1. Data Controller - DB Cargo Polska S.A. with headquarters in Zabrze, ul. Wolności 337, phone no. 32 7889396
2. Personal Data – any information relating to a natural person identified or identifiable by reference to one or more factors specific to the physical, physiological, genetic, economic, cultural or social identity of that natural person, including: facial image, voice recording, contact details, location data, information included in correspondence, information collected with recording equipment or a similar technology.
3. GDPR – Regulation (EU) of the European Parliament and of the Council No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
4. Data Subject – a natural person who is concerned by provisiothe personal details processed by the Data Controller, e.g. a visitor to the premises of the Data Controller or a sender of inquiries in an electronic form.
5. Policy – this Policy of Personal Data Processing at DB Cargo Polska S.A.

1. In connection with its economic activity, the Data Controller collects and processes personal data in accordance with relevant regulations, including in particular GDPR and principles of data processing contained therein.
2. The Data Controller shall:
   1. ensure transparency of data processing;
   2. always provide the information about data processing on the moment it is collected, in particular about its goal and legal basis, unless it is not obliged to do so based on separate regulations;
   3. ensure that the data is collected only in the scope required to the defined goal and processed only for the period it is required.
3. When processing data, the Data Controller shall ensure its safety, confidentiality and access to the information about processing to Data Subjects. If, despite the applied security measures, the personal data protection is violated and this violation may result in high risk of violating rights of freedoms of data subjects, the Data Controller shall inform the Data Subjects thereof in a manner compliant with relevant rules of law.

1. Contact with Data Controller is possible via mailing address: DB Cargo Polska S.A., ul. Wolności 337, 41-800 Zabrze with a note: Representative for Personal Data Protection or at daneosobowe@deutschebahn.com.
2. The Data Controller has appointed representatives for personal data protection: Barbara Solarska, Katarzyna Oleksik and Dariusz Kańtoch. It is possible to contact them in each matter related to personal data processing via e-maildaneosobowe@deutschebahn.com.

1. In order to ensure integrity and confidentiality of data, the Data Controller has implemented relevant procedures, that would provide access to personal data only to authorised individuals and only in the scope required by the tasks they carry out. The Data Controller shall apply organizational and technical solutions in order to ensure that all operations on the personal data are recorded and performed only by authorized individuals.
2. The Data Controller shall continuously analyse the risk and monitor the adequacy of applied measures of data protection against the risks identified. If required, the Data Controller shall implement additional means to increase the data security.
3. The Data Controller shall take all necessary steps to oblige its subcontractors and other contractors to guarantee that they apply relevant security measures in each case they process personal data on the commission of the Data Controller.
4. The Data Controller shall respect all duties resulting from professional secrecy of a legal advisor and a lawyer – client privilege, regardless of duties resulting from GDPR.

E-mail and traditional mail

1. If any correspondence is sent to the Data Controller with e-mail or traditional mail not related to services provided to the sender or other contract concluded with the sender, the personal data included in such correspondence shall be processed only in order to communicate and handle the issue the correspondence is referring to
2. The legal basis of processing is the legitimate interest of the Data Controller (art. 6 clause 1 letter f GDPR), i.e. correspondence sent to the Controller in relation to the economic activity it conducts.
3. The Data Controller shall process only those personal data which are relevant for the matter the correspondence is concerned about. The correspondence shall be stored in a manner ensuring the security of personal data (and other information) contained therein and it shall be disclosed only to properly authorized individuals.

Phone contact

If the Data Controller is contacted via phone in matters not related to a concluded contract or services provided, the Controller may require the personal data to be provided only if it is necessary to handle the issue the contact is referring to. In such case, the legal basis shall be the legitimate interest of the Data Controller (art. 6 clause 1 letter f GDPR), i.e. the need to solve the issue connected with the economic activity conducted by the Data Controller.

Profiles on Facebook and LinkedIn

1.  The Data Controller has public profiles in social media, Facebook and LinkedIn. Therefore it processes data left by the individuals who visit those profiles (e.g. likes, comments, internet identifiers).
2. Personal data of such individuals shall be processed:
   1. in order to allow them to be active in the profiles;
   2. in order to keep the profiles updated in an efficient manner by presenting information about initiatives and other activities of the Data Controller to the users of portals and in relation with promoting various events, services and products;
   3. for analytical and statistical purposes;
   4. they may be possibly processed in order to exercise or defense of legal claims.
3. The legal basis of personal data processing shall be the legitimate interest of the Data Controller (art. 6 clause 1 letter f GDPR), i.e.:
   1. promoting own brand and improving quality of provided services,
   2. if required – exercise or defense against legal claims.

NOTE: the information above is not applicable to processing of personal data by the administrators of webpages (Facebook and LinkedIn).

Contact forms

1. The Data Controller offers the possibility to contact the Controller via electronic contact forms on its internet websites. To use a form it is required to provide personal data necessary to contact a Data Subject and reply the inquiry. The Data Subject may also provide other data in order to facilitate the contact of inquiry handling. Data marked as obligatory is required for the inquiry to be accepted and handled. Failure to provide them will render it impossible to handle the inquiry. Provision of other data is voluntary.
2. The personal data shall be processed in order to identify the sender and handle his/her inquiry sent via a form – the legal basis  for the processing is the consent (art. 6 clause 1 letter a GDPR).
3. If personal data that are collected via contact form on the internet website of the Data Controller are processed also for purposes other than the ones listed above, then the information about those purposes shall be published in the Privacy Policy of the website where the form is available.

Recruitment

1. As a part of the recruitment processes, the Data Controller expects to be provided with personal data (e.g. CV) only in the scope defined in the rules of the labour law. Therefore the candidates shall provide no additional information. If the applications include additional data that exceed the scope defined in the rules of the labour law, their processing shall be based on the candidate’s consent (art. 6 clause 1 letter a GDPR), expressed with the unambiguous confirming activity, i.e. sending the application by the candidate. If the received applications include data inadequate to the purpose (i.e. recruitment), the shall be neither used, nor considered in the recruitment process.
2. Personal data shall be processed:
   1. If the preferred employment form is an employment contract – in order to execute duties resulting from the rules of law related to the employment process, the Labour Law in particular – the legal basis shall be the legal obligation of the Data Controller (art. 6 clause 1 letter c GDPR in connection with the rules of the labour law);
   2. If the preferred form of a legal relation is a civil law contract – in order to conduct the recruitment process – the legal basis for processing of data included in the application is taking actions prior to the conclusion of a contract on the request of the Data Subject (art. 6 clause 1 letter b GDPR);
   3. For the purpose of the recruitment process and in relation to data required neither by the rules of law, nor by the Data Controller and also for the purpose of the future recruitment processes – the legal basis for the processing shall be the consent (art. 6 clause 1 letter a GDPR);
   4. In order to verify the qualifications and skills of a candidate and determine the cooperation conditions – the legal basis for the processing shall be the legitimate interest of the Data Controller (art. 6 clause 1 letter f GDPR). The legitimate interest of the Data Controller is verification of the candidates to work and determine conditions of any future cooperation;
   5. In order for the Data Controller to establish or exercise any claims or to defend against claims made towards it – the legal basis shall be the legitimate interest of the Data Controller (art. 6 clause 1 letter f GDPR).
3. If the personal data are processed based on an expressed consent, it shall be possible to withdraw it at an time, which however shall not affect the lawfulness of the processing carried out before withdrawal of consent. If the consent is expressed for the purpose of future recruitment processes, personal data shall be removed no later than after the elapse of one year, unless the consent is withdrawn beforehand.
4. The rules of law, first and foremost the Labour Code require to provide data in the scope defined under art. 22 (1) of the Labour Code, if the candidate prefers to be employed based on an employment contract and if a legal relation based on a civil law contract is preferred – it shall be required by the Data Controller. Failure to provide the data will render it impossible to consider the candidacy in the recruitment process. Provision of data is voluntary.

Collecting data due to service provision or execution of other contracts

If the data is collected for the purposes related to the execution of a specific contract, the Data Controller shall provide detailed information to the Data Subject about processing of his/her personal in the case when processing is necessary for the Data Controller to take actions on the request of the Data Subject prior to the contract conclusion.

Processing of personal data of the contractor’s staff or customers that cooperate with the Data Controller

1. As a result of concluding contracts under its activity, the Data Controller acquires from its contractors/customers data of individuals involved in the execution of such contracts (e.g. contact persons, individuals who carry out certain activities, etc.). The scope of provided data in each case shall be limited to the degree which is indispensable to execute the contract and usually shall include no information beyond first name, surname and official contact details.
2. The abovementioned data are processed in order to pursue the legitimate interest of the Data Controller and its contractor (art. 6 clause 1 letter f GDPR), i.e. to allow for appropriate and efficient contract execution. The data may be disclosed to third parties involved in the contract execution.
3. The data shall be processed for the period necessary for the pursuit of the abovementioned interests and performance of duties resulting from rules of law.

Collecting data as a part of business contacts

1. As a result of the conducted activity, the Data Controller collects personal data also in other cases – e.g. during business meetings or by exchanging business cards – in order to establish and maintain business contacts. The legal basis shall be the legitimate interest of the Data Controller (art. 6 clause 1 letter f GDPR), i.e. establishing a base of contacts in relation to the conducted activity.
2. Personal data collected in such circumstances shall be processed only for the purpose they were collected for and the Data Controller shall ensure they are properly protected.

1. As a result of conducting the activity that requires personal data processing, the personal data may be disclosed to external entities, in particular to vendors responsible for maintaining IT systems and devices, entities that provide accounting services, mail operators, couriers and recruitment agencies.
2. The Data Controller shall reserve the right to disclose the selected information concerning Data Subjects to relevant authorities or third parties who would require such information with relevant legal basis and in accordance with the currently binding rules of law.

1. The level of protection of personal data outside the European Economic Area (“EEA”) differs from the one ensured by the European law. Therefore the Data Controller shall provide the personal data outside EEA only when it is necessary and ensuring a relevant degree of protection, first and foremost by:
   1. Cooperation with processors of personal data in states with regards to which a relevant decision of the European Commission has been issued that a sufficient level of personal data protection has been ensured;
   2. Applying relevant contractual clauses issued by the European Committee;
   3. Applying binding corporate rules approved by a relevant supervisory body;
   4. If the data is transferred to the USA – by cooperation with entities participating in the Privacy Shield programme approved with the decision of the European Committee.
2. The Data Controller shall always inform about the intention to transfer personal data outside the EEA on the moment they are collected.

1. The period when the data is processed by the Data Controller depends on the type of provided service and purpose of processing. The data processing period may also be defined in regulations, if they are the basis for the processing. If the data is processed based on a legitimate interest of the Data Controller (e.g. for security reasons), data will be processed for the period that would allow for pursuing the interest or until an efficient objection towards data processing is raised. If the processing occurs based on a consent, the data shall be processed until it is revoked. If the basis for processing is indispensability of data for concluding and executing a contract, the data shall be processed until the contract is terminated.
2. The period of data processing may be prolonged if the processing is necessary to establishment, exercise or defense against legal claims and afterwards – only in the case and scope required by law. After the elapse of the processing period, the data shall be irrevocably deleted or anonymized.
3. Personal data processed by legal advisors and lawyers as a part of their professional duties shall be stored for 10 years after the end of the year of completion of a proceeding which was the purpose for collecting personal data.

Rights of Data Subjects

1.  The Data Subjects shall have the right to:
   1. Right to be informed about the processing of personal data - on this basis the Data Controller shall provide the natural person making the request with information about the processing of data, including, first of all, the purposes and legal bases of the processing, the scope of the data stored, entities whom they have been disclosed to and the planned date of data deletion. The Data Controller shall not execute such a request if it violates the obligation to maintain legal adviser's or lawyer's secret;
   2. Right to obtain a copy of the data - on this basis the Data Controller shall provide a copy of the processed data concerning the natural person making the request. The Data Controller shall not execute such a request if it violates the obligation to maintain legal adviser's or lawyer's secret;
   3. Right of rectification - the Data Controller shall be obliged to remove any possible inconsistencies or errors in the personal data processed and supplement them if they are incomplete;
   4. Right to delete data - on this basis, it is possible to request the deletion of data the processing of which is no longer necessary for any of the purposes for which they were collected;
   5. Right to restrict the processing - in case of such a request, the Data Controller shall cease to operate on personal data - with the exception of operations to which the Data Subject has consented - and to store them, in accordance with the adopted principles of retention, or until the reasons for the restriction of data processing cease to exist (e.g. a decision of the supervisory body authorizing further processing of the data is issued). It is not possible to fulfil this right to the extent in which it would violate the obligation to maintain the confidentiality of the legal advisor or of a lawyer;
   6. The right to data portability - on this basis, to the extent that data are processed by automated means in connection with a concluded contract or a consent - the Data Controller shall issue the data provided by the Data Subject in a format which can be read by a computer. It is also possible to request that the data be sent to another subject, provided however, that the technical possibilities exist in this respect both on the part of the Data Controller and the designated entity;
   7. Right to object to the processing of data for marketing purposes - the Data Subject may at any time object to the processing of personal data for marketing purposes; no justification shall be required;
   8. Right to object to other purposes of data processing - the Data Subject may object at any time – for reasons attributable to his or her particular situation - to the processing of personal data on the basis of a legitimate interest of the Data Controller (e.g. for analytical, statistical or property protection purposes); an objection in this regard should include a justification. This right does not apply to personal data obtained by a legal advisor or a lawyer in connection with the provision of legal assistance;
   9. Right to withdraw the consent - where data are processed on the basis of a consent, the Data Subject shall have the right to withdraw it at any time, which however shall not affect the lawfulness of the processing carried out before withdrawal of consent;
   10. Right of complaint - if the processing of personal data is found to violate the provisions of the GDPR or other regulations on the protection of personal data, the Data Subject may lodge a complaint with the authority that supervises the processing of personal data, competent for the Data Subject's ordinary residence, place of work or place of the alleged violation. In Poland the supervisory body is the President of the Office for Personal Data Protection (PUODO).

Submission of requests related to the execution of rights

1. A request on the execution of rights of Data Subjects may be submitted:
   1. In a written form to: DB Cargo Polska SA, ul. Wolności 337, 41-800 Zabrze
   2. By e-mail: daneosobowe@deutschebahn.com
2. If the Data Controller is not able to identify the natural person based on the request submitted, it shall ask the petitioner to provide additional information. It shall not be obligatory to provide such data, however, failure to do so will result in a refusal to execute the request.
3. The request may be submitted in person or through a representative (e.g. a member of the closest family). Due to the safety of data, the Data Controller encourages to use power of attorney in a form certified by a notary public or an authorized legal advisor or a lawyer which shall significantly speed up the verification of the request’s authenticity.
4. A reply to a request should be given within one month of its receipt. If it is necessary to extend this deadline, the Data Controller shall inform the applicant of the reasons for such situation.
5. Where a request has been addressed to the Data Controller electronically, the reply shall be provided in the same form, unless the applicant has requested to be provided with a reply in another form. In other cases, the reply shall be in writing. If the time limit for the execution of the request prevents the reply in writing and the extent of the applicant's data processed by the Data Controller allows for electronic contact, the reply shall be provided electronically;
6. The Data Controller shall store the information concerning the request and the person who made the request in order to ensure a possibility to demonstrate the compliance and for the purpose of establishing, defending or pursuing possible claims by the Data Subjects. The register of requests shall be kept in a manner that ensures the integrity and confidentiality of the data contained therein.

We hereby inform you about the data processing regarding our sales system "CASA" (customer services and sales application). 

DB Cargo AG works closely with its subsidiaries and national companies in the Cargo business unit of DB AG to ensure smooth and effective sales and customer support. Contact details for business transactions are shared in a company master database in order to provide the best possible service. 

For this purpose, a joint responsibility agreement in accordance with Art. 26 GDPR has been concluded between the contracting parties. 

1. The Policy is verified on a regular basis and updated if required.
2. The current version of the Policy has been binding since 1 July 2020.