Shift2Rail logo A body of the European Union


When the EU-Rail processes your personal data

The Europe’s Rail Joint Undertaking (the “EU-RAIL”), as a body of the European Union, is obliged to comply with the data protection law specifically applicable to them. The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her. This right is also guaranteed under Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.

In this regard, EU-RAIL processes personal data collected according to the provisions of Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data. The new data protection rules applicable to the EU institutions are in line with those in the General Data Protection Regulation, applicable to EU member states. The new rules aim to make the EU institutions more accountable in the way they process personal data.

The EU-RAIL, as a controller, shall maintain a record of processing activities under its responsibility in a central register. In addition, for reasons of transparency, EU-RAIL shall make the register publicly accessible (article 31(5) of Regulation (EU) 2018/1725). In addition, the EU-RAIL shall take appropriate measures to provide transparent information, communication and modalities for the exercise of the rights of the data subject (articles 14 to 16 of Regulation (EU) 2018/1725). You can find a collection of privacy notices for each specific processing operation in our web site.

For more information about how your personal data might be used when you visit this website, read our Website Data Protection Notice page.

Data Protection Officer

Based on the law, all EU institutions must appoint a Data Protection Officer (DPO).

EU-RAIL has appointed a DPO. The task of the DPO is to ensure, in an independent manner, that the Union body complies with the data protection law and protects individuals’ rights and freedoms by protecting effectively their personal data. The EU-RAIL DPO also collaborates with the DPOs of the other EU institutions in the relevant network.

For any questions related to your rights as a data subject, please contact the EU-RAIL Data Protection Officer at Data-Protection[at]

Data Protection Principles

Personal data is any information relating to an identified or identifiable person. For a full definition, see Article 3 (1) of Regulation (EC) 1725/2018.

The Data Controller is the person who determines how personal data is processed and grants rights to the data subject. For each processing operation, a data controller is identified and prior notice must be given to the Data Protection Officer.

The Data Processor is a natural or legal person, public authority, agency or any other body, which processes personal data on behalf of the data controller.

The following data protection principles are applicable to all EU-RAIL processing activities that address personal data:

  • lawful and fairness: meaning that personal data should be lawfully and fairly processed in accordance with the Regulation (EC) 1725/2018;
  • data minimization: meaning that the collection of personal data must be adequate, relevant and not excessive, following a necessity test;
  • purpose limitation: meaning that personal data should be obtained only for specified purposes and not further processed in a manner incompatible with those purposes;
  • data accuracy: meaning that personal data should be accurate and up-to-date;
  • storage limitation: meaning that personal data should not be kept for longer than necessary to complete the indicated purpose;
  • data retention: meaning that a specific time limit should be defined for retaining personal data;
  • data transfer: meaning that personal data should not be transferred to countries outside the European Union that don’t offer adequate protection;
  • accountability: meaning that measures should be implemented and documented in order to guarantee the respect of data protection rules for all processing activities.

Your rights when we process your personal data

When your personal information is processed by the EU-RAIL you have the right to know about it. By making a written request to the EU-RAIL Data Protection Officer (e-mail: Data-Protection[at] data subjects have also the right to:

  • access the data processed, collected and used concerning themselves;
  • rectify the information in case of inaccuracy and incompleteness;
  • block inaccurate data collected;
  • under certain conditions, delete the personal data or restrict its use;
  • where applicable, object to the processing of your personal data, on grounds relating to your particular situation, at any time, and the right to data portability;
  • withdraw their consent if it no longer represents the legal basis of the processing;
  • be informed in case personal data is disclosed to any third party.

Without undue delay and in any case within one month of receipt of the request, EU-RAIL will provide information on action taken on the data subject’s request to exercise her/his rights.  In case of complex or voluminous requests, this period may be extended by another two months, in which case EU-RAIL will inform the data subject.

Your rights on your personal data are stated in Articles 17 to 24 of Regulation (EU) 2018/1725.

How to exercise your data protection rights at the EU-RAIL

If the EU-RAIL is processing your personal data and you would like to exercise your data protection rights, please send us a written enquiry. We cannot accept verbal enquiries (telephone or face-to-face) as we may not be able to deal with your request immediately without first analysing it and reliably identifying you.

You can send your request to the EU-RAIL by post in a sealed envelope or by e-mail to Data-Protection[at] Your request should contain a detailed, accurate description of the personal data you want access to.

Recourse to the EDPS

The Supervisory Authority, in terms of processing personal data, is the European Data Protection Supervisor (EDPS). The EDPS is responsible for the monitoring of European Union institutions and bodies and their compliance with data protection rules, ensuring that the rights to privacy and data protection, as fundamental human rights, are respected.

If data subjects consider that EU-RAIL has infringed their rights, they can lodge a complaint to the European Data Protection Supervisor (EDPS). The EDPS, after assessing the admissibility, will carry out an inquiry and take appropriate measures to solve it. For more information regarding how to complain to the EDPS, please refer to the EDPS website.