this privacy statement. If personal data is supplied to countries outside the EU, RailApp will take the appropriate measures to legitimize such a supply.
How is children’s privacy protected by RailApp?
RailApp does not process personal data of children on RailApp websites and/or applications, where RailApp is aware that it includes information about children (“children” are defined as minors below the age of 16). If you are a parent and find out that your child has provided us with personal data, please contact us using one of the methods mentioned above. We will then try to find a solution together with you.
How can I adjust or remove personal data from the current databases?
First of all, by logging in to RailApp via the web application (www.railapp.nl/INLOGGEN), the menu items ‘my data’ and ‘certificates’ can be used to view your data that has been adopted in RailApp. You may adjust certain items by yourself and/or have certain data adjusted by your employer and/or client(s) in consultation with them. You can request RailApp, or through your employer and/or your client (as controller), to delete your personal data from the current database or to make adjustments to your personal details. You are asked to inform the controller or RailApp of your wishes by contacting RailApp’s data protection officer as mentioned above. For administrative or other legitimate business purposes we may retain (certain parts of) your personal data. Furthermore, RailApp or the controller may be under statutory obligation to retain certain information that may contain personal data. For a proper assessment as to whether this is the case, RailApp may have to contact you and your employer and/or the client to specifically assess these matters.
Data Protection Officer
In all communication to RailApp you are requested to state your name and the e-mail address you used for registration (where applicable), as well as the address of the relevant website and/or application or the specific RailApp program to which you have supplied your personal data, and a detailed explanation of your request. If you wish to inspect your personal data, wish to (completely) delete, modify or correct such data, submit a request for data portability and/or contact us by e-mail, please make sure that the subject of the e-mail: “Request for deletion” or “Request for change/correction/data portability” is mentioned. We will make an effort to timely respond to all reasonable requests.
Complaints
RailApp would like to help you find a suitable solution for complaints or concerns about your privacy. However, you always have the right to submit a complaint to the Dutch Data Protection Authority.
Adjustment of the policy
RailApp may regularly review this privacy statement, inform you about adjustments by posting a notice on the RailApp websites and/or applications. Your use of the RailApp websites and/or applications after changes have been made is considered as your acceptance of the changed rules.
Security policy
Organization of information security and communication processes
Measures to protect personal data against unintentional or unlawful destruction, unintentional loss or alterations, unauthorized or unlawful storage, processing, access or disclosure.
The organization of information security and communication processes
• RailApp has a Data Protection Officer (DPO), who is mainly responsible for informing and advising RailApp with regard to its obligations under the GDPR and monitors compliance.
• Information security incidents are documented and used for optimization of the information-security policy.
• RailApp has set up a process for handling (and communication about) information-security incidents (dataleak procedure).
Staff members
• Confidentiality statements have been agreed with employees who perform work for and/or on behalf of RailApp.
• RailApp encourages awareness, education and training with regard to information security.
• Pursuant to an authorization system, employees do not have access to more data than is strictly necessary for their job.
Physical security and continuity of resources
• Personal data is only processed in data centers in a closed, physically secure environment, protected against external threats. An access protocol has been set up. Access is moreover registered.
• Personal data is only processed on equipment where measures have been taken to physically secure the equipment and to guarantee the continuity of the services.
• Periodic backups are made for the continuity of the services. These backups are treated confidentially and stored in a closed environment.
• The locations where data is processed are secured through locks, alarm systems and are periodically tested, maintained and periodically assessed for safety risks.
• Users have access to their data and personal data and any data and personal data of other users through a PC/notebook and/or mobile app, however, access is only possible after logging in with their user name and their own secret password. RailApp notifies its users (through this document and also through the various contractual agreements) of the fact that passwords must be kept in a safe manner and that they must observe due care when granting access to third parties in order to prevent unauthorized access to their data.
Network, server and application security and maintenance
• The network environment in which data is processed is strictly protected. Traffic flows are separated and measures are implemented against abuse and attacks.
• The environment in which personal data is processed is monitored.
• The systems in which personal data is processed are set up on the basis of system planning, security control and acceptance (DTAP). Any changes to applications are tested for vulnerabilities before they are taken into production.
• The latest (security) patches are periodically installed on the systems based on patch management.
• Data processed within applications are classified according to risks.
• Penetration tests and vulnerability assessments are performed periodically.
• Cryptographic measures have been applied to passwords to securely store such data.
• Encrypted connections are used for log-in processes. The exchange of personal data to third parties takes place encrypted.
Description of the measures to identify weak spots
The RailApp systems are periodically checked for safety. Additionally, RailApp’s security policy provides for internal processes to identify vulnerabilities.
Notification of an infringement related to personal data
RailApp monitors its services and has taken measures to prevent and identify unauthorized or unlawful access to data. Signs indicating a personal-data breach are assessed by RailApp’s data-protection officer, who analyzes whether there may be a breach of personal data and the type of infringement.
If an infringement relating to personal data processed by RailApp as the controller has been made, RailApp shall report this to the competent supervisory authority no later than 72 hours after it became acquainted with the infringement, unless it is unlikely that the personal-data breach involves a risk for the rights and freedoms of natural persons. Where the personal-data breach is likely to pose a high risk to the rights and freedoms of natural persons, RailApp shall inform the data subject of the personal-data breach without delay.
