Privacystatement

Purpose of the privacy statement

The Regulatory Body for Railway Transport and Brussels Airport Operations (hereinafter: the Regulatory Body) processes the personal data that it obtains during the fulfilment of its legal tasks, either via this website or through other channels, for the purposes stated in this privacy statement.

This privacy statement provides an overview of all processing of personal data by the Regulatory Body and is intended for all stakeholders who encounter its services.

Processing manager

The Regulatory Body for Railway Transport and Brussels Airport Operations, located at Boulevard du Botanique 50, box 72, 1000 Brussels, is responsible for the processing of the personal data that it processes in the exercise of its legal tasks. This means that he only determines the purpose and means for the processing of these personal data.

Function of the Data Protection Officer (DPO)

The Data Protection Officer is responsible for ensuring that the Regulatory Body complies with the legal framework on data protection. His mission is to inform and advise the Regulatory Body on his obligations under the GDPR, to cooperate with the Data Protection Authority and to act as a contact point for this authority. He is also the contact point for all your questions about how we process your personal data.

You can reach our DPO via the following e-mail address: dpo@regul.be

Through the mail:

Regulatory Body for Railway Transport and Brussels Airport Operations
DPO
Boulevard du Botanique 50, box 72
1000 Brussels

What are “personal data”?

Within the meaning of Article 4, 1) of the GDPR[1], personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

In recital 14 of the Regulation, data on legal persons, such as the name, legal form of the legal entity and contact details are excluded from the scope of the GDPR.

What is “processing of personal data”?

Data processing is based on Article 4, 2) of the GDPR “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

What personal data do we process and for what purposes?

The processing of personal data obtained via the website has the following purposes:

Providing information and assistance to citizens and organizations. The acquisition of personal data is done here via the contact form. The processing of personal data is based on the consent of the data subject.
Legal obligation to publish and to notify the “Notification form of a planned new rail passenger service”. The processing of personal data is based on the consent of the data subject.
Casemanagement. It is possible that the Regulatory Body will be informed during the course of an ongoing casefile (monitoring, specific investigations, complaint, dispute, advice) of personal data that is provided to it via the contact form. The processing of these personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Regulatory Body.
Functioning and security of the website. The processing of personal data obtained through functional cookies is based on the legitimate interest of the Regulatory Body. The processing of personal data obtained through analysis cookies is based on the consent of the data subject.

Which personal data?	How did we obtain this information?	How long?	To whom?
From the notification form of a planned new rail passenger service	Directly from the data subject	Subject to the terms of the Public Records Act (24.06.1955)	External communication : publication of the completed form on the website and LinkedIn page of the Regulatory Body notification of the completed form to the parties referred to in Article 62, (3), 5°, second paragraph of the Railway Code
From contact forms: mere provision of information	Directly from the data subject	No longer than necessary to achieve the purpose	No external communication
From contact forms: information about (current) files	Directly from the data subject	Subject to the terms of the Public Records Act (24.06.1955)	External communication when the disclosure does not prejudice the protection of private life or when the data subject has consented to the disclosure (Art. 6, §2, 1° Law of 11 April 1994 on the publicity of government documents)
Functional cookies	Directly from the data subject	see cookie policy	No external communication
Analysis cookies	Directly from the data subject	see cookie policy	No external communication

Cookie policy

Name of the cookie	Third Party Provider	Type	Retention	Description
__cfduid	Cloudflare	Technical	1 year	Used to distinguish users.
pll_languange		Technical	1 year	Contains the current language of the site user.
displayCookieConsent		Technical	1 year	This cookie is used to remember the user’s choice about cookies on the website to avoid opening the popup after acceptance.
_ga	Google analytics	Analytical	2 years	The Google Universal Analytics javascript library uses first-party cookies to: distinguish unique users and throttle the request rate. To opt out click here.
_gid	Google analytics	Analytical	1 day	Used to distinguish users.
_gat	Google analytics	Analytical	Session	Used to distinguish users.

The processing of personal data obtained via other channels (emails, letter post, answers to questionnaires via web forms, etc.) has the following purposes:

Providing information and assistance to citizens and organizations. The processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Regulatory Body.
Casemanagement. If the Regulatory Body obtains personal data during the course of an ongoing casefile (monitoring, specific investigations, complaint, dispute, advice), the processing thereof is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Regulatory Body.
Establish and maintain contacts with companies from the regulated sectors. If the Regulatory Body obtains personal data originating from (contact) persons of companies in the railway or airport sector, then the processing thereof is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Regulatory Body.

Which personal data?	How did we obtain this information?	How long?	To whom?
From e-mails or letter post: mere provision of information.	Directly from the data subject	No longer than necessary to achieve the purpose	No external communication
From e-mails, letter post of webforms: information on (ongoing) casefiles	Directly from the data subject	Subject to the terms of the Public Records Act (24.06.1955)	External communication when the disclosure does not prejudice the protection of private life or when the data subject has consented to the disclosure (Art. 6, §2, 1° Law of 11 April 1994 on the publicity of government documents)

7. What are your rights?

You have a number of rights with regard to your personal data. However, some of these rights apply only in a limited number of cases.

You have the right to access your personal data processed by our organization;
You have the right to obtain rectification of incorrect personal data without delay. With due regard for the purposes of the processing, you have the right to obtain the completion of incomplete personal data;
In certain cases provided by the GDPR, you have the right to obtain a restriction on the processing of your personal data;
In certain cases provided by the GDPR, you have the right to object to the processing of your personal data at any time due to your specific situation;
You do not have the right to be subject to a decision based solely on automated processing, including profiling, to which you have legal consequences or that you otherwise have a significant effect, unless this decision is necessary for the creation or execution of an agreement, legally permitted or based on your explicit consent;
In certain cases provided by the GDPR, you have the right to immediately erase your personal data.

In certain circumstances, the exercise of your rights may be suspended.

How can you exercise your rights?

To exercise your rights, you can contact the Data Protection Officer (DPO) through the aforementioned channels.

We remind you that your identity must be reasonably verifiable so that we can be sure that no one else is trying to exercise your rights.

Appeal possibilities

Without prejudice to other administrative or judicial remedies, you have the right to file a complaint with the Data Protection Authority and to institute a legal remedy if you believe that your rights are not respected or that the processing of your personal data constitutes a breach of the GDPR .

You can submit your complaint at the following address:

Data Protection Authority
Rue de la Presse 35
1000 Brussels
Tel: +32 (0) 2 274 48 00
Fax: +32 (0) 2 274 48 35
E-mail: contact@apd-gba.be

More information

More information about the legislation that applies to your personal data in Belgium can be found on the website of the Data Protection Authority:

https://www.dataprotectionauthority.be

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, May 4^th 2016, p. 1–88, in force since May 25^th, 2018.