2 Who we are
Transport for Wales Rail Ltd is registered in England and Wales under Company Number 12619906 and our Registered Office is 3 Llys Cadwyn, Pontypridd, Wales, CF37 4TH.
We are a “controller” of the personal data we collect. This means we decide the “how” and “why” of the processing of your personal data and are responsible for making sure it is handled in accordance with data protection law.
We are listed on the Information Commissioner’s Office register of fee payers and our registration number is ZA856002.
3 Summary of this notice
(a) We handle various categories of your personal data (including special categories of personal data such as passenger assistance requirements and information about your health) to provide our services to you and in accordance with certain obligations to which we are subject. We will process your personal data only in compliance with applicable laws, and only where we have a lawful basis for doing so.
(b) We will only send you our newsletters or other marketing communications where you have given us your consent to do so (you can withdraw consent at any time).
(c) Generally, we collect your personal data directly from you. In some cases we may collect your personal data from third parties, such as ticket resellers, other rail operators or public agencies in order to provide you with our services.
(d) We may share your personal data with third parties who will use it for their own purpose, such as Transport for Wales who are owned by The Welsh Ministers and are the train franchising authority. We may also share your personal data with third parties who perform services on our behalf (such as payment providers or cloud storage providers).
(e) Under certain circumstances, we may transfer your personal data outside of the UK or outside of the European Economic Area. We will ensure that appropriate safeguards are in place in respect of any such transfer.
(f) We will retain your personal data only for as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements.
(g) You have rights over your personal data, which have been set out in section 12 below. To exercise your rights, please contact us using the details in section 17 below. If you consider that we have not treated your complaint properly or have otherwise breached your data protection rights, you have the right to complain to the UK’s data protection regulator. Further information on how to do so is set out in section 18 below.
4 What personal data we collect about you
When we use the terms “personal data” and “processing”:
- “personal data” means any information that relates to a living person from which they can be identified. Your name, address and birth date are all examples of “personal data”; and
- “processing” means any handling or operation involving your personal data. Collection, recording, storage, alteration use, and transmission are all examples of “processing” of personal data.
When you use our services and products, or visit this website, we will typically process the following types of personal data about you:
(a) your name, residential address, email address, phone number, social media user name / display name and other contact details;
(b) your debit or credit card details, billing address and delivery address;
(c) details about the journeys you have made on our services and about other products and services you have purchased from us;
(d) our correspondence with you and any compensation or delay repay claims you may have made;
(e) details of your marketing preferences;
(f) your location data;
(h) videos and images of you obtained through CCTV cameras in operation on our trains and at stations from which we operate; and
(i) other video and audio capture technology (for example, but not limited to, body-mounted cameras) which we may use for the purposes of ensuring safety and for the prevention and detection of crime on our services.
Special categories of personal data
When we use the term “special category data”, we simply mean certain categories of personal data, which are, by their nature, more sensitive and therefore require a greater level of protection under data protection law. These categories include health data, and data about an individual’s ethnic origin.
You may opt to give us certain personal data relating to your medical conditions and any disabilities if you request accessibility assistance when, for example, getting on and off a train. If you book assistance in advance, we will need to share this information to our station and train staff so that they know the help you need, the services you are travelling on and any connections you may need to make.
Criminal offence data
If you are the victim of a crime or commit, are involved in, or are suspected of committing a crime while using our services or at a station from which we operate, we may process your personal data in relation to the incident.
5 How we collect your personal data
5.1 Collection from you
We collect personal data direct from you when you:
(a) sign-up to receive our newsletter and marketing communications;
(b) contact us via email, telephone or one of the forms on our website or on our mobile application (the “TFW Rail App”);
(c) register with us and/or fill in a form on our website or the TFW Rail App, including (but not limited to) fault reporting, submitting an enquiry to us, registering a complaint with us, submitting praise to us for one of our employees or submitting an enquiry relating to lost property;
(d) purchase a ticket, a season travel ticket or a smart card from us using our website (including via www.buytickets.tfwrail.wales or m.buytickets.tfwrail.wales (accessible through our website’s homepage)) or using the TFW Rail App;
(e) browse our website or use the TFW Rail App;
(f) have your image captured on CCTV or other video and audio capture technology - for example, but not limited to, body-mounted cameras - which we may use for the purposes of ensuring safety and for the prevention and detection of crime on our services on our trains or in a station from which we operate;
(g) use our customer service or information points at any of the stations from which we operate;
(h) signing up for an email or SMS alert from us relating to a journey;
(i) make a claim under “Delay Repay” compensation scheme for delays to our service;
(j) request accessibility assistance from us (as described in section 4 above, under the heading “special categories of personal data”);
(k) use our on-board Wi-Fi services.
5.2 Collection from third parties
We may also collect your personal data from third party sources and other organisations, including when you:
(a) book a ticket through a third party re-seller, such as Trainline (www.thetrainline.com); and
(b) contact us through a third party social media platform, such as Twitter and Facebook.
6 How we process your personal data lawfully
We only use your personal data where we have a valid lawful basis. We have set out below the lawful basis we rely on that the ways in which we use your personal data. We will process your personal data as necessary and where:
6.1 you have given your consent to such processing, which will include if you:
(a) you opt-in to receive our marketing communications via email, SMS or post, by completing the form on our website;
(b) submit an enquiry or ask us for further information, either by completing the “contact us” form (or another enquiry form, such as the “lost property” enquiry form) on this website, emailing us or speaking to one of our staff;
6.2 the processing is necessary to perform our obligations under a contract with you, for example:
(a) where you provide us with an email or residential address so we can deliver tickets to you;
(b) if you open an online account with us, we use your details to manage your account and record your journey history;
(c) to handle the administration of your payments, issue your tickets or other products, or confirm your order where this is necessary for us to provide our services under an agreement with you;
(d) to manage refunds, fees, compensation or charges; and
(e) to recovering money owed to us or preventing us enabling fraud;
6.3 the processing is necessary for compliance with our legal obligations, for example:
(a) to share your personal data with government agencies or law enforcement authorities for the purposes of fraud prevention; and
(b) to maintain a suppression list if you decide to opt-out of our communications to ensure that we do not breach data protection laws by communicating with you when you have asked us not to;
6.4 the processing is necessary to protect your vital interests or someone else’s including:
(a) if you are taken ill on a train or there is an emergency we may need to share your details with the emergency services;
(b) to carry out health and safety assessments, and keep records of incidents at stations from which we operate or on our services where it is necessary to comply with a legal obligation, necessary to protect the vital interests of any individual;
6.5 the processing is necessary for our legitimate interests or those of any third party recipients that receive your personal data, for example:
(a) to improve our services or develop our products or website;
(b) to contact you about your journey or notify you of any changes to our service;
(d) to monitor our website and use data analytics to improve our website, products, services, and marketing, and to ensure that the content on our website is presented to you as effectively as possible;
(e) to develop our products and services and in informing our marketing and corporate strategy; and
(f) comply with court orders and exercise and/or defend our legal rights.
Generally, we are only allowed to process your special category data under specific circumstances, these include where:
(a) you have given your explicit consent to such processing for example, where we obtain consent from you for processing of your health data to provide you with passenger assistance services;
(b) the processing is necessary to protect your vital interests someone else’s, or where you are incapable of giving consent for example, if you are taken ill on a train or there is an emergency we may need to share your details with the emergency services; and
(c) the processing is necessary for the establishment, exercise or defence of legal claims for example, where we need to provide personal data to the British Transport Police.
7 Automated decision making
In limited circumstances, we may make entirely automated decisions about you. Currently this only applies for decisions we make relating to the “Delay Repay” compensation scheme. You can make a claim for Delay Repay compensation, or check the status of your application at: https://tfwrail.wales/help-center/delay-repay-compensation. We use automated decision making for this purpose to enable us to issue compensation to eligible passengers as quickly and effectively as possible. This automated decision making processes could result in your claim for compensation being rejected.
If this has significant effect on you, you have the right to object to this automated decision making process and request human intervention. If you believe your claim has been incorrectly rejected, you will have the option to appeal. Please submit an appeal with additional information to support your claim and a member of our team will investigate your claim further.
You can make an appeal by clicking on the Check My Claim Status button on the Delay Repay Claim Form and logging in using your claim reference number and the email address you entered when the claim was submitted. You have 1 month to submit an appeal for a claim.
More information can be found in the “FREQUENTLY ASKED QUESTIONS” section of the Delay Repay page of the Site.
We will use your personal data to send you marketing communications and/or our newsletter where we have your consent to do so.
Where possible we tailor marketing to you based on your journey history and your chosen marketing preferences.
The types of communication you receive from us and the way in which we deliver it to you (by email, phone, post or SMS) will depend on the consent that you have given us.
You have the right to withdraw your consent to our marketing communications at any time. This can be done by contacting us at the details below, clicking the unsubscribe link in our emails, or replying STOP to an SMS marketing communication from us. You can also manage your marketing preferences by logging into your account at any time.
9 When we share your personal data
We do not and will not sell, rent out or trade your personal data. We may use third parties to carry out certain business functions on our behalf (such as our hosting or payment providers) and may transfer your personal data to these third parties so that they can perform those functions. We may also disclose your personal data to third parties who will process it for their own purposes and determine how the data is processed.
(a) Transport for Wales, who are owned by The Welsh Ministers and are the franchising authority, where we or Transport for Wales have a legitimate interest in the sharing of your personal data, or where another lawful basis for such sharing applies;
(b) third parties who process your personal data on our behalf (such as cloud or hosting providers, payment providers, marketing and research providers, analytics and search engine optimisation providers, and customer satisfaction and service providers);
(c) our professional advisors (including auditors, lawyers and accountants);
(d) any of our group companies (meaning our parent company, any subsidiaries of our parent company, and any of their subsidiaries), including (but not limited to) Transport for Wales;
(e) other rail industry bodies including (but not limited to) Network Rail, the Department for Transport, and other rail operators;
(f) any third party to whom we assign or novate any of our rights or obligations;
(g) any prospective buyer in the event we sell any part of our business or assets;
(h) any replacement franchisee (or prospective franchisee), Transport for Wales and/or any other franchising authority if our rail franchise is awarded to another operator in the future; and
(i) law enforcement agencies, including (but not limited to) the British Transport Police, fraud prevention agencies and/or courts where we are required to do so by applicable law or regulation or at their request or where we are validating a claim.
There may be links to third party websites of applications within our website, for example to Trainline.com. We are not responsible for the content or privacy compliance of such third party websites or applications. You should make sure you check those websites or applications for their privacy notices and terms that apply to them.
10 International transfers of your personal data
We may use suppliers located in or otherwise transfer your personal data to a country or territory outside of the United Kingdom, either within the European Economic Area (“EEA”) or in another third country. This may include countries whose laws may not offer the same level of protection of personal data as are enjoyed within the UK.
We will ensure that any such international transfers are made subject to appropriate or suitable safeguards as required by data protection law.
Such safeguards include (but are not limited to) putting in place Standard Contractual Clauses as approved from time-to-time by the relevant UK data protection authority or the EU Commission (as appropriate). The UK form of these Standard Contractual Clauses (as adopted from time-to-time by the relevant authority) can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/sccs-after-transition-period/.
Where applicable, copies of the relevant safeguard documents are available on request to the contact details below.
11 How we protect your personal data
We are committed to safeguarding and protecting personal data and will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to protect any personal data provided to us from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Any third parties we share or have access to your personal data are bound by contractual obligations to maintain the security and confidentiality of that data.
12 Your rights in relation to the personal data we collect
12.1 Your rights
If you wish to:
- rectify, delete or obtain a copy of the personal data that we hold on you;
- restrict or stop us from using any of the personal data which we hold on you, including by withdrawing any consent you have previously given to the processing of such data; or
- where any personal data has been processed on the basis of your consent or as necessary to perform a contract to which you are a party, request a copy of such personal data in a suitable format which can be ported to another operator, you can request this by contacting us at the details below.
We endeavour to respond to such requests within one calendar month or less, although we reserve the right to extend this period for complex requests.
In any of the situations listed above, we may request that you prove your identity by providing us with a copy of a valid means of identification for us to comply with our security obligations and to prevent unauthorised disclosure of data.
We reserve the right to charge you a reasonable administrative fee for any manifestly unfounded or excessive requests concerning your access to your personal data, and for any additional copies of the personal data you request from us.
12.2 Withdrawing your consent or objecting to processing
Where you have provided us with your consent, you have the right to withdraw this at any time. This will not affect the lawfulness of any processing performed before your withdrawal.
If you withdraw your consent for marketing communications and/or our newsletter (see section 8 above), we will not be able to send you any further marketing communications unless you re-subscribe, and you may miss out on important offers and deals which are of interest to you.
Where we rely on your explicit consent to process your special category data to provide you with passenger assistance services and you withdraw such consent, we will no longer be able to provide you with the assistance you have requested unless an alternative legal basis applies to such processing.
You have the right to object to processing based on legitimate interests.
12.3 Failure to provide personal data
In certain circumstances it will be necessary for you to provide us with your personal data, to enable us to manage our operations, to provide services to you or to comply with our statutory obligations. In other circumstances, it will be at your discretion whether you provide us with personal data or not. However, failure to supply any of the personal data we request may mean that we are unable to maintain or provide services or products to you.
13 Keeping your personal data up to date
We make every effort to maintain the accuracy and completeness of your personal data and to ensure all of your personal data is up-to-date. However, you can assist us with this considerably by updating your data through your online account or otherwise on our website (where possible), or promptly contacting us if there are any changes to your personal data or if you become aware that we have inaccurate personal data relating to you.
14 How long we will hold your personal data for
We will retain your personal data only as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory, reporting or internal policy requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
17 How you can contact us
Address: Data Protection Officer, Transport for Wales, 3 Llys Cadwyn, Pontypridd, Wales, CF37 4TH
18 How to lodge a complaint to the supervisory authority
You are entitled to lodge a complaint with our data protection supervisory authority if you consider that we have breached your data protection rights. Our data protection regulator is the Information Commissioner’s Office (ICO) (www.ico.org.uk), which can be contacted at:
Postal address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://ico.org.uk/make-a-complaint/
We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.