Introduction
This Privacy policy is intended to inform the users of this site and of the services provided by RATP Dev Australia Pty Ltd (herein after referred to as “you” or the “users”) of the terms and conditions for the collection and processing of personal data (as defined in the applicable laws, including the Privacy Act 1988 (Cth)) by RATP Dev Australia Pty Ltd (herein after referred to as the “Company”). In this policy, any reference to “Company” is also a reference to any of the Company’s subsidiaries in Australia and overseas.
Moreover, this Privacy policy also aims to inform users of their rights and the implementation of these rights in accordance with the Privacy Act 1988 (Cth).
The Company has appointed a Data Protection Officer (hereinafter referred to as “DPO”). You may contact them at the following email address: ratpdevaustralia@ratpdev.com or at the postal address:
RATP Dev Australia Pty Ltd
Level 26
44 Market Street
SYDNEY NSW 2000
Australia
I. Persons concerned by this Privacy policy
The Company and its subsidiaries operate transportation networks and offer rail and road services. You are concerned by this Privacy policy when you subscribe to those services proposed by the Company.
II. Type of personal data collected and how personal data is collected
The personal data collected by the Company as part of the services it offers are as follows:
- contact data (last name, first name, email address, company);
- navigation data (searches, number of visits, date of the last visit…).
The Company will collect most personal data directly from you whether in person, on the phone or electronically (e.g. by email), for example when you interact with the Company to:
- do business with the Company;
- enquire about the services offered by the Company;
- contacting the Company;
- visit the Company’s website; and
- provide feedback or make a complain.
III. Purposes of processing
The Company processes data of the users of this site in the context of the performance of the services that the Company offers, for the legitimate purposes necessary for the proper functioning of the services as well as in accordance with legal obligations.
This first concerns the management of email alert subscriptions, customer relations management, the conducting of satisfaction surveys, the performance of the proposed service and the sending of information on the modification or evolution of services of the Company. The Company also processes some data for statistical and archival purposes.
IV. Data retention period
The time during which the Company retains the personal data of the users includes the duration of the contractual relationship as well as statutory limitation periods.
V. Recipients of personal data
1. The Company
The Company collects data necessary to ensure the proper functioning of its services. Every employee of the Company entitled to access personal data must sign a confidentiality agreement.
2. Processors
The Company may work with processors in order to perform some of its services. The processors process personal data only for the execution of the services offered by the Company.
The Company contractually requires its subcontractors to comply with security and confidentiality obligations, to implement technical and organizational measures so that data processing operations meet applicable legislation and ensure protection of the rights of the users.
3. Competent authorities
The Company may be required to transmit some personal data collected to the competent authorities, such as law enforcement, regulatory authorities and enforcement bodies. In such cases the information will be disclosed only if the Company believes it is reasonably necessary for the enforcement conducted by the mentioned authorities or authorised under a court or tribunal order.
VI. Users’ rights over personal data
1. Right of access
Users have the right to access the personal data that concerns them. Users have the right to receive confirmation from the controller that the data about them is or is not being processed. If the users exercise this right, the Company will provide them with a copy of the characteristics of the processing operations carried out on their personal data (the purposes of the processing, the categories of data concerned, etc.).
This information will be provided either electronically or in paper format. Users may obtain a copy of their personal data, subject to compliance with others’ rights.
2. Right to rectification
Any user that finds the data concerning himself or herself are incorrect or incomplete have the right to ask for the correction or the completeness of this information.
3. Right to limit processing
Users have the right to obtain a limitation on the processing of their personal data, in particular when they contest the accuracy of the data, when the processing is unlawful and they wish to obtain the limitation and not the deletion of their data or when the controller no longer needs the data but they are still necessary for the users to establish, exercise or defend a legal claim.
4. Right to object to processing
Users may object to their personal data being processed if they have a legitimate reason and if the processing is based on their consent.
Once you use your right to object, your data will no longer be processed. Where the processing is based on a legal regulation, the right to object is not applicable.
The Company informs you that the modification or deletion will take place as soon as possible.
VII. Exercise of rights
You can exercise your rights by contacting the DPO named by the Company at the address email ratpdevaustralia@ratpdev.com or at the postal address:
RATP Dev Australia Pty Ltd
Level 26
44 Market Street
SYDNEY NSW 2000
Australia
For any request to exercise your rights, the Company may ask you to send an official identity document (ID card, passport, license driver) to verify that you are the data subject of the personal data you are requesting.
The answers to your requests will be communicated to you electronically or in paper form.
The Company undertakes to respond to any request as soon as possible and within a maximum period of one month from the receipt of your request. However, this period may be extended by two months where the request is complex or due to the number of requests received.
If the Company cannot respond to your request, you will be informed within one month of receipt of your request. The reasons for this refusal will be clearly indicated. You will then have the opportunity to file a complaint with the Office of the Australian Information Commissioner.
You are informed that in the case of requests that are manifestly unfounded or excessive, in particular because of their repetitive nature, the Company may refuse to respond to your requests or require payment of a fee to offset the administrative costs incurred in responding to your requests.
If you believe any of the Australian Privacy Principles have been breached by the Company then you may complain to the DPO via the email address specified above. The company will attempt to resolve the complaint within 30 days. If the complaint is not resolved or you are not happy with the response you can complain to the Office of the Australian Information Commissioner.
VIII. Personal data security
The Company implements all appropriate security measures to ensure the protection of the personal data collected, and in particular to prevent the destruction, loss, alteration, disclosure or unauthorized access of the data. To this end, security measures such as anonymization or data encryption will be implemented. Measures to ensure the ongoing confidentiality, integrity, availability and resiliency of treatment systems and services will also be taken. Any breach of security affecting your data and likely to create a high risk for your rights and freedoms will be notified to you as soon as possible.
IX. Storing of personal data
The servers used by the Company to store your personal data are located in France.
The Company transmits certain personal data to its processors providing services necessary for the performance of services. Some processors host personal data on servers located outside of Australia, including US. The Company therefore ensures that they are able to guarantee the same level of data protection as that required by the Privacy Act 1988 (Cth).
X. Modification of the Privacy policy
When this Privacy policy is modified, the update is published on the Company website or via an e-mail indicating the date of update. We invite the users to consult it regularly.