Skip to main content Skip to page footer

Data privacy policy

Your trust is important to us. The protection of your data is our top priority, and we hereby gladly inform you how we ensure compliance with the relevant legal regulations. 

Your personal data are collected on this website. This privacy policy provides you with information on the nature, scope and purpose of the data processing. The terms used correspond to the definitions contained in Article 4 of the EU General Data Protection Regulation (GDPR). 


On Rail Gesellschaft für Eisenbahnausrüstung und Zubehör mbH
Steinesweg 10
D-40822 Mettmann

Phone: +49 (0)2104/9297-0
Fax: +49 (0)2104/9297-33

Types of data processed

  • Contact data (such as first/last name, phone number)
  • Usage data (such as websites visited, interest in contents, access times)
  • Communication data (such as IP address, browser version)

Categories of data subjects

Users of this website.

Purpose of processing

  • Provision of company information
  • Provision of contact options
  • Security measures to protect the website
  • Marketing and analysis of user behaviour

Terminology used

Personal data include any information relating to an identified or identifiable natural person (hereinafter referred to as “the data subject”). Identifiable refers to a natural person who, directly or indirectly, can be identified in particular by assignment to an identifier such as a name, an identification number, location data, an online identifier or using one or more special characteristics, such as the expression of physical, physiological, genetic, psychological, economic, cultural or social identity.

Processing is any process performed with or without the aid of automated procedures or any process associated with personal information, such as collecting, organizing, storing, adapting or altering, reading, querying, disclosure through transmission, dissemination or any other form of provision, reconciliation or association, restriction, erasure or destruction. 

The controller shall be the natural or legal entity, authority, institution or other body that decides alone or jointly with others about the purposes and means of processing personal data. 

Relevant legal bases

The basis of data protection law is the informational right of individual self-determination. In accordance with Article 13 GDPR, we hereby inform you about the legal basis of our data processing. The legal basis for obtaining consent is Article 6 (1) (a) and Article 7 GDPR, the legal basis for the processing of our services and the performance of contractual measures and answering requests is Article 6 (1) (b) GDPR, the legal basis for processing for compliance with our legal obligations is Article 6 (1) (c) GDPR, and the legal basis for processing in order to safeguard our legitimate interests is Article 6 (1) (f) GDPR. In the event that vital interests of the data subject or any other natural person require the processing of personal data, Article 6 (1) (d) GDPR serves as the legal basis.

Cooperation with third parties or processors

If, in the course of our processing, we disclose data to other persons and companies (third parties), transmit them or otherwise grant access to the data, this will only be done on the basis of a legal authorisation, if you have given your consent, or if a legal obligation so provides or based on our legitimate interest.

If we commission third parties to process data for order processing, this is done on the basis of Article 28 GDPR.

Transfers to third countries

If we process data in a third country or in the context of the use of third party services or disclose or transmit data to third parties, we shall only do so to fulfil our contractual or pre-contractual obligations, based on your consent, due to a legal obligation or on the basis of our legitimate interest. As far as permissible processing is concerned, this takes place on the basis of special guarantees, such as the officially acknowledged determination of an EU level of data protection or observance of officially recognised special contractual obligations.

Rights of the data subject

Information (Article 15 GDPR)
The data subject has the right to request confirmation as to whether any personal data relating to him or her will be processed. If this is the case, the data subject shall have the right to obtain information on such data and also about the processing purposes, their origin, the recipient, the duration of the storage and their rights.

Correction (Article 16 GDPR)
The data subject has the right to demand rectification or completion of any incorrect personal data. 

Deletion (Article 17 GDPR)
Data subjects have the right to request the deletion of their data - for example, if they are no longer required for the purpose for which they were originally collected or processed, or if they revoke their consent. A special form of the claim for deletion – the “right to be forgotten” – exists in cases where the controller has made the data to be deleted public. It must then take reasonable steps to inform the entities handling this information that the data subject requires them to delete all links to that data, copies or replications. 

Limitation of processing (Article 18 GDPR)
The data subject may also request the restriction of processing in certain cases. For example: if the data subject has objected to the processing and it is not yet certain whether the legitimate reasons of the controller outweigh those of the data subject.

Right to transferability (Article 20 GDPR)
The right to data transfer entitles data subjects, under certain conditions, to receive a copy of their personal data in a standard and machine-readable file format.

Complaints (Article 77 GDPR)
Data subjects have the right to lodge a complaint with the competent supervisory authority.

Right of withdrawal (Article 7 (3) GDPR)
Data subjects have the right to revoke granted consent with effect for the future.

Right of objection (Article 21 GDPR)
Data subjects can object to the future processing of your data at any time. The objection may in particular be made against processing for direct marketing purposes.

Deletion of data

The data processed by us will be deleted or limited in accordance with Articles 17 and 18 GDPR. Unless explicitly stated in this privacy policy, the data stored by us are deleted as soon as they are no longer required for their purpose and the deletion does not conflict with any statutory storage requirements. Unless the data is not deleted because it is required for other and legitimate purposes, its processing will be limited. This applies, for example, to data that must be retained for commercial or tax reasons.

Collection of access and log data

Based on our legitimate interest (Article 5 (1) (f) GDPR), we store data on every access to the web server to ensure availability. The access data includes the name of the retrieved web page, file, date and time of the retrieval, data volume, status messages, browser type and version, the user’s operating system, IP address and possibly further technical information.

For security reasons, log files are stored for a maximum of 7 days and then deleted. Data for evidence will be exempted from the deletion requirement until clarification of the incident.


When contacting us (such as via email, contact form, telephone) user details are processed to handle the request and to take the steps necessary to settle the request. User information may be stored in a suitable client management programme or equivalent organisational system.

We delete the data that has been saved as a result of the requests, if these are no longer required and do not contradict the legal archiving obligations.

Cookies and right to object to direct advertising

Cookies are small files that are stored on users’ computers. Different information can be stored within the cookies. A cookie may serve to store information about a user (such as browser version, user’s interest) during or after his or her visit to a web page. These cookies can be stored temporarily or permanently.

We can use temporary and permanent cookies and clarify this in the context of our privacy policy. If the data subject does not want cookies stored on their computer, they will be asked to disable the corresponding option in their browser’s system settings. Preventing cookies can lead to functional limitations of this website.

Data protection officer

If you have questions about data protection, you can also contact our data protection officer directly:

Guido Petermann
Siemensstraße 34
40227 Düsseldorf

Phone: +49 (0) 211 72139550