Skip to main content

Privacy Policy

1. Introduction.

Purpose & Scope: 

  • The purpose of this policy is to ensure that Railscape Limited protects personal and sensitive data in accordance with standards and applicable data protection regulations, such as, e.g. GDPR. This policy defines the principles, responsibilities, and procedures for handling personal data to maintain confidentiality, integrity, and privacy.

This policy applies to: 

  • All personal data processed by Railscape Limited, including data on employees, customers, partners, and vendors.
  • All employees, contractors, and third-party vendors handling or accessing personal data on behalf of Railscape Limited.
  • All systems, processes, monitoring and activities that involve the collection, storage, processing, and transfer of personal data.
2. Roles and Responsibilities.

Data Protection Officer (DPO): 

  • Oversees compliance with data protection regulations and this policy.
  • Manages data protection impact assessments (DPIAs) and provides guidance on data privacy matters.
  • Acts as the point of contact for data subjects and regulatory authorities regarding data protection.

Information Security Manager: 

  • Implements technical and organizational measures to ensure data security.
  • Coordinates with the DPO to enforce data protection controls.
  • Monitors data security incidents and ensures timely reporting of data breaches.

Department Managers: 

  • Ensure that personal data within their departments is processed in line with this policy.
  • Ensure employees in their departments complete data protection training.

All Employees 

  • Comply with this policy when handling personal data.
  • Report any data breaches or privacy concerns to the DPO.
3. Data Protection Principles.

Railscape processes personal data in compliance with the following principles: 

Lawfulness, Fairness, and Transparency: 

  • Personal data must be processed lawfully, fairly, and in a transparent manner.
  • Data subjects must be informed of the purposes, legal basis, and use of their data.

Purpose Limitation: 

  • Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

Data Minimisation: 

  • Collect only the personal data necessary for the purposes specified, avoiding unnecessary collection.

Accuracy: 

  • Ensure that personal data is accurate and kept up to date.
  • Take measures to rectify any inaccurate data promptly.

Protection of Records: 

  • Records will be protected using appropriate access controls, encryption, secure storage, and regular backups to ensure that they are available when needed and safeguarded against loss or unauthorized access.

Storage Limitation: 

  • Retain personal data only for as long as necessary for the purposes for which it was collected and processed, as specified in the Data Retention Policy.

Monitoring Activities: 

  • Monitoring activities are conducted to detect and prevent unauthorized access, ensure compliance with organizational policies, and protect personal and sensitive data from misuse or breaches.

Accountability: 

  • Maintain documentation of data processing activities, DPIAs, and compliance records to demonstrate adherence to data protection requirements.

Logs to Monitor: 

  • User access logs.
  • Application usage data.
  • System performance metrics.
4. Data Subject Rights.
  • Right to Access: Data subjects have the right to request access to their personal data.
  • Right to Rectification: Data subjects can request correction of inaccurate or incomplete data.
  • Right to Erasure (“Right to be Forgotten”): Data subjects can request deletion of their personal data under certain conditions.
  • Right to Restrict Processing: Data subjects can request limitations on how their data is processed.
  • Right to Data Portability: Data subjects can request their personal data in a commonly used format.
  • Right to Object: Data subjects can object to certain processing activities, such as direct marketing.
  • Right to Withdraw Consent: Where consent is the legal basis for processing, data subjects can withdraw it at any time.
5. Data Collection, Processing, and Storage.

Legal Basis for Processing: 

  • Personal data is processed based on one or more of the following legal bases: consent, contractual necessity, legal obligation, legitimate interests, or protection of vital interests.
  • Consent must be obtained for any processing activities not covered by other legal bases.

Data Collection and Use: 

  • Collect personal data only as needed for specific, legitimate purposes.
  • Ensure transparency with data subjects about the data collected and its intended use.

Data Storage: 

  • Store personal data in secure environments, applying access controls based on data sensitivity.
  • Encrypt sensitive data in storage and use secure backup methods as specified in the Backup Policy.
6. Third-Party Data Processing and Transfer.

Third-Party Processors: 

  • Third-party service providers that process personal data on behalf of Railscape Limited must comply with this policy and applicable data protection laws.
  • Data Processing Agreements (DPAs) must be in place with all third-party processors to outline data protection responsibilities.

International Transfers: 

  • Personal data transferred outside the EEA must have adequate safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
  • Approval from the DPO is required for any international data transfers.

Verification of Third-Party Compliance: 

  • The DPO periodically assesses third-party compliance with data protection requirements.
  • Non-compliant vendors may be subject to contract termination.
7. Data Security Measures.

Access Control: 

  • Restrict access to personal data to authorized individuals based on job requirements.
  • Use multi-factor authentication (MFA) for access to systems with sensitive personal data.

Encryption: 

  • Encrypt personal data at rest and in transit, using industry-standard encryption protocols (e.g., AES-256).

Data Masking: 

  • Railscape Limited will implement data masking techniques to protect sensitive information, ensuring that data is anonymised or obfuscated in non-production environments. 
  • Data masking will be applied to sensitive data sets to prevent unauthorised access and exposure of personally identifiable information (PII) during development, testing, or external data sharing in compliance with privacy regulations such as GDPR.

Techniques and Methods: 

  • Substitution: Replace sensitive data with realistic but fictional data.
  • Tokenization: Replace sensitive data with tokens that have no exploitable value.
  • Encryption: Encrypt sensitive data for added protection in certain contexts.
  • Shuffling: Reorganize data randomly while maintaining structure.

Logging and Monitoring: 

  • Monitor access to personal data and maintain activity logs, for sensitive information.

Data Protection Impact Assessments (DPIA): 

  • Conduct DPIAs for high-risk data processing activities to identify and mitigate privacy risks.

Incident Response: 

  • In case of a data breach, follow the Incident Management Policy for timely containment, investigation, and reporting.
8. Data Breach Management.

Incident Reporting: 

  • Employees must report any suspected data breaches to the DPO immediately.

Investigation and Mitigation: 

  • The DPO and Information Security Manager will investigate, mitigate, and document each incident.

Breach Notification: 

  • Notify affected data subjects and regulatory authorities within 72 hours if required by law.
9. Training and Awareness.

Employee Training: 

  • All employees receive training on data protection principles and this policy during onboarding and as part of annual training.

Ongoing Awareness: 

  • Regular awareness initiatives, such as newsletters and reminders, reinforce data protection best practices.
10. Compliance and Audit.

Internal Audits: 

  • Conduct regular audits to ensure compliance with this policy and data protection regulations.

Corrective Actions: 

  • Implement corrective actions promptly if any deficiencies are identified during audits.

Regulatory Compliance: 

  • Data masking will be used to comply with privacy regulations such as GDPR, CCPA, and other applicable laws requiring the protection of sensitive data.

Data leakage prevention: 

  • Content filtering, encryption, and data classification will be applied to ensure compliance with data protection laws and organisational standards. Special attention will be given to protecting personal data, intellectual property, and business-critical information.