Privacy and Data Protection Policy

Contents:

1 Defined terms
2 Introduction
3 Why does the International Registry Process Personal Data?
4 What information does the International Registry collect?
4.1 Personal Data
4.2 Registered Information
4.3 International Registry system information
5 How does the International Registry collect Personal Data?
6 Does the International Registry disclose or share Personal Data?
7 Does the International Registry use cookies?
8 Could Personal Data be transferred internationally?
9 How long will Personal Data be retained?
10 How does the International Registry protect Personal Data?
11 User Rights
12 How can a complaint be made?
13 How are changes to this Policy made?
14 How can the Registrar be contacted?

 

1 Defined terms
   (a) “Company”, “Registrar”, or “Regulis” means Regulis S.A., located at 17 Boulevard F.W Raiffeisen, Luxembourg City, 2411 Luxembourg.
   (b) “Controller” is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
   (c) “Convention” means the Convention on International Interests in Mobile Equipment.
   (d) “Data Protection Laws” means any applicable data protection legislation, including GDPR and any Luxembourg data protection legislation.
   (e) “Data Subject” is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
   (f) “Employee” means an employee of Regulis or any subsidiary of Information Services Corporation.
   (g) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
   (h) “International Registry” means the International Registry of Interests in Rolling Stock.
   (i) “Personal Data” means any information relating to an identified or identifiable natural person. A wide range of personal identifiers may be considered Personal Data, such as:
• name, home address, personal email address, or personal telephone number;
• IP address, cookies, or location data;
• age, marital status, medical history, facial recognition data, fingerprint, or gender information; or
• income, banking information, occupation, tax return, or personal public service number.
   (j) “Policy” means this Privacy and Personal Data Protection Policy.
   (k) “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means such as collection, recording, organizational structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
   (l) “Processor” is a natural or legal person, public authority, agency or other body that processes Personal Data on behalf of a Controller.
   (m) “Protocol” means the Luxembourg Protocol to the Convention on International Interests in Mobile Equipment on Matters specific to Railway Rolling Stock.
   (n) “Registered Information” has the same meaning as set out in the Regulations and Procedures.
   (o) “Regulations and Procedures” means the Regulations and Procedures for the International Registry.
   (p) “Special Category Data” is Personal Data classified as more sensitive data that requires greater protection. Examples of Special Category Data include information about a Data Subject’s:
• Racial or ethnic origin;
• Political opinions;
• Religious or philosophical beliefs;
• Trade union membership;
• Genetics;
• Biometrics (where used for identification purposes);
• Health; or
• Sex life or sexual orientation.
   (q) “User(s)” means any visitor or user of the International Registry and its associated website.

2 Introduction
Regulis S.A. is the Registrar of the International Registry, having been appointed by the Supervisory Authority of the International Registry pursuant to the Protocol, which is subject to the Convention.

The International Registry is a web-based software platform that facilitates the registration and search of international interests in rolling stock. The Registrar manages the International Registry, which includes collecting and Processing information submitted to the Registry.

This Policy applies to all Users of the International Registry and its website. Users are responsible for ensuring they are familiar with this Policy, which provides information on how the Registrar collects and uses Personal Data in connection with use of the International Registry. Users are responsible for obtaining consent from any individuals whose Personal Data they submit to the Registry and for providing those individuals with a copy of this Policy.

As the Registrar is located in the European Union, any Personal Data Processed by the Registrar in connection with any User’s use of the Registry will be treated in accordance with applicable Data Protection Laws.

3 Why does the International Registry Process Personal Data?
Data Protection Laws require that Personal Data be Processed only on a lawful basis. The Processing of Personal Data by the International Registry is required in order to comply with the Convention, Protocol, Regulations and Procedures.

The primary purposes for which the International Registry Processes Personal Data are to:

   (a) facilitate the operation of the Registry, including registration and verification of Users, as applicable;
   (b) effect the registration of interests in rolling stock with the International Registry;
   (c) allow searching of the International Registry; and
   (d) process payments.

This Policy applies to Personal Data collected by the Registrar that must be protected under applicable Data Protection Laws.

4 What information does the International Registry collect?
   4.1 Personal Data
Personal Data the International Registry may collect and Process about Users may include name, physical address, email address, phone number, date of birth, VAT number, and credit card information. A copy of government-issued identification may be used to verify a User’s identity.
   4.2 Registered Information
Registered information is largely a matter of public record. The Regulations that govern the International Registry, which are subject to the Convention and the Protocol, prescribe that certain information must be collected by the Registrar in order to effect a registration. The primary purpose for the collection of this information is to comply with the Convention, Protocol, Regulations and Procedures and therefore facilitate the operation of the International Registry.
   4.3 International Registry system information
The International Registry may also Process other information provided from time to time through the Registry, including records of communications sent by Users and the contents of those messages. This includes any letters, emails, or other correspondence sent by Users to the Registrar, as well as any communications with the helpdesk.

The International Registry and the Registrar may monitor and keep a record of communications and submissions made in order to:

   (a) establish facts in the event of litigation;
   (b) ensure compliance with applicable regulatory practices and internal policies;
   (c) evaluate service levels;
   (d) prevent fraud or other financial crime;
   (e) investigate any unauthorised use of the International Registry and related systems;
   (f) conduct audits;
   (g) compile statistics as required under the Regulations;
   (h) report to the Supervisory Authority as required by contract or the Regulations; or
   (i) any other purpose connected to the operation of the International Registry.

5 How does the International Registry collect Personal Data?
Personal Data is collected directly from Users on:

   (a) applying as a guest user or authorised user;
   (b) filing a Model Rules declaration; or
   (c) communicating with the International Registry or Registrar by any means.

The International Registry does not intentionally Process Personal Data collected from any sources other than directly from Users, unless it is provided by a User registering an account on behalf of another User.

The collection of Personal Data is limited to what is necessary for the proper functioning of the International Registry and compliance with the Regulations.

6 Does the International Registry disclose or share Personal Data?
Personal Data collected and entered into the International Registry as required by the Regulations may be made available to other Users who carry out searches of the International Registry. This Registered Information is a requirement of the Regulations and one of the primary functions of the Registry.

The Registrar may otherwise only share your Personal Data with select third parties in limited circumstances including, but not limited to, the following situations where:

   (a) Registrar employees require access to provide a requested service or respond to a specific inquiry;
   (b) Such information is required to investigate or remediate a technical or security issue;
   (c) A complaint has been made against the Registrar;
   (d) It is necessary for the International Registry and / or the Registrar to obtain professional advice or obtain services from third party service providers;
   (e) Disclosure is required by applicable law or a court order; or
   (f) There is a transfer of all or part of the Registrar’s responsibility for operating the Registry on the basis that recipient(s) use such Personal Data only for purposes related to the operation of the International Registry.

7 Does the International Registry use cookies?
Yes. Users may use the tool offered on the website to customise their cookie preferences.

8 Could Personal Data be transferred internationally?
The International Registry and its website are hosted on a server operated by a third party on its behalf within the European Union. Any Processing conducted will be in accordance with Data Protection Laws. Personal Data will not be relocated to a country which does not provide a similar level of legal protection for Personal Data without notification.

As noted above, Personal Data may be accessed by Users carrying out searches of the International Registry who may be located anywhere in the world. The lawful basis for such transfer is that the transfer is made from the International Registry, which is intended to provide information to the public and is open to the public to search.

9 How long will Personal Data be retained?
Personal Data will be retained for the required period under applicable law, including requirements under the Convention and Protocol, and in particular with the Regulations and Procedures. If you require further information, please contact the Registrar as directed below.

10 How does the International Registry protect Personal Data?
The Registrar takes appropriate IT security and operational measures to protect Personal Data. For instance, the International Registry may only be accessed via the public internet using a unique username and password. Steps are taken to restrict the Personal Data that is available to Users of the International Registry insofar as practicable and necessary for their involvement with the International Registry.

Cybersecurity tools are in place to block unauthorised traffic to servers and databases and the production environment for the International Registry can only be accessed by authorised personnel. The Registrar’s internal procedures further cover the storage, access and disclosure of Personal Data.

11 User Rights
Users have the right to:
   (a) Be informed. The Registrar is obligated to be transparent and inform Users on the Processing of their Personal Data. This Policy sets out Processing activities and is publicly available.
   (b) Access. Users have the right to request a copy of the Personal Data the Registrar holds about them. The Registrar may charge a fee for this service.
   (c) Rectification. Users have the right to request that any inaccurate or incomplete Personal Data the Registrar holds about them be corrected.
   (d) Erasure. To the extent permitted by applicable law, Users have the right to request that any of the Personal Data the Registrar holds about them be erased.
   (e) Restrict processing. Users have the right to request that the Registrar restrict the Processing of their Personal Data under certain conditions.
   (f) Object to processing. Users have the right to object to the Registrar’s Processing of their Personal Data under certain conditions.
   (g) Data portability. Users have the right to obtain their Personal Data held by the Registrar to provide to a third party or can require the Registrar to transfer their Personal Data directly to a third party.
   (h) Automated decision-making including profiling. Users have the right not to be subjected to Processing that is wholly automated and to object to any decision-making based solely on automated Processing.

The rights set out above are not absolute; they are subject to certain conditions that may apply, such as statutory exemptions to rights to access or erase Personal Data held by the Registrar. However, the Registrar will do its best to uphold each User’s data protection rights to the greatest extent practically possible.

If a User wishes to exercise any of the rights outlined above, please contact the Registrar as set out below.

12 How can a complaint be made?
Any questions in relation to Personal Data rights should be directed to the Registrar using the details outlined below. Users also have the right to lodge a complaint with the National Commission for Data Protection, Grand Duchy of Luxembourg.

13 How are changes to this Policy made?
The Registrar reserves the right to change this Policy as necessary, such as to comply with changes in laws, regulations, practices, procedures and organizational structure or requirements imposed by the European Data Protection Commission or other applicable authorities.

Any revised Policy will be posted to this page and effective on the date it is posted.

14 How can the Registrar be contacted?
Any queries or comments in relation to data privacy may be directed to the Registrar by email at privacy@rollingstockregistry.com, or by mail at 17 Boulevard F.W Raiffeisen, Luxembourg City, 2411, Luxembourg.


Regulis S.A.
Version 1.0
8 March 2024