Skip to main content

Data Privacy / Data Protection

It is very important to voestalpine Railway Systems GmbH, Kerpelystraße 199, 8700 Leoben, Austria (hereinafter “we,” “us,” or “our”) to protect your personal data. We comply with the legal requirements applicable to the protection, lawful handling, and confidential treatment of data as well as with those pertaining to data security, specifically the European General Data Protection Regulation (“GDPR”) and pertinent national data privacy rules and regulations.

This Data Protection Notice informs you of the type, scope, and purposes of the collection and use by us of your personal data when you visit and use our website www.voestalpine.com/railway-systems  ("website"), our social media accounts (LinkedIn and YouTube) and when you contact us.

Here you will find separate Data Protection Notices applicable to separate issues:

Who is responsible for data processing and who can you contact?

Controller:

voestalpine Railway Systems GmbH

Kerpelystraße 199, 

8700 Leoben, Austria

Email address: dataprotection.vae@voestalpine.com

 

What is personal data?

The term “personal data” refers to information concerning an identified or identifiable natural person ( “data subject”). For example, this includes the person’s name, email address, or IP address.

Processing of data when you use our website

Your data is processed for the following purposes:

  • Purpose: You may visit our website without disclosing your particulars. When you use our website, your end device sends data to our web server. This data is processed by our web servers and automatically stored in so-called “log files.” The processing of your data is necessary in order for us to make our website available to you. We must store the data in log files so that we can ensure the security and functionality of our website.

    Categories of data: Network protocol and identification data (IP address, HTTP header fields, browser type, previously visited website (so-called “referrer”), date and time of access, other web traffic data, such as information on the device used, the volume of data sent, etc.)

    Legal basis: It is in our legitimate business interest to make a secure, functional, and user-friendly website available. That is why we process data in accordance with Art. 6 (1) (f) of the General Data Protection Regulation (GDPR).

    Storage period: We shall store your data for as long as it is necessary for the processing of your inquiry. After your inquiry has been processed in full, your data will be erased in compliance with the statutory retention periods, unless it is required for the assertion, repulsion or defense of legal claims and their enforcement in official or judicial proceedings. The maximum limit for the storage of cookies is 8 months.

    Categories of recipients: Processors (IT service providers); in case of a security-related event, possibly also: law enforcement agencies, attorneys, courts, and administrative agencies.

  • Please see the [Cookie-Banner] for information on the data protection provisions that apply to the use of cookies and Google Analytics. Among other things, this information explains the type, scope, purposes, data categories, legal basis, retention periods, and categories of recipients of or related to the cookies used. 

  • Purpose: You may contact us by email, telephone, or fax if you have any questions about our company, our products, and our services. If you do so, we will process your data for the purpose of processing your inquiry; as a result, your data may also be processed in one of our customer management systems.

    Categories of data: Personal data (e.g., salutation, title, first and last name); contact information (e.g., address, telephone number, email address); correspondence data (e.g., content of the inquiry); network protocol and identification data (e.g., date and time of the inquiry); as well as all data you make available to us by uploading or attaching documents.

    Legal basis: Inquiries are processed either by carrying out (pre-)contractual steps (Art. 6 (1) (b) GDPR) or pursuant to our legitimate business interest (Art. 6 (1) (f) GDPR), specifically, our interest in communicating with our customers and website users.

    Retention period: We retain your data as long as necessary to process your inquiry. Once your inquiry has been completed, your data will be erased subject to statutory retention periods, unless holding the data is necessary to establish, fend off, or defend legal claims and to enforce them in governmental or court proceedings.

    Categories of recipients: Processors (IT service providers). In order to fulfill the intended purposes, in some cases, we may also have to transfer your data to specific Group companies (www.voestalpine.com/locations) in order to ensure rapid processing of your inquiry.

  • We use the functions of the web analysis service Google Analytics on our website in order to analyze user behavior and optimize our Internet presence. The provider of this service is Google Ireland Limited, Barrow Street, Dublin 4, Ireland.

    Purpose: In using Google Analytics, we are able to analyze information about website visitors in a simplified way. This enables us to further optimize our website.

    Data categories: During your visit to the website, among others, the following data are collected: The pages you access, your “click path”, the achievement of the “website goals” (conversions, such as newsletter registrations, downloads, purchases), your user behavior (such as clicks, length of stay, bounce rates), your approximate location (region), your IP address (in shortened form), technical information about your browser and the devices you use (such as language settings, screen resolution), your Internet provider, the referrer URL (from which website/advertising medium you came to our website), app updates, JavaScript support, widget interactions as well as the date and time of your visit.

    Legal basis: The processing of your data with the use of Google Analytics is based on your express consent in terms of point (a) of Art. 6 (1) GDPR. You can withdraw your consent at any time, with effect for the future.

    Storage period: The data on your use of our website will be erased immediately after the end of the storage period set by us. Google Analytics issues us with the following options for the retention period: 14 months, 26 months, 38 months, 50 months, do not erase automatically. You can ask us about the current storage period we have set at any time.

    Categories of recipient: On our behalf, Google will use information to evaluate the use of our website, to compile reports on the activities on our website and in order to provide us with further services connected to the use of our website. The information generated is transferred by Google to a server in the USA for analysis and stored there. The parent company of Google Ireland, Google LLC, is based in California, USA. A transfer of data to the USA and access by public authorities in the US to the data stored by Google cannot be ruled out. Google LLC, which is based in the USA, however, is certified for the US-European data protection agreement, the “EU-U.S. Data Privacy Framework”, which guarantees compliance with the level of data protection that applies in the EU. Google only transfers such data to third parties on the basis of statutory provisions or within the scope of contracted data processing. We have no influence on the scope or further use of the data collected by Google through the use of this tool.

  • We use the Google Maps service of the company Google Ireland Limited, Gordon House, Barrow Street, 4 Dublin, Ireland on our website. The use of Google Maps is subject to special terms of use, which you can find here: https://policies.google.com/terms?hl=de&gl=en and https://www.google.com/intl/de_de/help/terms_maps.html

    Purpose: The integration of map material from Google Maps is used for the professional presentation of the contents of our website. We use this service to offer the localization of objects.

    Data categories: For the processing itself, the service, and/or we, shall collect the following data:
    Data required for the visualization and display of location data in the form of a map, in particular IP address, information from Google background services such as Google Apis, search terms, IP address, coordinates, the start location and destination when using the route planner, location data, Google advertising ID, Android advertising ID.

    Legal basis: The collection, storage and evaluation take place in accordance with point (f) of Art. 6 (1) GDPR on the basis of the legitimate interest of Google in the display of personalized advertising, market research and/or the needs-based design of Google websites. You have the right to object to the creation of these user profiles; you must contact Google to exercise this right. If you do not agree to the future transfer of your data to Google when using Google Maps, you also have the option to completely deactivate the Google Maps web service by switching off the JavaScript application in your browser. In this case, Google Maps and therefore the map display cannot be used on this website.

    Storage period: Google anonymizes data in server logs by erasing part of the IP address and cookie information after 9 and/or 18 months respectively. Depending on your decision, your location and activity data will be stored for either 3 or 18 months and then erased. You can also erase the history manually at any time in your Google account. If you want to completely prevent your location from being recorded, you must deactivate the “Web and App Activity” section in your Google account. Further information is available in the data protection information of Google, which you can access here: https://www.google.com/policies/privacy/

    You can find out exactly where the Google data centers are located here: https://www.google.com/about/datacenters/inside/locations/. The data processing conditions for Google products and the standard contractual clauses for the data transfer to third countries are available at https://business.safety.google/adsprocessorterms/.

    Categories of recipient: The information generated is transferred by Google to a server in the USA for analysis and stored there. The parent company of Google Ireland, Google LLC, is based in California, USA. A transfer of data to the USA and access by public authorities in the US to the data stored by Google cannot be ruled out. Google LLC, which is based in the USA, however, is certified for the US-European data protection agreement, the “EU-U.S. Data Privacy Framework”, which guarantees compliance with the level of data protection that applies in the EU. Google only transfers such data to third parties on the basis of statutory provisions or within the scope of contracted data processing. We have no influence on the scope or further use of the data collected by Google through the use of this tool.

    Data recipients:

    Google Ireland Limited

    Google LLC (United States of America)

    Alphabet Inc (United States of America)

  • Our website uses the Google Tag Manager service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

    Purpose: Tag Manager is a service with which we can manage website tags through an interface. This allows us to integrate code snippets such as tracking codes or conversion pixels on websites without interfering with the source code.

    Data categories: Google Tag Manager itself does not create any user profiles, does not store any cookies and does not carry out any independent analyzes. It is only used to manage and display the tools that integrated through its use. Google Tag Manager records your IP address, however, which may also be transferred to the parent company of Google in the United States.

    Legal basis: The use of Google Tag Manager takes place on the basis of point (f) of Article 6 (1) GDPR. We have a legitimate interest in the fast and uncomplicated integration and management of various tools on its website.

    Storage period: Apart from your IP address, no data is collected. To ascertain how long the individual tracking tools store your data, please refer to the respective data protection texts for the individual tools.

    Categories of recipient: As no data is collected by Google Tag Manager, the various web analysis tools are considered as primary categories of recipient.

    A transfer of data to the USA and access by public authorities in the US to the data stored by Google cannot be ruled out, however. Google LLC, which is based in the USA, however, is certified for the US-European data protection agreement, the “EU-U.S. Data Privacy Framework”, which guarantees compliance with the level of data protection that applies in the EU. Google only transfers such data to third parties on the basis of statutory provisions or within the scope of contracted data processing. We have no influence on the scope or further use of the data collected by Google through the use of this tool.

  • Our website uses the “JWPlayer” service. JWPlayer is a video player with which we are able to display videos. (Operator: Longtail Ad Solutions, 8 West 38th Street, 6th Floor, NY 10018 New York, USA). When you visit a page on our website on which a JWPlayer video is embedded, a connection is automatically established between your browser and the JWPlayer servers and the embedded video is displayed on the website through a message to your browser.

    Purpose: Your (temporarily) stored data is used to deliver the video to you, to place advertisements, to suggest videos to you and to create reports about the video activities on our website. The stored information also helps to increase the quality of the recommended videos and to carry out further analyzes in order to recognize user trends and technical problems and to maintain and improve the service.

    Data categories: When using the JWPlayer (such as when clicking the start button or other interactions with the JWPlayer plugins), data, especially statistical usage data, is transferred to JWPlayer. This includes your IP address, local ID, global ID, viewer ID, device type, browser type and version, times of use and duration of use.

    Legal basis: The legal basis is your consent in accordance with point (a) of Art. 6 (1) GDPR.

    Categories of recipient: JWPlayer initializes the Google Analytics tracker via an iFrame in which the video is accessed. This is the tracking system of JWPlayer, to which we have no access. You can prevent the tracking by Google Analytics by using the deactivation tools that Google offers for some Internet browsers. You can prevent any data created by Google Analytics and relating to website usage on your part (including your IP address) from being transferred to and processed by Google by downloading and installing the browser plug-in available at the link below:
    http://tools.google.com/dlpage/gaoptout?hl=de.

    Google LLC, which is based in the USA, however, is certified for the US-European data protection agreement, the “EU-U.S. Data Privacy Framework”, which guarantees compliance with the level of data protection that applies in the EU. Google only transfers such data to third parties on the basis of statutory provisions or within the scope of contracted data processing. We have no influence on the scope or further use of the data collected by Google through the use of this tool.

    We are also unable to rule out the possibility of JWPlayer transferring the information collected to the operator Longtail Ad Solutions in the USA. Longtail Ad Solutions is not yet certified according to the “EU-U.S. Data Privacy Framework” at the present time (October 2023). To ensure an adequate level of data protection, we have concluded standard data protection clauses with Longtail Ad Solutions in accordance with point (c) of Art. 46 (2) GDPR. For further information regarding the handling of user data, please see the privacy policy of JWPlayer: https://jwplayer.com/legal/privacy/.

    Data recipients:

    Google Analytics

    Longtail Ad Solutions

  • We use the YouTube service of the company Google Ireland Limited, Gordon House, Barrow Street, 4 Dublin, Ireland on our website.

    Purpose: Videos from the YouTube platform are integrated on our website via the YouTube service. The integration allows us to show you videos directly on our website. In this way, you can view videos about our services without having to visit the YouTube platform.

    Data categories: For the processing itself, the service, and/or we, shall collect the following data:
    Data for displaying the stream, referrer URL, data on visited videos, created play lists, reviews and comments, information on the end device used as well as the date and time of the visit, the IP address and browser of the user and other data from Google services for providing the video in accordance with the Google Privacy Policy.

    Legal basis: YouTube is used to ensure a uniform and appealing presentation of our website. This constitutes a legitimate interest in terms of point (f) of Art. 6 (1) GDPR. Consent that has been granted can be withdrawn at any time. The only consequence of not granting or withdrawing consent is that the YouTube content will not be made available.

    Storage period: If you are logged in to your YouTube account, YouTube allows you to assign your browsing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account. We have no influence on the data collection and its further use. There is no information on the extent to which, where and for how long the data is stored, to which extent the networks comply with the existing erasure obligations, which evaluations and links are made with the data, and to whom the data is forwarded. Your data will remain stored for as long as this is necessary for the purpose of the service, however.

    Categories of recipient: If YouTube is activated on our website and a video is played, our website establishes a connection to the company’s servers in the USA and transfers the data required to display the stream or the video. The parent company of Google Ireland, Google LLC, is based in California, USA. A transfer of data to the USA and access by public authorities in the US to the data stored by Google cannot be ruled out. Google LLC, which is based in the USA, however, is certified for the US-European data protection agreement, the “EU-U.S. Data Privacy Framework”, which guarantees compliance with the level of data protection that applies in the EU. Google only transfers such data to third parties on the basis of statutory provisions or within the scope of contracted data processing. We have no influence on the scope or further use of the data collected by Google through the use of this tool.

    Data recipients:

    Google Ireland Limited

    Google LLC (United States of America)

    Alphabet Inc (United States of America)

  • We use solutions from AccessiWay GmbH, located in Vienna, Austria, to produce a highly accessible website. To make our website technically accessible, purely technical data is transmitted to the AccessiBe Ltd, Israel (GDPR compliant by adequacy decision) server located in the USA (GDPR compliant by adequacy decision for the EU-U.S. Data Privacy Framework). This data is SSL3 encrypted and deleted immediately after the accessible, technical information has been retrieved. No data is stored. Only the IP address and user agent (web browser) are transmitted. See website. No cookies are set or stored; the data transfer is purely technical in nature and is used to produce an accessible website.

Data transfers to third countries

Given the complexity of prevailing data processing processes, we engage so-called processors to process your data. To the extent possible in this connection, we only engage processors that are domiciled within the European Union (EU) or the European Economic Area (EEA) and are thus subject to the GDPR.

There are scenarios, however, where we process data in third countries (i.e. outside the EU and/or the EEA) or where the processing takes place in connection with the use of service providers domiciled outside of the EU and/or the EEA. The level of data protection in some of these third countries may not correspond to EU standards. For example, the processing of personal data by law enforcement agencies may not be restricted to that which is absolutely necessary, and data subjects may only have limited rights of legal recourse.

We do, however, always ensure that European data protection and data security standards are maintained.

  • First of all, under certain circumstances, we may be able to transfer data to those third countries that the European Commission has certified, pursuant to an adequacy decision under Art. 45 GDPR, as possessing an adequate level of data protection.
  • If the European Commission has not adopted an adequacy decision regarding a specific third country, we only transfer data subject to appropriate safeguards pursuant to Art. 46 GDPR. In particular, we then apply the standard contractual data protection clauses approved by the European Commission or binding internal data protection regulations; we may also ensure by other means that an adequate level of data protection is put in place (e.g., recipient’s participation in an approved certification system).
  • In individual cases, the aforementioned appropriate guarantees pursuant to Art. 46 GDPR as well as the additional measures taken may not be effective enough, thus leaving gaps in legal protections. In cases like these, we process your data in accordance with the exemption under Art. 49 GDPR. Depending on the case at hand, therefore, and to legitimize data transfers we rely on a variety of factors, including (i) your express consent (Art. 49 (1) (a) GDPR); (ii) the need to fulfill the contract (Art. 49 (1) (b) GDPR); or (iii) the need to establish, exercise, or defend our legal claims (Art. 49 (1) (e) GDPR).

You may use the contact information provided to obtain further information as well as a copy of the implemented measures. 

 

Rights of data subjects and option to file a complaint

Article 15 GDPR gives you the right to request confirmation as to whether your data is processed by the controller and the right to access information regarding this data.

Article 16 GDPR gives you the right to request immediate rectification of inaccurate data concerning your person and/or completion of incomplete data.

Article 17 GDPR gives you the right to have your data erased.

Article 18 GDPR gives you the right to restrict the processing of your data.

Article 20 GDPR gives you the right to data portability.

Article 21 GDPR gives you the right to object to the processing of your data.

Finally, you also have the option of filing a complaint with the competent regulatory authority.

If your data is processed pursuant to your consent thereto, you have the right to withdraw your consent at any time; doing so, however, does not affect the legality of the processing carried out until you withdrew your consent.

Kontaktdaten

If you have any questions regarding issue of data protection and the assertion of your rights as enumerated in the foregoing, you may contact our data protection organization at dataprotection.vae@voestalpine.com or by postal mail to voestalpine Railway Systems GmbH, Kerpelystraße 199, 8700 Leoben, Austria.

 

This Data Protection Notice is amended from time to time.