Personal data management policy
[PURPOSE AND LEGAL BASIS OF PROCESSING]
The personal data provided by Users is collected and processed by SNCF Voyageurs in its capacity as data controller, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 in force since 25 May 2018 and Law no. 2018-493 of 20 June 2018.
The information that Users must provide in order to benefit from the My SNCF ID authentication service is as follows:
- Title
- Surname
- First name
- Date of birth
- Password
It is not mandatory to provide the other information requested when creating an account via the My SNCF ID authentication service. Not providing this information will not affect the provision of the My SNCF ID authentication service.
Users are responsible for the compulsory or optional personal data communicated to SNCF Voyageurs, its partners and subsidiaries mentioned in article 3.2 of the General Conditions of Use and Confidentiality of My SNCF ID.
The personal data collected from Users is used by SNCF Voyageurs for the following purposes:
|
Purposes of processing |
Sub-purposes |
Legal basis for processing |
|
Management of personalised travel support |
- Connection to User SNCF Voyageurs customer journeys and personalised support on all channels using the My SNCF ID authentication service - Personalised support for User purchases/travel, including the provision of Traveller Information to Users - Smooth creation, processing and follow-up of complaints |
Performance of the contract (in accordance with the General Conditions of Use and Confidentiality of My SNCF ID) |
|
Analysis of My SNCF ID customer needs and journeys |
Identification of functional improvements to be made to the service |
Legitimate interest |
Specific case of cookies:
First of all, what are cookies?
The CNIL defines a cookie it as "a small computer file, a tracker, placed on a user’s hard disk, for example, when a website is consulted, an e-mail is read, software or a mobile application is installed or used, whatever the type of terminal used (computer, smartphone, digital reader, video game console connected to the Internet, etc.)".
Cookies linked to the use of the My SNCF ID authentication service are placed on the Users’ terminals.
|
Cookies |
Purposes |
Retention period |
|
otp-jwt |
Avoids having to send a one-time password by e-mail if the user can be identified from a known terminal/browser |
364 days |
|
mid-session-id |
Enables the logged-in user to access the various authorised resources |
29 minutes |
|
datadome |
Enables DataDome controls |
one year |
|
SCFP12OAM / SCFP11OAM |
Ensures reliable access to the service |
Length of user session |
|
SCFP12API / SCFP11API |
Ensures reliable access to the service |
Length of user session |
|
SCFP12WEB / SCFP11WEB |
Ensures reliable access to the service |
Length of user session |
|
mid-site-id |
Ensures reliable access to the service |
Length of user session |
|
session-jwt |
Determines whether the sncfauth or sncfauthpersistent tree is used in OAM |
5 hours |
[RETENTION]
If the User does not log in to a customer area using the My SNCF ID authentication service for a period of 2 years and 11 months, an automatic e-mail will be sent to the User informing them that their authentication details will be deleted within one month. They are asked to log in again if they wish for their data to be stored again for a maximum of 3 years from the last connection.
If the User does not log in within one month, their authentication details will be permanently deleted. A new e-mail informs them of this. The User will then no longer be able to connect to the digital areas using the My SNCF ID authentication service.
The User may, at any time, request the deletion of their My SNCF ID credentials (see article TRANSPARENCY).
[TRANSFERS]
SNCF Voyageurs may share personal data with various types of third parties.
1. Service providers
Data is transferred to service providers for the purposes of:
- Supervising the proper operation of My SNCF ID and complying with security standards relating to personal data
- Providing operational and functional support for users of My SNCF ID
These services are provided by SNCF Connect & Tech Services, which uses processors.
|
Authorised processors |
Entrusted operations |
Location of operations |
|
AMAZON WEB SERVICES |
Data hosting |
Paris |
|
COMM VAULT |
Archiving back-ups |
Ile de France |
|
DATADOME |
Securing the tool |
Paris |
The service providers in question have been rigorously selected and have undertaken to comply with a certain number of security measures, all in line with the state of the art. SNCF Voyageurs reserves the right to audit service providers at any time to ensure the proper application of these measures.
2. Approved travel agencies
SNCF Voyageurs is required to share essential User data (i.e. title, surname, first name and e-mail) with SNCF sites and applications and approved travel agencies using the My SNCF ID authentication service from the moment a User decides to create a My SNCF ID account.
If the User modifies their essential data from a digital space, these updates will be reflected in all the customer spaces to which the customer has subscribed.
3. Authorities or any other third party where required by law
SNCF Voyageurs may also be required to transmit personal data to third parties, and in particular to the authorities, when required by law. SNCF Voyageurs may not be held liable in this respect.
[SECURITY]
SNCF Voyageurs shall take the necessary security measures to prevent any personal data breach that would impact Users of the My SNCF ID authentication service, be it caused by a malicious or accidental act. These measures cover a number of areas, such as:
- The integration of security into projects, including the formalisation of a risk analysis relating to cyber security in particular,
- The strict management of authorisations for SNCF Voyageurs staff and service providers who need to access Users' data as part of their activities,
- An obligation of confidentiality for all service providers who have access to Users' data,
- A security and regulatory watch enabling the authentication service to be regularly upgraded to maintain its level of security,
- The organisation of regular technical and functional audits leading to action plans, the implementation of which is monitored.
[TRANSPARENCY]
In accordance with current regulations, Users have various rights with regard to how their personal data is used. These rights are:
|
Access |
Rectification |
Portability |
|
Exercising their right of access allows a User to check the accuracy of the data concerning them and, if necessary, to have it rectified or deleted. |
Exercising their right to rectification allows a User to update their data. |
Exercising their right to data portability allows a User to transmit their data to a third party of their choice. |
|
Deletion |
Opposition |
Restriction |
|
Exercising their right of deletion allows a User to have their data deleted. |
Exercising their right to object allows a User to object to their data being processed for a specific purpose. |
Exercising their right to restriction allows a User to ask an organisation to temporarily freeze the processing of some of their data. |
Users may also have additional rights provided for by the national legislation to which they are subject, such as the definition of directives relating to the retention, deletion and communication of personal data after their death.
In the absence of instructions given by the User during their lifetime, a relative may request the deletion of personal data relating to the User's "My SNCF ID" authentication service by sending a document justifying their legitimacy as well as a document proving the User's death (in particular a death certificate).
The User may exercise these rights via several channels:
|
SNCF Voyageurs Equipe Protection des Données 1/3 rue Camille Moke CS 20012 93212 La Plaine Saint-Denis Cedex FRANCE |
|
|
Request to exercise rights form |
Users may also request the deletion of data relating to the authentication service via the SNCF Connect applications and websites.
Users may also contact their supervisory authority to report any irregularity in the use of their personal data.