Privacy Statement

INTRODUCTION

Abellio Transport Holdings Limited is committed to protecting and respecting your privacy when you use our services.

This Privacy Policy explains:

  • What personal data we collect from you when you use our website, apps, visit our offices, contact us, use our services, or WiFi;
  • How we will collect and use that information;
  • How we keep information secure; and
  • How you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint.

CONTENTS

  • Information we may collect from you
  • How we use your information
  • Sharing or disclosure of your information
  • Types of information we collect
    • Website visits
    • CCTV
    • Customer Relations database
  • Where we store your personal information
  • Information Security
  • Your rights

For the purposes of Data Protection Law, the data controller is:

Abellio Transport Holdings Limited
Abellio UK HQ
36 Renfield St
5th Floor, The Culzean Building
Glasgow
G2 1LU

Our Data Protection Manager (DPM) is:

Gabe Barrett

Second Floor
St Andrews House
18-20 St Andrew Street
London
EC4A 3AG

Our nominated Data Protection Officer (DPO) is:

Sheryl Campbell

Abellio UK HQ
36 Renfield St
5th Floor, The Culzean Building
Glasgow
G2 1LU

More information about the General Data Protection Regulation and all related and subordinate legislation as amended or re-enacted from time to time can be found on the Information Commissioners website.

The Information Commissioner is our regulator for data protection matters.

INFORMATION WE MAY COLLECT FROM YOU

We may collect and process information about you when you:

  • use our website, apps or Wifi;
  • make an enquiry;
  • contact Customer Relations; or
  • enter a competition; 

We collect information such as your contact details. This information is generally provided by you.

Sometimes we obtain details from third parties, for example if our Group structure changes or for legitimate business reasons.

HOW WE USE YOUR INFORMATION

We will only use the information you provide as permitted by Data Protection Law (DPL). Our reason(s) for using your data will vary depending on: how you contact us, the consent you have given, our legitimate interests, or legal obligations we may have. Reasons for use of your data include:

  • To provide you with the service - things like carrying out our obligations arising from any contracts. We mostly rely on the legal ground of contractual performance to process your data, but sometimes the data is also used for our legitimate interests of customer service, health and safety, improving our services and other legal obligations, like providing information to our regulators
  • To provide you with details of our services, information about travelling and customer service - this is based on our legitimate interests, to run train and associated services. Sometimes it is part of our contract or our other legal obligations

We are part of a Group of Companies and share administrative services and support. Your data may therefore be shared with other Group companies where appropriate. We are also required to pass certain customer data to successor franchisees, Secretary of State or Department for Transport.

Our Legitimate Interests

Running our business and Group businesses, in a safe and socially and environmentally responsible manner, efficiently, to provide sustainable and high quality, locally focused passenger transport services, improve and expand our services, be a leading employer in the transport sector, investing in and developing our staff, operating with financial discipline and reducing crime and fraud to provide shareholder value, provide and improve customer services.

SHARING OR DISCLOSURE OF YOUR INFORMATION

We will only share or disclose your information as set out in this Policy or in accordance with DPL and will obtain your consent where we are required to do so. We will only use third parties to process information where we are satisfied that they comply with these standards and can keep your data secure.

Due to the nature of the services we provide, we process a large range of data, in a manner of ways, across a number of solutions. Accordingly, it was deemed impractical to set out the details of all the third parties that we may share your data with below. You can find out more about the information we collect and how we use, share or disclose it below or by contacting us at [email protected].

We may share or disclose information for the following reasons:

  • We use data processors to provide or assist with some of our services. Where we do so, they must agree to strict contractual terms and to keep your data secure;
  • To comply with the police or other law enforcement agencies for the purposes of crime prevention or detection, these are dealt with on a case-by-case basis, under a specific Information Sharing Protocol, to ensure that any disclosure is lawful;
  • To comply with other legal obligations for example, relating to crime and taxation purposes or regulatory activity;
  • To protect our legitimate business interests, as outlined above;
  • If you have agreed (via freely given consent) to receive information for competition, promotion, survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to in the terms and conditions of the purpose; and
  • Where you have consented, to share with other members of the Abellio Group UK ("Abellio"), of which we are a member, where Abellio has any services, promotions and offers which we feel may interest you. Details of other members of Abellio can be found here.

TYPES OF INFORMATION WE COLLECT

CCTV

Camera systems we operate

Our CCTV is used to capture, record and monitor images of what takes place at our offices, in real time.

Depending on the type of camera, images are recorded on video tape (analogue) or as digital information. Cameras can be fixed or set to scan an area. In some circumstances, they can be operated remotely by controllers.

Why we operate CCTV cameras

We operate CCTV for the following purposes:

  • Health and safety of employees, passengers and other members of the public;
  • Prevention and detection of crime and anti-social behaviour.

Camera locations

We operate cameras at our offices.

Length of time CCTV footage is kept

CCTV footage at offices is generally held for a maximum of 31 days from the time of recording.

How to access your CCTV personal data

You can request copies of images or footage of yourself by making a Subject Access Request.

Disclosing CCTV/personal data to the police

At our discretion, we may disclose CCTV/personal data in response to valid requests from the police and other statutory law enforcement agencies.

Before we authorise any disclosure, the police have to demonstrate that the CCTV/personal data is necessary to assist them in the prevention or detection of a specific crime, or in the apprehension or prosecution of an offender.

Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the DPL.

Sharing CCTV footage with other third parties

We may disclose personal data to third parties, if required to by law or it is necessary for a legitimate purpose such as defending or bringing legal action. DPL allows us to do this where the request is supported by:

  • evidence of the relevant legislation
  • a court order
  • satisfactory evidence and assurances of the legitimate interest.

Legitimate interest would include requests such as defending or making a legal claim, such as to insurers following a vehicle collision in a carpark. When we are not required to provide CCTV, we will take into account the circumstances and any potential harm to individuals, we may also charge a fee and seek indemnity for any use beyond which it is requested.

External guidelines and best practice

Abellio Transport Holdings Limited operates its CCTV systems in compliance with the CCTV Code of Practice issued by the Information Commissioner's Office (ICO) in 2017. The Code describes best practice standards which should be followed by organisations operating devices which view or record images of individuals. It also covers other information derived from those images that relates to individuals (for example vehicle registration marks).

WEBSITE VISITS

This section shows the information we collect when you use our website. Before providing us with your details, please read the following important information regarding:

  • Collection of visitor information;
  • Hyperlinks;
  • Cookies; and
  • Session Cookies;
  • Other storage technologies.

Collection of visitor information

We will only use the information that we collect about you lawfully, in accordance with the DPL.

The details you provide about yourself and any other information which identifies you ('Personal Information') is held by Abellio Transport Holdings Limited on this website (the "Site") for operational purposes, for example if you contact us using this website.

Abellio Transport Holdings Limited gathers general information about users, for example, what services users access the most and which areas of the Abellio Transport Holdings Limited site are most frequently visited. Such data is used in the aggregate to help us to understand how the Abellio Transport Holdings Limited site is used. We gather this information so that we can continue to improve and develop our website user experience to the benefit of our website visitors. We may make this aggregated information available to users of the Abellio Transport Holdings Limited site and to auditors. These statistics are anonymous and contain no personal information and cannot be used to gather such information.

Hyperlinks

We may provide hyperlinks from the site to third party websites. No liability is accepted for the contents of any site operated by a third party which may be accessed via links from the site. These links are provided for your convenience only and do not imply that Abellio Transport Holdings Limited approves or recommends the content of such sites. We encourage our users to be aware when they leave our site to read the privacy statements of each and every website that collects personal data. This Privacy Policy applies solely to information collected by Abellio Transport Holdings Limited.

Cookies

Our website uses cookies to help us to provide you with a good experience when you browse our website and also allows us to improve our website.

So what is a cookie?

A "cookie" is a small text file that is placed on your equipment when you visit a website (equipment like computer, phone, tablet).

There are several types of cookies:

Functional cookies

The functional or session cookies are used to provide services or to store your preferred settings. For example for:

  1. remembering the products you purchase during online shopping;
  2. memorizing and passing on the information that you enter during the log-in process or that you leave behind on the various web pages during the ordering process, so that you do not have to enter the same data every time;
  3. saving your preferences;
  4. detecting abuse of our websites.
Analytical cookies

These cookies are used to analyze your visit to our websites. For example, we analyze the number of visitors visiting our websites, the duration of the visits, the order of the pages visited and whether the pages of a website need to be adjusted. With the help of the collected information we can organize our websites more user-friendly. Furthermore, these cookies are used to solve possible technical problems on the websites.

Marketing and tracking cookies

Only if you have given us permission in advance will we use tracking cookies for commercial purposes. These cookies, often placed by third parties, help us to be able to offer you personalized offers. Third parties can follow your internet behavior with tracking cookies. Abellio Transport Holdings uses a Tag Management System from Google Tag Manager to manage the choice of cookies. This way we can guarantee that no cookies are processed that you have not explicitly given permission for.

Other techniques

In addition to cookies, Abellio Transport Holding also uses Javascripts and web beacons. By using Javascript in your browser we can make our sites interactive and develop applications for the web. A web beacon is a small graphic image on our sites. By means of this image, we can, for example, determine how many visitors saw the page at which times. These techniques can also be used for marketing and tracking purposes.

Cookies from external parties

Some of the cookies are placed with the consent of Abellio Transport Holdings by third parties with the aim to bring certain products and services to your attention or to give you direct access to social media:  Google Analytics , Google Maps , Twitter , YouTube , LinkedIn , Google Adwords , Cloudfront and Facebook . For the cookies that these external parties place, the information they collect with them and the purpose for which that information is used, we refer to the privacy statements of these parties on their own websites. These statements can change regularly and Abellio Transport Holdings has no control whatsoever.

Would you like to know more about cookies? Then go to http://www.allaboutcookies.org/

An overview of the cookies & similar techniques that we use can be found here.

CUSTOMER RELATIONS DATABASE

We collect your information and comments when you contact us by letter, email, web form, phone or social media.

Personal details we hold

We may hold your name, address, date of birth, email address, phone number, social media name, our correspondence with you, or other supporting information you may provide.

To ensure that we carry have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record or monitor telephone calls, however you will always be told when this happens.

How we use your personal data

This information is used for administration of correspondence as well as for fraud prevention purposes. We also use it to respond to complaints.

Length of time records are kept

Records are kept for 2 years.

Sharing data with third parties

We do not routinely share your personal data with any third parties. We may disclose personal data to third parties, if required to by law or it is necessary for a legitimate purpose such as defending or bringing legal action.

CHILDREN'S DATA

We do not routinely process children's data, however in the rare instances that we do we may be required to gain consent from a parent or guardian to process the child's data.

Where we chose to rely on consent as the legal basis for processing children's personal data, consent may be required from a person holding 'parental responsibility' (note that under the GDPR the UK could chose to implement a lower age boundary than 16 in defining a "child" in law, as long as it is not below 13).
The children's consent must be freely given, specific, informed and unambiguous.

WHERE WE STORE YOUR PERSONAL INFORMATION

The information that we collect from you will only be stored in the European Economic Area ("EEA") or, where it is necessary to disclose it to our processors located outside the EEA, other jurisdictions which are acceptable according to guidance provided by the Information Commissioner and/or where appropriate legal and security safeguards are in place. Please contact the DPO/DPM if you wish to find out more about the safeguards.

INFORMATION SECURITY

We use a range of appropriate technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.

YOUR RIGHTS

Unless stated otherwise we will aim to satisfy your instruction, or inform you as to why we are unable to, without undue delay and within 30 days. If we anticipate that we will not meet with this timeframe we will let you know within 30 days and explain what the problem is.

ASK FOR A COPY OF YOUR PERSONAL DATA

You are entitled to request a copy of the personal information we hold about you.

We may need to ask for some further information, such as checking who you are. You can download and send this form to [email protected], which will help us deal with your request more efficiently.

Please let us know in what format you wish to receive your information.

Sometimes we may hold information that we don't have to provide, for example if it would prejudice a police investigation or if the disclosure would cause harm to another person whose personal data is inseparable from your data.

In most cases we provide the copy of your data to you for free. We have set out some information about when it might not be free, or provided below.

RECTIFICATION / RESTRICTION

If you believe the information we hold about you is inaccurate or incomplete you can contact us and ask us to correct it. You may also request any data processing we are carrying out on your data is halted whilst a request for rectification, objection or a dispute over the lawfulness of processing is being considered. We will provide a response confirming the action we have taken or disagree with taking.

DELETION

This is also known as the "Right to be forgotten", you can request deletion or removal of personal information in some circumstances, such as where there is no compelling reason for its continued processing. We will also take reasonable steps to notify third parties of your instruction and request that they act upon it, in a similar manner.

HOW WE DEAL WITH RIGHTS REQUESTS

We do not charge you a fee for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can make a decision about what you wanted to do next.

There are various limitations and exemptions in relation to the exercise of rights in DPL - for example if it would affect another's rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.

COMPLAINTS

The DPO role has been established in a manner to remain independent of business decisions. If you wish to lodge a complaint against:

  • the business, please contact our DPO; or
  • the DPO, please contact the ICO.

We also have a complaints policy. If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please us know. Our DPO is the first point of contact for dealing with Rights Requests and complaints and they are assisted by Customer Relations. If you are not satisfied with the way in which they have handled your complaint or rights request then you can contact the Group DPO (by emailing [email protected]).

If you are not satisfied with the response you can complain to the ICO. Their contact details are:

Head office
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Fax: 01625 524 510

Website

HOW LONG WE KEEP YOUR PERSONAL DATA FOR?

We'll store your information for as long as we have to by law or regulatory requirement. If there's no legal or regulatory requirement, we'll only store it for as long as we need it. We'll also keep some personal information for a reasonable period after your last contact with us – just in case you decide to use our services again. We, or one of our partners, may contact you about our services during this time if you have opted in to receiving marketing communications from us.

We may also keep your personal data for the purposes of our legitimate interests in running our Group businesses, including anonymising or pseudonymising data for analysis.

CHANGES TO THIS PRIVACY POLICY

We may revise this Privacy Policy from time to time. The most current version of this policy will govern use of your information and will always be at www.abellio.com/privacy-statement. By continuing to access or use the Service after those changes become effective, you agree to be bound by the revised Privacy Policy.


This Policy was last updated on [18/05/2018].