Privacy Policy

London North Eastern Railway, East Coast House, 25 Skeldergate, York, YO1 6DH, (“LNER”, “we”, “us” and “our”) values the personal information you provide to us and wouldn’t want to use your personal data in a way that you wouldn’t expect. This Privacy Policy explains what we do with your personal information, what our lawful reasons are for this under data protection laws, what your rights are under data protection laws and how you can exercise them, and how you can control the way we use your personal information.

“Personal information” or personal data (these two terms are used interchangeably) is any information that relates to an identifiable natural person. Your name, address and contact details are all examples of your personal data.

The term “process” means any activity relating to personal data, including, by way of example, collection, storage, use and transmission.

LNER is a "controller" of your personal data. This means that we make decisions about how and why we process your personal data and, because of this, we are responsible for making sure it is used in accordance with data protection laws.

We have appointed a data protection officer. If you have a question about how your personal information is used or if you wish to exercise your rights under data protection laws, please contact us or our data protection officer using one of the methods below:

  • Send an email to our Data Safe team
  • Write to us at Data Safe, East Coast House, 25 Skeldergate, York, YO1 6DH

We are listed on the Information Commissioner’s Office (“ICO”) register of fee payers. Our registration number is ZA429672.

 


 

Where and how we collect your personal information

Collection from you. We collect personal information about you in several ways:

  • When you fill in a form on our website or contact us via phone, email or another method
  • When you register with us and fill in a form on our website or mobile app, whether directly or via a social media account
  • When you subscribe to our services
  • When you purchase anything from us (this includes the purchase of tickets)
  • When you opt in to receive marketing messages, ticket alerts, or news by email, post, SMS or other means
  • When you register with us to use our Wi-Fi services
  • When you enter a competition or promotion, or fill in a survey run by us or on our behalf
  • When you browse our website or app, or use our onboard, lounge or station Wi-Fi
  • When you open or click on any emails or push notifications we send you.

Collection from the device used to access our website or used on our trains to access Wi-Fi. Please see the next section, where we describe website information and how we collect it. This information is collected from the device you use to access our website, including when you are travelling on our trains or when you use Wi-Fi on our trains.

Collection from publicly available sources. We also collect your personal information from other organisations and sources, including publicly available sources, for example when you contact us through a social media company such as Facebook, Twitter, LinkedIn or Instagram. Before providing information to us via these channels, you should check these companies’ privacy policies and settings to understand how they use your personal information.

Collection from law enforcement agencies/rail station operators. We may also obtain or collect your personal information from law enforcement agencies (including the police and the British Transport Police) and from rail station operators if you are involved in any incidents when you are on our trains or otherwise at the train stations from where we operate our rail passenger services.

Collection from Virgin Trains East Coast: LNER has taken over the rail franchise from the East Coast Main Line Company Limited, trading as Virgin Trains East Coast (as mentioned in emails to you). This means that LNER will have obtained your personal data from Virgin Trains East Coast if you were a passenger and/or if you had signed up for newsletters or alerts (or other marketing) previously and if your details were for this reason included in the passenger databases or marketing databases of Virgin Trains East Coast.

Collection via CCTV. When your image is captured on CCTV on our trains or in rail stations we will be able to view that image. More details on this are given below.

 

What personal information do we hold about you?

We collect personal information in relation to the following broad categories:

  • Contact information
  • Payment card information
  • Website information
  • Sensitive information (known as ‘special categories of personal data’ and ‘criminal convictions and offences data’ under data protection laws).
  • CCTV information

Here are the particular types of personal information we collect within the categories above.

Contact information; payment card information. When you fill in a form or buy tickets, we normally ask you to provide us with:

  • Your name
  • Your contact details including your address, phone number, email address
  • Your bank or credit card details (if you're buying tickets or other items from us), including billing information
  • Details of how you would like us to contact you.

We don’t collect age information (except in the case of alcohol-related competitions, promotions or sales), but it is possible that this would be provided to us by law enforcement agencies/rail station operators, or in the course of ticket examinations carried out by authorised staff where a breach of Railway laws has occurred.

We recognise that young people use our services and are legally able to provide consent after the age of 13 years. If you are using our travel services and are aged between 13 and 16 years of age, we recommend that you read our terms and conditions because they are relevant to you in the same way as to other passengers.

Sensitive information. If you need help with things like getting on and off a train, you may choose to give us confidential information about medical conditions and the type of assistance you require.  All UK train companies use a system called Passenger Assist to book help on stations and on trains for all services. This makes sure that if you book help in advance, our staff on stations and on the trains know that you're travelling, where you are seated on the train, any connections you have to make, and the help you need.  You have the option to save those assistance details to your account, and can edit or remove them at any time. If you commit or are suspected of committing or are the victim of a fraud or other crime or other serious incident on our trains or in railway stations or in relation to your delay repay claim or ticket purchase we will process information about that too in relation to you.

Website information. When you visit our website or use our Wi-Fi services, we may collect the following information automatically:

  • Technical information, including the IP address (which is a category of personal information) which is used to connect your computer to the Internet, your login information, the browser you’re using, time zone setting, browser plug-in types and versions, the operating system and the train that you're on
  • Location data and Wi-Fi usage
  • Information about your visit that will help us to improve our service and make your online experience more relevant. This can include your approximate geographical location, the date and time you visited, which of our products you looked at or searched for, which pages you looked at, how long you spent on certain pages, and how you clicked to, through, and from our website.

In our communications with you by email, SMS, or push notification, we automatically collect data relating to:

  • How you interact with our communications, such as which emails you opened or clicked a link within, and how long the email was opened for
  • Where you are when you interact with our messages
  • What type of device, model and operating system you’re using.

We also collect information about your visits to our websites using cookies. More information about how we use cookies and how you can change your settings can be found in our Cookie Policy.

While we mainly use the personal information that you give us about yourself, we may sometimes use other sources of information about our customers and prospective customers where you've given your permission for your data to be shared. We do this to help us understand more about our customers, to ensure that our messages are relevant, and to make sure that the marketing information we send you, with your consent, is also relevant. We take great care in sourcing this information, but if you prefer us not to use your data in this way, please let us know by emailing our Data Safe team.

 

CCTV information.

We employ CCTV on our trains and in our stations in order to:

  • prevent, deter and detect crime
  • apprehend and prosecute offenders, and provide evidence to take action in the courts
  • help provide a safer environment for our staff
  • protect public safety
  • monitor operational and safety-related incidents
  • assist with the verification of claims.

You have the right to make a Subject Access Request for CCTV images of yourself and to ask for a copy of them. Please direct any such request to our Data Safe team.

We reserve the right to withhold information where permissible by the applicable data protection laws, and we will only retain CCTV images for a reasonable period (this means 28 days or less) or for longer as is required by law or to protect our own legitimate interests. For more details please see below. In certain circumstances, we may need to disclose CCTV images to law enforcement agencies. When this is done, there is a statutory requirement for the organisation that has received the images to adhere to the relevant data protection laws.

 

General overview: Our legal basis for using your personal information

Here is a broad overview of the data protection law reasons we have for using and otherwise processing your personal information. In the next section we will explain the purposes for which we use and otherwise process it and which of the following legal reasons apply to justify that.

Under UK data protection law, we must have a valid basis for using your personal information and we may not collect, store or use information other than as described in this policy. There are seven ways we may have a valid basis for using your personal information:

  1. Fulfilling the contract: Most of the information we collect from you is necessary to allow us to fulfil our contract with you or to enter into a contract with you e.g. you provide a billing address when you purchase tickets via our website; we may need to contact you to notify you about changes to our services. We may also need information from you to ensure that we can provide you your tickets in the event you have lost important information like your booking reference. Essentially, we need that information to ensure you’re the real you and provide assistance to you post purchase.
  2. Consent: When you register and open an online account with us you will be invited to give your consent to use your personal information as described in ‘How we use your personal information for marketing’ below. By opting in you are giving your permission for us to process your data using ‘consent’ as our legal basis. If you have given consent to our use of your personal information, you are entitled to withdraw this consent at any time. There are more details about withdrawing that consent below.
  3. Legitimate interest: We may also have a legitimate interest in using your personal information e.g. to ensure that the content on our website is presented to you and your computer as effectively as possible. Sometimes the legitimate interests will be those of third parties for instance when we share personal information about you with a replacement operator of the rail franchise (this includes our trains and our stations) for our legitimate interests in sharing our passenger database(s) with any replacement operator and for the incoming provider’s legitimate interest in having that personal information in order to fulfil its contractual obligations under the franchise arrangement (which is a contract with The Secretary of State for Transport). If this is our reason for using your personal information, we must make sure that our interests do not override yours and you can object to this use of your personal information. We are required by data protection laws to explain each of the legitimate interests we rely upon. Please see the next section for this detail.
  4. Legal obligation: We may have a legal obligation to use your personal information in certain ways or to protect your interests e.g. we may exchange information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
  5. Vital interests: If it is necessary for us to use and share your sensitive information with law enforcement agencies, next of kin who can be identified or medical professionals in order to protect your vital interests (for instance in an emergency situation where you are taken ill on a train or in a station or when a major incident has occurred), we will do so.
  6. Reasons of substantial public interest: If it is necessary for us to use and share your sensitive information with law enforcement agencies, next of kin who can be identified or medical professionals, for substantial public interest reasons, we will do so; likewise in order for us to adhere to and deal with the system called Passenger Assist to book help on stations and on trains for all services; likewise in order for us to know information about fraud or other crimes or other serious incidents on our trains or in railway stations or in relation to your delay repay claim or ticket purchase.
  7. Explicit consent: If we have your explicit consent in relation to your sensitive information that is relevant to Passenger Assist we will rely on this as the legal basis for our use of that sensitive information.

Under data protection laws you have the right to withdraw your consent at any time including when we rely on this for our marketing communications. The consequence of this is that we would not be able to send you any further marketing communications unless you re-subscribed. If we rely on your explicit consent for Passenger Assist and you withdraw that then unless an alternative legal basis applies (such as reasons of substantial public interest) the consequence will be that we cannot provide all the assistance we would like to give under that system.

 

For what purposes do we use your personal information and what is our legal basis for this

Here is a broad overview. We use the personal information you provide to:

  • respond to your enquiries and/or complaints
  • fulfill the service or provide the information you’ve requested 
  • handle the administration of your payment, issue your tickets/products, or confirm orders
  • send you information and communications (including service communications and direct marketing communications)
  • contact you when we have updated this Policy and consider whether it is necessary to advise you about any changes to the way we are processing your personal data
  • alert you about your booked journeys or tickets coming on sale
  • provide post-sales support and deal with any complaints, refunds or other ticketing or travel issues
  • personalise your experience of our website by using your purchases and browsing activity to make recommendations that we think may be of interest to you
  • improve our website and the range of services and products we provide
  • carry out market research and survey related activities
  • analyse and optimise our marketing activities
  • facilitate loyalty schemes
  • contact you with your consent to tell you about our super savings, loyalty programmes and partners, latest news, events and personalised travel suggestions, services and special offers where you have given us permission to do so
  • ensure our technical helpdesk can assist you if you have trouble with the Wi-Fi service
  • help you in an emergency situation or by way of Passenger Assist
  • deal with law enforcement agency requests for CCTV and otherwise deal with crimes and other serious incidents on our trains or at our stations

 

Here we explain these use purposes by reference to the legal basis we rely upon under data protection laws.

 

Your consent

Purposes of processing

Contact Information and payment card information

  • Send you information and communications (including service communications and direct marketing communications) (Where we send you direct marketing)
  • Alert you about your booked journeys or tickets coming on sale (Where we send you the alert at your request and with your consent about tickets coming on sale)
  • Contact you with your consent to tell you about our super savings, loyalty programmes and partners, latest news, events and personalised travel suggestions, services and special offers where you have given us permission to do so (Where we send you direct marketing)

Website Information

  • Marketing and partner services (So we can link to services provided by third parties such as social networks and direct marketing)

To perform a contract with you

Purposes of processing

Contact Information and payment card information

  • Responding to your enquiries and/or complaints
  • Fulfill the service or provide the information you’ve requested
  • Handle the administration of your payment, issue your tickets/products, or confirm order
  • Provide post-sales support and deal with any complaints, refunds or other ticketing or travel issues
  • Facilitate loyalty schemes (So you can earn loyalty points when you book, and use points to buy eVouchers to pay for tickets)
  • To ensure our technical helpdesk can assist you if you have trouble with the Wi-Fi service (If you have paid to use Wi-Fi we are in a contract with you for this and we need to provide Wi-Fi under that contract)

All categories

  • For our general record-keeping and passenger relationship management
  • Resolving any complaints from or disputes with you
  • To share your personal data with third parties (such as our service providers who assist us administer or process ticket purchase or refund or delay repay claim transactions on our behalf)

To comply with a legal obligation

Purposes of processing

Contact Information and payment card information

  • Contact you when we have updated this Policy and consider whether it is necessary to advise you about any changes to the way we are processing your personal data

CCTV Information

We employ CCTV on our trains and in our stations in order to:

  • prevent, deter and detect crime
  • apprehend and prosecute offenders, and provide evidence to take action in the courts
  • help provide a safer environment for our staff
  • protect public safety
  • monitor operational and safety-related incidents
  • assist with the verification of claims

(We have a legal obligation to protect the safety of passengers and to keep our trains and stations operating safely and efficiently and we may have requests for sharing of CCTV with law enforcement agencies based on a court order or statutory compulsion)

All categories

  • Establishing and enforcing our legal rights (We have a legal obligation to keep our trains and stations operating safely and efficiently and we have a number of other legal rights)
  • To comply with requests made by you when exercising your legal rights (such as those contained within this Privacy Policy)
  • Complying with instructions from law enforcement agencies, any court or otherwise as required by law (In addition see reference to sensitive information and CCTV in table below)
  • Managing the proposed sale, restructuring or merging of any or all part(s) of our business, including to respond to queries from the prospective buyer or merging organisation
  • To keep records required by law or to evidence our compliance with laws, including tax laws, consumer protection laws and data protection laws

For our legitimate interests

Purposes of processing

Contact Information and payment card information

  • Responding to your enquiries and/or complaints (It’s important that we can respond to you in relation to such matters)
  • Fulfill the service or provide the information you’ve requested (It’s important that we can respond to you in relation to such matters)
  • Handle the administration of your payment, issue your tickets/products, or confirm order (It’s important that we can respond to you in relation to such matters)
  • Send you information and communications (including service communications and direct marketing communications) (It is important to keep you updated of ticket purchases and orders made with us and notified of factual updates to our contract and our engagement with you for those purposes)
  • Alert you about your booked journeys or tickets coming on sale (Where we need to send you information only communications to keep you updated of ticket purchases and orders made with us and notified of factual updates to our contract and our engagement with you for those purposes)
  • Provide post-sales support and deal with any complaints, refunds or other ticketing or travel issues (We have a legitimate interest to make sure passengers are happy with the service)
  • Personalise your experience of our website by using your purchases and browsing activity to make recommendations that we think may be of interest to you (We have a legitimate interest to make sure passengers are happy with the service)
  • Improve our website and the range of services and products we provide (We have a legitimate interest to make sure passengers are happy with the service)
  • Carry out market research and survey related activities (We have a legitimate interest to make sure passengers are happy with the service)
  • Analyse and optimise our marketing activities (We have a legitimate interest to make sure passengers are happy with the service)
  • Facilitate loyalty schemes (We have a legitimate interest to make sure passengers are happy with the service)
  • To ensure our technical helpdesk can assist you if you have trouble with the Wi-Fi service (We need to ensure the Wi-Fi functions correctly)

Website Information

  • Ensure the operation and performance of the Website (please also see our cookie policy) (We need to ensure the Website functions correctly)
  • To improve the functionality of the Website (It is in our interest to keep the Website up to date and improve its functionality for the benefit of users)

CCTV Information

We employ CCTV on our trains and in our stations in order to:

  • prevent, deter and detect crime
  • apprehend and prosecute offenders, and provide evidence to take action in the courts
  • help provide a safer environment for our staff
  • protect public safety
  • monitor operational and safety-related incidents
  • assist with the verification of claims

(It is in our interest to deal with all these matters and it is in the legitimate interest of law enforcement agencies to have CCTV in some cases where they do not have a court order or statutory compulsion)

All categories

  • For our general record-keeping and passenger relationship management (We need to store passenger related information so we can refer back to it)
  • Managing the proposed sale, restructuring or merging of any or all part(s) of our business, including to respond to queries from the prospective buyer or merging organisation (We have a legitimate interest in being able to sell any part of our business)
  • When we share personal information about you with a replacement operator of the rail franchise (this includes our trains and our stations) (This is for our legitimate interests in sharing our passenger database(s) with any replacement operator and for the incoming provider’s legitimate interest in having that personal information in order to fulfil its contractual obligations under the franchise arrangement (which is a contract with The Secretary of State for Transport))
  • Resolving any complaints from or disputes with you (We need to be able to try and resolve any complaint or dispute you might raise with us)
  • To share your personal data with third parties (such as our service providers who assist us administer or process ticket purchase or refund or delay repay claim transactions on our behalf) (Where it is not required by law or to comply with our contract with you, we will have a legitimate interest to outsource some of our processing in order to provide you with the best service in a manner most cost effective to our business)

We may also use information in aggregate, where personally identifiable information is removed, for marketing and strategic development to improve and support our business. We may also convert your personal information into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable from it. Anonymised data cannot be linked back to you. We may use it to conduct research and analysis, including to produce statistical research and reports. For example, to help us determine the appropriate target markets for our services. We do this conversion into anonymised form for our legitimate interests which we have explained here.

 

 

Sensitive information (this is the term we use to mean special categories and criminal convictions and offences data) - lawful basis

 

Purposes of processing

  • Helping you in an emergency situation
  • Helping you by way of Passenger Assist
  • Dealing with law enforcement agency requests for CCTV
  • Dealing with fraud or other crime or other serious incident on our trains or in railway stations or in relation to your delay repay claim or ticket purchase

Lawful basis

  • You have given your explicit consent to the processing
  • It is necessary to protect somebody’s vital interests or they are incapable of giving consent
  • It is necessary for the establishment, exercise or defence of legal claims
  • It is necessary for reasons of substantial public interest

How we use your personal information for marketing

We use your personal information for marketing where we have your consent for this.

Where you’ve given us permission to do so, we use some of your personal information for marketing. For example, we may use information like name, address, location and past journeys to ensure we make our marketing relevant, accurate, and measure its effectiveness.

The marketing content may include tailored marketing messages about travel offers, ideas and news, and is dependent on the consent you have given us.

By using the information you provide, we may contact you with specific marketing messages about travel offers, ideas and news, depending on the consent you have given us. This may be by post, email, phone, SMS, social media, or other means.

We also use your personal information to provide personalised experiences on our website, and to show you offers or rewards which are relevant to you.

If you’ve given us your consent to use your personal information for marketing, you have the right to withdraw your consent at any time by contacting our Data Safe team. You can click the “unsubscribe” link in our marketing emails. You can reply STOP to a text message which is a marketing communication (distinct from an information-only message such as a passenger update communication about your ticket for travel). You can also log in to your account on our website at any time to update your marketing opt-in permissions.

If you’re a corporate customer and would like to opt out of marketing, please send your request to us. You can call, email or write to our Data Safe team.

 

Sharing your personal information

We may ask third parties to carry out certain business functions for us, such as the administration of our website and IT support. These third parties will process your personal data on our behalf and this means they are our data processors under data protection laws. We will disclose your personal data to these parties so that they can perform those functions. Before we disclose your personal data to these third parties, we will seek to ensure that they have appropriate security standards in place to protect your personal data. Examples of these third party service providers include our outsourced IT systems software and maintenance, back up, and server hosting providers.

In certain circumstances, we will also disclose your personal data to third parties who will receive it as data controllers of your personal data in their own right, where the relevant disclosure is in relation to the following:

(a) sharing of your personal information with a replacement operator of the rail franchise (this includes our trains and our stations) as mentioned above; this means we may share it with any company who takes over the LNER franchise to enable them to use that information for their legitimate interest in operating the franchise and in order to comply with the contract they have with the Secretary of State for Transport; we operate our rail franchise for a given period under license from the Secretary of State for Transport; if at the end of that period the franchise is granted to another rail operator and we are required to disclose your personal information to the new operator and/or franchising authority; they are required to process your data lawfully and as described in this Privacy Policy;

(b) purchase or sale of our business (or part of it) in connection with a share or asset sale, for which we may disclose or transfer your personal data to the prospective seller or buyer and their advisors; and

(c) the disclosure of your personal data in order to comply with a legal obligation, to enforce a contract or to protect the rights, property or safety of our employees, customers or others.

In summary, we have set out below a list of the categories of recipients with whom we share personal data:

(a) replacement operator of the rail franchise;

(b) payment processors in relation to card payments for ticket purchases you make with us;

(c) IT support and data hosting providers and administrators;

(d) other service providers as follows:

(e) mailing houses to send you pre-booked tickets

(f) website development and hosting companies which we use to administer our website content, including personalised messaging

(g) our onboard Wi-Fi supplier

(h) agencies which we use to manage season tickets and loyalty programmes

(i) agencies which we use to analyse traffic on our website and use of our services

(j) customer feedback and market research organisations

(k) the organisations that run our online ticket booking systems

(l) the organisation that sends our booking confirmation emails, registration emails, etc.

(m) agencies supporting customer service activity carried out by rail staff

(n) suppliers who we use to help us with marketing:

(i) an email service provider to send our emails and make sure you only receive what you have asked for 

(ii) a mailing house to send out marketing by post

(iii) a telemarketing agency to contact you by phone or SMS

(iv) online media owners who help us target, deliver and track our marketing campaigns using cookies. You can view our cookie policy.

(o) consultants and professional advisors including legal advisors and accountants;

(p) courts, court-appointed persons/entities, receivers and liquidators;

(q) business partners and joint ventures;

(r) insurers; and

(s) governmental departments, statutory and regulatory bodies including (in the UK) Department for Work & Pensions, Financial Conduct Authority, Information Commissioner’s Office, the police and Her Majesty’s Revenue and Customs.

All personal information sent to suppliers is transferred securely. Where suppliers are our data processors we require these companies to comply strictly with our instructions and they are not allowed to use your information for their own business purposes. We also require these companies to have sufficient organisational and technical measures in place to ensure the security of your personal information.

Where is your personal information

Your personal information may be transferred outside the UK and the European Economic Area. Whilst some countries already have adequate protections for personal information under applicable laws, in other countries steps will be necessary to ensure appropriate safeguards apply to maintain the same levels of protection as are needed under data protection laws in the UK.

Safeguards can include contractual obligations imposed on the recipients of your personal data. Those obligations require the recipient to protect your personal data to the standard required in the European Economic Area. Safeguards can also include requiring the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing and where the framework is the means of protection for the personal information. For more information about what those appropriate safeguards are, how to obtain a copy of them, or where they have been made available, you can call, email or write to our Data Safe team.

 

Your rights regarding our use of your personal information

Your personal information is protected under data protection law and you have a number of rights. You should be aware that these rights do not apply in all circumstances. If you seek to exercise one against us it will at that stage be explained to you whether or not the right does apply to you based on the facts. Your rights are as follows:

  • The right to be informed - including about our processing of your personal information. That is the reason for this Privacy Policy.
  • To have your personal information corrected if it is inaccurate and to have incomplete personal information completed in certain circumstances.
  • The right in some cases to object to processing of your personal information (as relevant). This right allows individuals in certain circumstances to object to processing based on legitimate interests, direct marketing (including profiling) and processing for purposes of statistics.
  • The right in some cases to restrict processing of your personal information, for instance where you contest it as being inaccurate (until the accuracy is verified); where you consider that the processing is unlawful and where this is the case; and where you request that our use of it is restricted; or where we no longer need the personal information.
  • The right to have your personal information erased in certain circumstances (also known as the “right to be forgotten”). This right is not absolute – it applies only in particular circumstances and where it does not apply any request for erasure will be rejected. Circumstances when it might apply include where the personal information is no longer necessary in relation to the purpose for which it was originally collected/processed, if the processing is based on consent which you then withdraw, when there is no overriding legitimate interest for continuing the processing, if the personal information is unlawfully processed, or if the personal information has to be erased to comply with a legal obligation. Requests for erasure will be refused where that is lawful and permitted under data protection law for instance where the personal information has to be retained to comply with legal obligations or to exercise or defend legal claims.
  • To request access to the personal information held about you and to obtain certain prescribed information about how we process it. This is more commonly known as submitting a “data subject access request”. This right will enable you to obtain confirmation that your personal information is being processed, to obtain access to it, and to obtain other supplementary information about how it is processed. In this way you can be aware of and you can verify the lawfulness of our processing of your personal information.
  • To move, copy or transfer certain personal information. Also known as “data portability”. You can do this where we are processing your personal information based on a consent or a contract and by automated means. You should note that this right is different from the right of access (see above) and that the types of information you can obtain under the two separate rights may be different. You are not able to obtain through the data portability right all of the personal information that you can obtain through the right of access.
  • Rights in relation to some automated decision making about you including profiling (as relevant) if this has a legal or other significant effect on you as an individual. This right allows individuals in certain circumstances to access certain safeguards against the risk that a potentially damaging decision is taken without human intervention.
  • The right to complain to the Information Commissioner’s Office who has the power to investigate whether we are complying with the data protection law. You can do this if you consider that we have infringed it. You can visit its website for more information: https://ico.org.uk/

For more information about all of these rights and how to exercise them against us, you can contact the Data Safe team.

 

Additional information about Accessing your Data by Subject Access Request (SAR)

You have the right to request a copy of the information that we hold about you. This is known as a Subject Access Request (SAR). We will provide this to you free of charge (except in some very limited cases such as repeat or vexatious requests) once we have confirmed your identity within one month of receipt of your request (except in some very limited cases, such as requests which are so broad that it is impossible to deal with them within one month; in that case we will send you the personal data that we can send within one month, keep you updated, and provide the remaining data as soon as we possibly can, where this is permitted under data protection laws and subject to codes of practice and guidance from the ICO).

If you would like a copy of some or all of your personal information, please email our Data Safe team, or write to us. Unless you specify otherwise we will provide your personal information electronically. In particular, if you send your SAR to us in an electronic way (e.g. email or social media) we will provide your personal information electronically.

If we do hold personal information about you we will:

  • give you a description of it
  • tell you why we are holding it
  • tell you who it could be shared with
  • tell you how long we will keep the information
  • if the information was not provided by you, we will give you any available information such as the source of the data
  • tell you if the information has been used for automated decision making
  • tell you if the information is stored outside of the European Economic Area, and if so what safeguards are in place to protect your personal information
  • let you have a concise and clear copy of the information.

 

How we keep your personal information up-to-date

We have a legal obligation to keep the personal information we collect accurate and up-to-date. You have the right to ask us to correct any inaccuracies in the personal information we hold about you and to restrict the use of your information until it has been corrected.

The simplest way to keep your data accurate is to log in to your account on our website at any time to update your data. You can also update your data by contacting our Data Safe team.

We keep your information accurate as follows:

  • By giving you the opportunity at any time to contact us to correct or change your information
  • If you contact us we may ask you to confirm certain details. 
  • When we receive undelivered mail or email we will update our records accordingly.

 

How we keep your personal information safe

We use administrative, electronic and physical security measures to ensure the information we collect about you is protected from access by unauthorised persons and protected against unlawful processing, accidental loss, destruction and damage.

How long we keep your personal information

We need to keep your personal information for as long as necessary to fulfil the purposes for which it was collected (and those purposes are as described above). This includes retaining it in order to comply with legal and regulatory requirements and in case of claims. If you would like further information about our data retention policy you can contact our Data Safe team.

The criteria we use to determine data retention periods include:

  • Retention for the duration of the contract. We will retain the personal information relevant to your ticket booking until you have made your journey and for a necessary period in case of delay repay claims or in case of complaints or disputes about your journey. We will not retain it after that necessary period unless we need to for the reasons below.
  • Retention in case of claims. We will retain certain of your personal information for the period in which you might legally bring claims against us. We will not retain it after that unless we need to for the reason below.
  • Retention in accordance with legal and regulatory requirements. We will retain your personal information in case of a legal or regulatory requirement.
  • CCTV. We will usually retain CCTV images for up to 28 days. In rare cases we may retain them for longer. We will do this for instance when we have been asked to share a copy of CCTV images with law enforcement agencies including the police or British Transport Police and when we in turn retain those images because of a crime or other serious incident on our passenger trains or in our stations.

 

What to do if you have a complaint about our use of your personal information

If you have a complaint about the information we hold or how we use that information, please contact our Data Safe team who will deal with your request promptly. If you are not satisfied with the way your complaint was handled, you can refer your complaint to the ICO. Please see the details above. 

 

Links to other websites

We may link from our websites directly to other sites. For instance there is a link to the ICO’s own website within this Privacy Policy. This Privacy Policy does not cover other websites and organisations we may link out to from our websites or apps. We strongly encourage you to read the privacy statements on the other websites you visit.

 

Changes to this privacy policy

We keep our Privacy Policy under regular review. This Privacy Policy was last updated on 29 August 2018.