CER 09 May 2023

CER Privacy Statement

Community of European Railway and Infrastructure Companies AISBL, an international non-profit association under Belgian Law, with the registered office at Avenue des Arts, 53, 1000 Brussels, Belgium, registered under number 0459.235.909 (hereinafter referred to as “CER”) may collect and processes your personal data in certain cases.

CER will collect and process your personal data if you belong to one of the following groups of individuals: representatives of CER members, participants to CER events, members and officials of the institutions and authorities of the European Union and its Member States, various specialists in particular in the fields of European and public affairs, transport and railways, CER contacts and other people CER has a relationship with or may need to contact (hereinafter referred to as “data subjects”) as well as job applicants.

Principles that CER follows in processing your personal data

  • CER is committed to collecting and processing your personal data in compliance with applicable European and national data protection laws, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) which will apply from 25 May 2018;
  • CER is transparent about processing your personal data;
  • CER only collects your personal data for legitimate purposes that are specified below. If CER intends to further process your personal data for a purpose other than that for which the personal data were collected, CER will inform you about it prior to that further processing;
  • CER strictly limits collection, processing and retention of your personal data to what is necessary for CER to be able to perform its tasks in accordance with its general mission;
  • CER puts every effort into keeping your personal data accurate and up-to-date by performing regular corrections;
  • CER keeps your personal data for no longer than it is necessary for the purposes for which your personal data were collected;
  • CER takes reasonable steps to ensure appropriate security of your personal data by adequate IT security measures.

This privacy statement explains what personal data, on which bases and for which purposes CER collects and processes.

What personal data CER collects and processes

Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

CER collects and processes your personal data which are necessary to be able to perform its tasks in accordance with its general mission. Most of such personal data you provide to CER directly, such as when you register for an event CER organises or give your business card to one of CER’s advisers. Sometimes CER also obtains personal data from third parties such as your employer or your colleagues or publicly available sources.

The precise personal data CER collects and processes depends on the context of your interactions with CER. The personal data CER collects and processes can include the following:

  • Name and contact information. CER may collect your first and last name, email address, postal address, phone number, and other similar contact data.
  • Payment information. In case you are selected as a winner of a contest or an award organised by CER, CER may collect the data necessary for the payment of a prize, such as your account and/or card number.
  • Content of emails. CER may collect content of your email communications sent to CER.
  • Photo and video. If you attend an event organised by CER, your image may be captured and become a part of photo and video materials we produce.
  • Dietary information. If you attend an event organised by CER, we may ask you to provide information on your allergies and diet constraints in order to provide you with the meal that suits your dietary needs.
  • Professional information. CER may collect data on the company which you represent and your function. If you respond to a CER job opening, CER also may collect information on your previous work experience and education, as well as other information provided in your job application.

How CER uses your personal data

CER has a legitimate interest in collecting and processing personal data of individuals that belong to one of the groups listed above as part of its general mission and for the following purposes:

  • For general membership administration: CER processes personal data of relevant employees and representatives of the CER members for the purpose of administering the membership, organising General Assemblies and Management Committee meetings, granting access to the members only area of the CER website;
  • For organising meetings and working groups: CER processes personal data of the data subjects for the purpose of organising meetings and working groups;
  • For public relations purposes: CER processes personal data of the data subjects for the purposes of carrying out its advocacy activities;
  • For targeted communication purposes: CER processes personal data of the data subjects to communicate on the topics related to CER advocacy work, to share publications and invitations to CER’s activities and events;
  • For organising events: CER processes personal data of individuals that participate in the events organised by CER for the purpose of managing such events and in some cases gathering subsequent feedback or other input;
  • For press purposes: CER processes personal data of individuals working as journalists or in related areas to disseminate press materials;
  • For recruitment purposes: CER processes personal data of individuals who respond to CER job openings to process and follow up on job applications.

Your rights in regard to your personal data:

You have the following rights in regard to your personal data that CER processes:

  • Confirm whether CER processes your data: You can ask CER to provide you with (the categories of) your personal data that are being processed;
  • Copy or port your personal data: You can ask CER for a copy of your personal data that are being processed as well as for a copy of personal data you provided to CER directly in a structured, commonly used and machine-readable format or that CER transmits those data directly to another undertaking[1];
  • Correct or complete your personal data: You can ask CER to update, correct or complete your personal data in case it is inaccurate or incomplete;
  • Erase your personal data: You can ask CER to erase all or some of your personal data in certain cases[2];
  • Object to processing of your personal data: You can ask CER to stop processing all or some of your personal data at any time. CER will no longer process your personal data unless there are overriding legitimate grounds for such processing;
  • Restrict processing of your personal data: You can ask CER to restrict processing of all or some of your personal data in certain cases[3];
  • Complain to a data protection authority: You can complain about collection and processing of your personal data by CER to a data protection authority in the Member State of your residence, place of work or place of the alleged infringement of your rights;
  • Withdraw your consent at any time: You can withdraw your consent at any time if CER processes your personal data based on your consent. Withdrawing your consent will not affect the lawfulness of any processing CER conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent (performance of a contract or legitimate interests);
  • Ask for more information regarding your personal data: You can ask CER to provide supporting and explanatory information in regard to:
    - why CER processes your personal data;
    - which categories of your personal data CER processes;
    - to whom and where CER transfers your personal data;
    - the retention period for your personal data;
    - your right to correct your personal data, to erase it, to restrict its processing or to object to processing of your personal data by CER;
    - your right to lodge a complaint to a data protection authority;
     -from which source CER obtained your personal data in case CER didn’t collect it directly from you;
     -whether CER uses any automated decision-making process in regard to your personal data.

If you wish to exercise any of the above rights please contact CER at the following email address: This email address is being protected from spambots. You need JavaScript enabled to view it.. Please attach a copy of your ID to such email in order for CER to verify your identity. CER will respond to your request free of charge and within 30 days. CER will charge a fee to cover the administrative costs of providing the information or will refuse to act on the request only in case your request is manifestly unfounded or excessive, in particular because of its repetitive character.

Security of your personal data

CER is committed to protecting your personal data. To protect your personal data from unauthorized access, use or disclosure, CER employs, in particular, the following IT security measures: firewall, strong password protection, regular software updates, antivirus programs, restricted user access to the CER database and regular backups of the CER server. Apart from that, cyber security policies are observed by all CER employees at all times. Besides this, the CER office is protected with an alarm system while the room where the CER server is located is additionally protected with a badge entry system and kept locked any time the room is unoccupied. Only the CER employees responsible for the data processing and the IT maintenance team are in possession of the badges for the CER server room. Furthermore, CER ensures that all necessary measures of protection of the CER website are being taken, namely:

  • monthly maintenance and checks;
  • monthly back up of the CER website database;
  • limitation of administrator-level access to the website to a small number of CER employees and protection of this access with a strong password that is changed regularly.

Where CER processes your personal data

CER processes your personal data in Belgium and transfers your personal data outside of the European Economic Area (EEA) only if an adequate level of protection of such personal data is ensured.

To whom CER transfers your personal data

In order to organise and administer events CER may transfer your contact information to co-organiser(s) or hosting venue(s) of the event. In order to manage its communications, CER transfers personal data of the data subjects to a marketing automation platform outside of the EU which treats all personal data received from the EU in accordance with the Privacy Shield framework’s applicable principles.

How long CER retains your personal data

CER only retains your personal data for as long as it is strictly necessary to achieve the purpose(s) for which those data were collected. As soon as CER becomes aware of the fact that an individual no longer belongs to one of the groups of individuals listed above, CER will erase all the personal data of such individual. In particular, personal data provided by a job applicant and collected by CER as the result of a recruitment process, will be processed only for the duration of the application process and will be erased at the moment of its completion.


[1] You have the right to port your personal data or ask it to be ported by CER only when (a) CER processes your personal data based on your consent or when processing is necessary for the performance of a contract to which you are party; and (b) the processing is carried out by automated means.
[2] You can ask CER to erase your personal data if (a) it is no longer necessary for CER to process your personal data; (b) you withdrew your consent on which the processing was based and there is no other legal ground for the processing; (c) you objected to the processing and there are no overriding legitimate grounds for the processing; (d) your personal data have been unlawfully processed; (e) your personal data have to be erased for compliance with a legal obligation.
[3] You can ask CER to restrict processing of your personal data if a) you contested the accuracy of your personal data, for a period enabling CER to verify its accuracy; (b) the processing is unlawful and you opposed the erasure of your personal data and requested the restriction of their use instead; (c) CER no longer needs your personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; (d) you have objected to processing pending the verification whether the legitimate grounds of CER override yours.