Your privacy and trust are important to us and this Privacy Notice provides important information about how Keolis Amey Operations/Gweithrediadau Keolis Amey Limited (trading as Transport for Wales Rail Services, and referred to in this Privacy Notice as "Keolis Amey", "we", "us" and "our") treats your personal data. We are committed to keeping your personal data safe and confidential both online and offline.
The purpose of this Privacy Notice is to make you aware of the types of personal data we collect, how we process it, who it may be transferred to and the rights you have in relation to it. Please read this Privacy Notice carefully and contact us using the details in paragraph 16 below if you have any questions or complaints in relation to our privacy practices.
1. WHO WE ARE
Keolis Amey Operations/Gweithrediadau Keolis Amey Limited (trading as Transport for Wales Rail Services) is registered in England and Wales under Company Number 11389531 and our Registered Office is Keolis (UK) Limited, Evergreen Building North, 160 Euston Road, London, NW1 2DX.
We are a "controller" for the purposes of the General Data Protection Regulation 2016/679 ("GDPR"). This means we decide the "how" and "why" of the processing of your personal data and are responsible for making sure it is handled in accordance with data protection law.
We are listed on the Information Commissioner's Office register of fee payers and our registration number is ZA456547.
2. SUMMARY OF THIS NOTICE
We recommend that you read this Privacy Notice in full to understand how we treat your personal data and the purposes for which it is processed. The key points are:
- (a) We handle various categories of your personal data (including special categories of personal data such as passenger assistance requirements and information about your health) to provide our services to you and in accordance with certain obligations to which we are subject. We will process your personal data only in compliance with applicable laws, and only where we have a lawful basis for doing so.
- (b) We will send you our newsletters or other marketing communications where you have given us your consent to do so (you can withdraw consent at any time).
- (c) Generally, we collect your personal data direct from you. In some cases we may collect your personal data from third parties, such as ticket resellers, other rail operators or public agencies in order to provide you with our services.
- (d) We may share your personal data with third parties who will use it for their own purpose, such as Transport for Wales who are owned by the Welsh Government and are the train franchising authority. We may also share your personal data with third parties who perform services on our behalf (such as payment providers or cloud storage providers).
- (e) Under certain circumstances, we may transfer your personal data outside of the European Economic Area. We will ensure that appropriate safeguards are in place in respect of any such transfer.
- (f) We will retain your personal data only for as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements.
- (g) You have rights over your personal data, which have been set out in paragraph 10. To exercise your rights, please contact us using the details in paragraph 16. If you consider that we have not treated your complaint properly or have otherwise breached your data protection rights, you have the right to complain to the UK's data protection regulator. Further information on how to do so is set out in paragraph 17.
3. WHAT PERSONAL DATA WE COLLECT ABOUT YOU
When we use the term "personal data", we mean any information which relates to a living person from which they can be identified. Your name, address and birth date are all examples of personal data.
"Processing" means any handling or operation involving your personal data. For example collection, recording, storage, alteration use, and transmission are all examples of "processing" of personal data.
When you use our services and products, or visit this website, we will typically process the following types of personal data about you:
(a) your name, residential address, email address, phone number, social media name and other contact details;
(b) your debit or credit card details, billing address and delivery address;
(c) details as to you journeys made on our services and about other products and services you have purchased from us;
(d) our correspondence with you and any compensation claims you may have made;
(e) details of your marketing preferences;
(f) your location data;
(g) details of your visits to our website, such as your browser type including any plug-ins and version, your operating system, your IP address and your login information for verification purposes; and
(h) videos and images of you obtained through CCTV cameras in operation on our trains and at stations from which we operate.
Sensitive personal data
When we use the term "sensitive personal data" or "special category data", we simply mean certain categories of personal data which are, by their nature, more sensitive and therefore require a greater level of protection under data protection law. These categories include health data, and data about an individual's ethnic origin.
You may opt to give us certain personal data relating to your medical conditions and any disabilities if you request accessibility assistance when, for example, getting on and off a train. If you book assistance in advance, we will need to share this information to our station and train staff so that they know the help you need, the services you are travelling on and any connections you may need to make.
Criminal offence data
If you are the victim of a crime or commit, are involved in, or are suspected of committing a crime while using our services or at a station from which we operate, we may process your personal data in relation to the incident.
4. HOW WE COLLECT YOUR PERSONAL DATA
We collect personal data direct from you when you:
(a) sign-up to receive our newsletter and marketing communications;
(b) contact us via email, telephone or one of the forms on our website or on our mobile app;
(c) register with us and/or fill in a form on our website or our mobile app;
(d) purchase tickets or season travel ticket from us using our website or via www.trainline.com;
(e) browse our website or use our mobile app;
(f) have your image captured on CCTV on our trains or in a station from which we operate;
(g) use our customer service or information points at any of the stations from which we operate;
(h) register a complaint with us;
(i) make a claim under "Delay Repay" compensation scheme for delays to our service;
(j) use our on-board Wi-Fi services. Collection from third parties We may also collect your personal data from third party sources and other organisations, including when you:
- (a) book a ticket through a third party re-seller, such as Trainline; and
- (b) contact us through a third party social media platform, such as Twitter and Facebook.
5. HOW WE PROCESS YOUR PERSONAL DATA LAWFULLY
We only use your personal data where we have a valid lawful basis. We have set out below the lawful basis we rely on that the ways in which we use your personal data. We will process your personal data as necessary and where:
(a) you have given your consent to such processing, which will include if you:
- (i) you opt-in to receive our marketing communications via email, SMS or post, by completing the form on our website;
- (ii) submit an enquiry or ask us for further information, either by completing the "contact us" for on this website, emailing us or speaking to one of our staff;
(b) the processing is necessary to perform our obligations under a contract with you, for example:
- (i) where you provide us with an email or residential address so we can deliver tickets to you;
- (ii) if you open an online account with us, we use your details to manage your account and record your journey history;
- (iii) to handle the administration of your payments, issue your tickets or other products, or confirm your order where this is necessary for us to provide our services under an agreement with you;
- (iv) to manage refunds, fees, compensation or charges; and
- (v) to recovering money owed to us or preventing us enabling fraud;
(c) the processing is necessary for compliance with our legal obligations, for example:
- (i) to share your personal data with government agencies or law enforcement authorities for the purposes of fraud prevention; and
- (ii) to maintain a suppression list if you decide to opt-out of our communications to ensure that we do not breach data protection laws by communicating with you when you have asked us not to;
(d) the processing is necessary to protect your vital interests or someone else's including:
- (i) if you are taken ill on a train or there is an emergency we may need to share your details with the emergency services;
- (ii) to carry out health and safety assessments, and keep records of incidents at stations from which we operate or on our services where it is necessary to comply with a legal obligation, necessary to protect the vital interests of any individual;
(e) the processing is necessary for our legitimate interests or those of any third party recipients that receive your personal data, for example:
- (i) to improve our services or develop our products or website;
- (ii) to contact you about your journey or notify you of any changes to our service;
- (iii) to notify you about changes to our website, terms of business, Privacy Notice or other terms and conditions in order to keep our customers up to date with our most recent policies, maintaining our network security and administering our IT services;
- (iv) to monitor our website and use data analytics to improve our website, products, services, and marketing, and to ensure that the content on our website is presented to you as effectively as possible;
- (v) to develop our products and services and in informing our marketing and corporate strategy; and
- (vi) comply with court orders and exercise and/or defend our legal rights.
Generally, we are only allowed to process your sensitive personal data under specific circumstances, these include where:
- (i) you have given your explicit consent to such processing for example, where we obtain consent from you for processing of your health data to provide you with passenger assistance services);
- (ii) the processing is necessary to protect your vital interests someone else's, or where you are incapable of giving consent for example, if you are taken ill on a train or there is an emergency we may need to share your details with the emergency services; and
- (iii) the processing is necessary for the establishment, exercise or defence of legal claims for example, where we need to provide personal data to the British Transport Police.
We will use your personal data to send you marketing communications and/or our newsletter where we have your consent to do so.
Where possible we tailor marketing to you based on your journey history and your chosen marketing preferences.
The types of communication you receive from us and the way in which we deliver it to you (by email, phone or SMS) will depend on the consent that you have given us.
You have the right to withdraw your consent to our marketing communications at any time. This can be done by contacting us at the details below, clicking the unsubscribe link in our emails, or replying STOP to an SMS marketing communication from us. You can also manage your marketing preferences by logging into your account at any time.
7. WHEN WE SHARE YOUR PERSONAL DATA
We do not and will not sell, rent out or trade your personal data. We may use third parties to carry out certain business functions on our behalf (such as our hosting or payment providers) and may transfer your personal data to these third parties so that they can perform those functions. We may also disclose your personal data to third parties who will process it for their own purposes and determine how the data is processed.
We will share your personal data only in the ways set out in this Privacy Notice, and in particular, with the following recipients:
(a) Transport for Wales, who are owned by the Welsh Government and are the franchising authority, where we or Transport for Wales have a legitimate interest in the sharing of your personal data, or where another lawful basis for such sharing applies;
(b) third parties who process your personal data on our behalf (such as cloud or hosting providers, payment providers, marketing and research providers, analytics and search engine optimisation providers, and customer satisfaction and service providers);
(c) our professional advisors (including auditors, lawyers and accountants);
(d) any of our group companies (meaning our parent company, any subsidiaries or our parent company, and any of their subsidiaries);
(e) other rail industry bodies including Network Rail, the Department for Transport, and other rail operators;
(f) any third party to whom we assign or novate any of our rights or obligations;
(g) any prospective buyer in the event we sell any part of our business or assets;
(h) any replacement franchisee (or prospective franchisee), Transport for Wales and/or any other franchising authority if our rail franchise is awarded to another operator in the future; and
- (i) law enforcement agencies, fraud prevention agencies and/or courts where we are required to do so by applicable law or regulation or at their request.
7.2 There may be links to third party websites of applications within our website, for example to Trainline.com. We are not responsible for the content or privacy compliance of such third party websites or applications. You should make sure you check those websites or applications for their privacy notices and terms that apply to them.
8. INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA
We may use suppliers located in or otherwise transfer your personal data to a country or territory outside the European Economic Area ("EEA"), including to countries whose laws may not offer the same level of protection of personal data as are enjoyed within the EEA.
We will ensure that any such international transfers are made subject to appropriate or suitable safeguards as required by data protection law. Where applicable, copies of the relevant safeguard documents are available on request to the contact details below.
9. HOW WE PROTECT YOUR PERSONAL DATA
We are committed to safeguarding and protecting personal data and will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to protect any personal data provided to us from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Any third parties we share or have access to your personal data are bound by contractual obligations to maintain the security and confidentiality of that data.
10. YOUR RIGHTS IN RELATION TO THE PERSONAL DATA WE COLLECT
If you wish to:
(a) rectify, delete or obtain a copy of the personal data that we hold on you;
(b) restrict or stop us from using any of the personal data which we hold on you, including by withdrawing any consent you have previously given to the processing of such data;
(c) where any personal data has been processed on the basis of your consent or as necessary to perform a contract to which you are a party, request a copy of such personal data in a suitable format which can be ported to another operator, you can request this by contacting us at the details below.
We endeavour to respond to such requests within one month or less, although we reserve the right to extend this period for complex requests.
In any of the situations listed above, we may request that you prove your identity by providing us with a copy of a valid means of identification for us to comply with our security obligations and to prevent unauthorised disclosure of data.
We reserve the right to charge you a reasonable administrative fee for any manifestly unfounded or excessive requests concerning your access to your personal data, and for any additional copies of the personal data you request from us.
Withdrawing your consent or objecting to processing
Where you have provided us with your consent, you have the right to withdraw this at any time. This will not affect the lawfulness of any processing performed before your withdrawal.
If you withdraw your consent for marketing communications and/or our newsletter (see paragraph 7 above), we will not be able to send you any further marketing communications unless you re-subscribe, and you may miss out on important offers and deals which are of interest to you.
Where we rely on your explicit consent to process your sensitive personal data to provide you with passenger assistance services and you withdraw such consent, we will no longer be able to provide you with the assistance you have requested unless an alternative legal basis applies to such processing.
You have the right to object to processing based on legitimate interests. [Gits to finish]
Failure to provide personal data
In certain circumstances it will be necessary for you to provide us with your personal data, to enable us to manage our operations, to provide services to you or to comply with our statutory obligations. In other circumstances, it will be at your discretion whether you provide us with personal data or not. However, failure to supply any of the personal data we request may mean that we are unable to maintain or provide services or products to you.
11. KEEPING YOUR PERSONAL DATA UP TO DATE
We make every effort to maintain the accuracy and completeness of your personal data and to ensure all of your personal data is up-to-date. However, you can assist us with this considerably by updating your data through your online account or otherwise on our website (where possible), or promptly contacting us if there are any changes to your personal data or if you become aware that we have inaccurate personal data relating to you.
12. HOW LONG WE WILL HOLD YOUR PERSONAL DATA FOR
We will retain your personal data only as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements.
13. HOW WE UPDATE OR CHANGE THIS PRIVACY NOTICE
We may change or update parts of this Privacy Notice to maintain our compliance with applicable law and regulation or following an update to our internal privacy practices.
We will do this by updating this Privacy Notice on our website. You will not necessarily be directly notified of such a change. Therefore, please ensure that you regularly check this Privacy Notice so you are fully aware of any changes or updates.
15. HOW YOU CAN CONTACT US
If you have any queries about the contents of this Privacy Notice, wish to inform us of a change or correction to your personal data, would like a copy of the personal data we collect on you or would like to raise a complaint or comment, please contact us via email at firstname.lastname@example.org or writing to us at Evergreen Building North, 160 Euston Road, London, NW1 2DX.
16. HOW TO LODGE COMPLAINT TO THE SUPERVISORY AUTHORITY
You are entitled to lodge a complaint with our data protection supervisory authority if you consider that we have breached your data protection rights. Our data protection regulator is the Information Commissioner's Office, which can be contacted at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
17. CHANGES TO THIS PRIVACY NOTICE
We keep our Privacy Notice under regular review. This Privacy Notice was last updated on September 24th 2018.