Privacy Statement
Version 1.0
Date: 2023-07-25
Identity and contact details of the processing controller
This privacy statement applies to all personal data processed by LunaTrain BV , with address at 8450 Bredene, Populierenlaan 102 , with company number VAT BE0804348546, which is the controller of this website.
The Controller attaches great importance to your privacy and therefore processes your personal data in accordance with the European Regulation 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter “GDPR”) as well as any future or additional legislation implementing it, insofar applicable.
For further questions or comments regarding how we handle your personal data, you can always contact us, either by e-mail to info@lunatrain.com or by mail to the aforementioned postal address.
What does “processing personal data” mean?
Processing personal data (hereinafter “data”) includes any processing of data that can identify you as a natural person. In this privacy statement, you can read what data is concerned. The term “processing” is very broad and covers, among other things, collecting, storing, using your data, or sharing it with third parties.
What data do we process?
Below we clarify what data we may process from you. Depending on the specific situation, your preferences and the way you contact us, we do not process all of the following data about you.
General
Of all our contacts (such as visitors to our website and individuals who send an inquiry via the contact form), we may process the information below:
- Electronic identification and usage data (e.g., IP address, browser type, location data, device data);
- Contact information (e.g., name, first name, e-mail address, etc.);
- Contact history (e.g., e-mail messages, messages sent through web forms, etc.);
Main business activities
From our customers, we may additionally process the following data:
- Order details (e.g. ticket details, departure date, arrival date, itinerary, etc.);
- Identification details of the trip members (e.g. first and last name, date of birth, nationality, gender, etc.)
- Additional data of the customer who booked a trip (e.g. address, e-mail address, phone number, VAT number if business customer, etc.);
- Online user account login information
- Payment and billing information (e.g. payment card details, invoices, etc.);
- Aftersale data
- Feedback, testimonials and promotional content such as photos and videos (e.g., reviews and experiences related to our (collaboration), testimonials, quotes, attendance at events, etc.)
Suppliers – service providers
From our suppliers and service providers, we may additionally process the following data:
- Contractual data (e.g. company name, address, company number, agreement, etc.);
- Payment and billing information (e.g. payment card details, invoices, etc.);
- Feedback, testimonials, quotes, promotional content such as photos and videos (e.g., reviews and experiences related to our (collaboration), testimonials, quotes, attendance at events, etc.)
Staff Candidates
In addition, we may process the following data on candidate employees. Of course, this will largely depend on what data you yourself wish to provide us with in relation to your application.
- Personal details;
- Work-related data;
- Personality data;
- Photos
For what purposes do we process your data?
We process your data for the purposes described below and do not collect and process more and no other types of data than those necessary for these purposes. Personal data is processed exclusively within the framework of the business and in particular for the following purposes:
- Within the scope of our main activities: selling railroad company tickets as an intermediary, as well as follow-up after sales
- Organizing events
- Participating in trade fairs
- Meeting legal, administrative and tax obligations
- Communication with customers and prospects
- Employee recruitment purposes
On what grounds do we process your data?
We process your data only to the extent based on one of the processing grounds listed in the GDPR, and as shown below.
Legal obligation
Certain data are processed by us to comply with legal or regulatory obligations. For example, in the context of tax and accounting obligations or in the area of data protection.
Necessary for the performance of the agreement
Certain data are processed by us because it is necessary for the conclusion, performance or termination of a contract with you as a data subject. For example, for contacting, scheduling, responding to a request or requesting information with a view of entering into a contractual relationship, as well as the effective performance of the contract, in order to provide you with our services or receive them from you.
Legitimate interest
Certain data are processed by us based on our legitimate interest which in specific cases outweighs any potential harm to your rights. For example, to promote our business to existing customers; to improve the quality of our services; to send you offers and advertising within an existing customer relationship; to train employees and evaluate and maintain data and statistics related to our business, in the broad sense; to preserve and use evidence in the context of liability, litigation or disputes and for the purpose of archiving the business; and to ensure security, both online on this website and on our premises.
Permission
Certain data is processed by us based on your consent. For example, to promote activities to potential business contacts; the use of certain analytical or marketing cookies; the posting of photos containing personal data on our website and social media channels. Data of job applicants after the recruitment process will be kept only with permission.
Origin of data
We also obtain most of the data we process from you directly. Within the scope of our services, we may obtain data from you through external service providers or public sources.
With whom do we share your data?
We do not disclose your information to third parties, except when strictly necessary considering the above-mentioned purposes, or if we are required to do so by law.
Where necessary, we use external service providers (processors) to support our operational purposes such as the management of our websites and IT systems. Where appropriate, these external service providers carry out certain data processing operations on our behalf. We will only share your data with these external service providers to the extent necessary for the relevant purpose. The data may not be used by them for other purposes. In addition, these service providers are contractually bound to ensure the confidentiality of your data by means of a “processing agreement” concluded with these parties.
Specifically, where relevant in your situation, we share your data with the following third parties for the following purposes, with these third parties acting as processors on our behalf in certain cases:
- Postal, transportation and delivery companies if we need to send you something by mail;
- Payment service providers if we receive payments from you, or vice versa;
- External representatives and consultants or any other parties involved as part of our main or ancillary activities;
- The processors who assist us in IT to operate our organization for the purpose of secure and efficient digital data management within our organization;
- Government bodies, judicial authorities and practitioners of regulated professions such as accountants and lawyers, for the purpose of complying with our legal obligations and defending our interests, as required.
How long do we keep your data?
We do not retain your data longer than necessary for the purpose for which the data was collected or is processed. Since the period for which the data can be kept depends on the purposes for which the data was collected, the storage period may vary in each situation. Sometimes specific legislation will require us to keep the data for a certain period of time. Our retention periods are always based on legal requirements and a balancing of your rights and expectations with what is useful and necessary to fulfill the purposes. At the end of the retention period, your data will be deleted or anonymized.
Where do we keep your data and how is it protected?
We provide appropriate security measures on a technical and organizational level, to avoid, within the scope of our activities, the destruction, loss, falsification, modification, unauthorized access or unauthorized notification to third parties as well as any other unauthorized processing of this data.
We are also careful to ensure that the processors we rely on also take appropriate security measures to minimize risks of incidents as much as possible.
If, when using specific services or software tools, your data is processed outside the European Economic Area (EEA), it will only be processed in/to countries that the European Commission has confirmed as providing an adequate level of protection for your data, or measures will be taken to ensure the lawful processing of your data in these third countries.
What are your rights?
You have various rights regarding the data we process about you. If you wish to exercise any of the rights set out below, please contact our GDPR Officer using the contact details included under the first heading of this privacy notice.
Right of access and copy
You have the right to access your data and obtain a copy. This right also includes the possibility of requesting further information about the processing of your data, including the categories of data processed about you and for what purposes.
Right to rectification
You have the right to have your data amended if you believe we have incorrect data.
Right to erasure
You have the right to request that we delete your data without unreasonable delay. However, we will not always be able to comply with such a request, including when we still need the data in function of an ongoing contract, or when keeping certain of your data for a certain period of time is required by law.
Right to restrict processing
You have the right to restrict the processing of your data. In this way, the processing is temporarily stopped until, for example, there is certainty about its accuracy.
Right to withdraw your consent
Where processing is based on your consent, you have the right to withdraw this consent at any time by contacting us. For marketing messages you receive from us via e-mail based on your consent, you can easily withdraw this consent by clicking on the unsubscribe link at the bottom of any such message.
Right to object
You have the right to object to the processing of your data based on legitimate interest. This should be based on reasons specific to your situation. You can also object to the use of your data for direct marketing purposes. For marketing messages by e-mail, an opt-out will always be provided.
Right to data portability
You have the right to obtain in electronic form your data that you yourself have provided to us with your consent or in performance of a contract. In this way, they can be easily transferred to another organization. You also have the right to request us to transfer your data directly to another organization, if this is technically possible.
Right to file a complaint with your supervisory authority
Should you believe that we are processing your data in an incorrect manner, you always have the right to lodge a complaint with your data protection supervisory authority.
Belgian Data Protection Authority (GBA).
Printing Press Street 35
1000 Brussels
How can you exercise your rights?
You may exercise your rights by contacting us, either by e-mail to info@lunatrain.com or by mail to 8450 Bredene, Populierenlaan 102, Belgium, provided that you enclose a copy of the front of your identity card or other document identifying you. The copy will only be used to identify you in accordance with the GDPR.
Changes to the privacy statement
We reserve the right to change this privacy statement. The most recent version is available on our websites at all times. The date this privacy statement was last modified can be found at the top. In the event of a substantial change to the privacy statement, we will directly inform the data subjects on whom this may have an impact, if possible.