Privacy Notice

Greater Anglia (“GA”) is committed to protecting and respecting your privacy when you use our services.

In practice, this means that all personal data which we hold about you will be:

  • used lawfully, fairly and in a transparent way.
  • collected only for valid purposes that we have clearly explained to you and not used in a way which is incompatible with those purposes.
  • relevant to the purposes we have told you about and limited only to those purposes.
  • accurate and kept up to date.
  • kept only as long as necessary for the purposes we have told you about; and
  • kept securely.

This Privacy Policy explains:

  • what personal data we collect from you when you use our website, apps, visit our stations, travel on our trains, contact us, use our services, or Wi-Fi.
  • how we will collect and use that information.
  • how we keep information secure; and
  • how you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint.
  • Information we may collect from you.
  • How we use your information.
  • Sharing or disclosure of your information.
  • Types of information we collect:
    • CCTV
    • Website visits and purchases
    • Ticket office purchases
    • Revenue Protection and Penalty Fares
    • Customer Relations database
    • Station Help and Assistance Information Points
    • Station and Train Wi-Fi
    • Personal data to aid recruitment for jobs in GA
  • Where we store your personal information
  • Information Security
  • Your rights

For the purposes of the Data Protection Law, the data controller is:

Transport UK East Anglia Limited t/a Greater Anglia, St. Andrews House, Second Floor, 18-20 St Andrew’s Street, London, EC4A 3AG

Our Data Protection Manager (DPM) can be reached at:

Transport UK East Anglia Limited, 11th Floor, One Stratford Place, Montfitchet Road, London, E20 1EJ

[email protected]

Our nominated Data Protection Officer (DPO) can be reached at:

Transport UK, St Andrews House, Second Floor, 18-20 St Andrew Street, London, EC4A 3AG

More information about the General Data Protection Regulation and all related and subordinate legislation, as amended or re-enacted from time to time, can be found on the Information Commissioner’s website.

The Information Commissioner is our regulator for data protection matters.

“Personal Data” means any data about an individual from which that person can be identified. It does not include data where the identity of the person concerned has been removed (which is called “Anonymised Data”).

We may collect, use, store and transfer different kinds of personal data about you. These can be broken down into the following categories:

  • Identity Data includes first name, surname, username or similar identifier, title, date of birth, gender, and CCTV footage.
  • Contact Data includes billing address, delivery address, postcode, email address and telephone numbers.
  • Financial Data includes bank account and payment card details.
  • Transaction Data includes details as to your journeys, details about payments to and from you and other details of products and services you have purchased from us.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • Profile Data includes your username and password, purchases or orders made by you, any interests communicated to us to enable the personalisation of services, travel preferences, feedback, and survey responses.
  • Usage Data includes information about how you use the Website, products, and services.
  • Health Data includes information relating to your mobility and disability status to enable us to provide assisted travel and ensure that you receive the correct pricing and any information detailed within any accident reports that relates to personal injury or receipt of medical attention.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
  • When you apply to our Secure Cycle Compound Plus, which is optional, we will collect your full name, address, telephone number and email address. This is solely for us to provide you with this service.
  • Occasionally, GA will conduct photo shoots on our trains and stations which may include images of customers. However, before we do that, we would inform customers on the day at our stations. We use these photos for publicity purposes only.

We may collect and process information about you when you:

  • buy tickets.
  • travel on our services.
  • visit our stations or car parks.
  • use our website, apps, or Wi-Fi.
  • buy a product from us or make a sales enquiry.
  • contact Customer Relations.
  • enter a competition.
  • sign up to receive updates or marketing.
  • are involved in an accident/injury/incident on our network.
  • are in breach of Greater Anglia bylaws or any other applicable law; or
  • apply for a job/vacancy at GA.

We collect information such as your contact details, ticket purchases, stations visited (for example for charging the correct fares on smart cards), payment and refund details. We may require additional details for some services, such as your age for age restricted tickets. This information is generally provided by you.

We may also process personal data that you choose to make public including via social media.

We may also collect personal data through automated technologies or interactions with our Website, Apps and Wi-Fi.

Sometimes we obtain details through third parties, who provide your data to us. This might include other members of our Group as well as our service providers.

We collect, where necessary, Special Category Data which includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We do not seek to collect or otherwise process your Special Category Data, except where:

  • we have obtained your explicit consent prior to processing your Special Category Data (e.g., you consent to us processing your Health Data to provide travel assistance services to you).
  • the processing is necessary for compliance with a legal obligation.
  • the processing is necessary for the detection or prevention of crime (including the prevention of fraud) to the extent permitted by applicable law.
  • you have manifestly made those Special Category Data public.
  • the processing is necessary for the establishment, exercise, or defence of legal rights; or
  • processing is necessary for reasons of substantial public interest and occurs based on an applicable law that is proportionate to the aim pursued and provides for suitable and specific measures to safeguard your fundamental rights and interests.

We process your personal data based on our legitimate interests to provide our services to you in an efficient and secure manner.

We have set out below a list of some of the ways we may use your personal data and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.

In some cases, we may use more than one legal basis for processing your personal data; this will depend on the specific purpose for which we are using your personal data. If you have any queries about the specific legal basis that we rely on for processing your personal data, please email [email protected].

What we use your personal data for (purpose), the type of data, and the legal basis for processing (including basis of legitimate interest):

To register you as a new customer

  • Type of data: Identity; Contact
  • Legal basis for processing: Contract Performance

To carry out our obligations arising from any contracts entered between you and us including: managing payments, paying refunds or compensation, fees, and charges; collecting and recovering money owed to us; running fraud checks if we have reasonable suspicions; provide you with necessary information, products, and services that you request from us including, but not limited to, contacting you about your journey

  • Type of data: Identity; Contact; Financial; Transaction; Health; Marketing and Communications
  • Legal basis for processing: Contract Performance; Necessary for our legitimate interests (to recover debts due to us, to pay refunds or compensation owed to you and to prevent us facilitating fraud)

To respond to your enquiries or to process your requests in relation to your information

  • Type of data: Identity; Contact
  • Legal basis for processing: Contract Performance

To maintain a suppression list should you opt-out of receiving communications

  • Type of data: Identity
  • Legal basis for processing: Necessary for our legitimate interests (to ensure that we are not at risk of breaching data protection laws by communicating with you where you have asked us not to).

To manage our relationship with you which will include: notifying you about changes to our website, services, terms, or privacy notice; asking you to leave a review, take a survey or participate in market research

  • Type of data: Identity; Contact; Profile; Marketing Communications
  • Legal basis for processing: Performance of a contract with you; Necessary to comply with a legal obligation; Necessary for our legitimate interests (to recover debts due to us)

To help provide a safe environment for our employees and customers; to reduce the number of assaults on our employees during revenue enforcement duties; and to improve the quality of evidence available for submission to the authorities.

  • Type of data: Identity
  • Legal basis for processing: Necessary for our legitimate interests (to protect employee and customer safety and assist with the verification of claim)

To enable you to partake in a prize draw, competition or complete a survey

  • Type of data: Identity; Contact; Profile; Usage; Marketing and Communication
  • Legal basis for processing: Performance of a contract with you; Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)

To administer and protect our business and the Website (including training our employees, troubleshooting, data analysis, testing, system maintenance, security audits, support, reporting and hosting of data)

  • Type of data: Identity; Contact; Profile
  • Legal basis for processing: Necessary for our legitimate interest (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); Necessary to comply with a legal obligation; Performance of a contract with you

To conduct health and safety assessments and record keeping, and compliance with related legal obligations

  • Type of data: Identity; Contact; Profile; Health
  • Legal basis for processing: Necessary for our legitimate interest (in providing a safe and secure environment at our premises); Necessary for compliance with a legal obligation; Necessary to protect the vital interests of any individual

To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you

  • Type of data: Identity; Contact; Profile; Usage; Marketing Communications; Technical
  • Legal basis for processing: Necessary for our legitimate interest (to study how you use our products/services, to develop them, to grow our business and to inform our marketing strategy)

To use data analytics to improve the Website, products/services, marketing, customer relationships and experiences

  • Type of data: Technical; Usage
  • Legal basis for processing: Necessary for our legitimate interests (to define types of customers for our products and services, to keep the Website updated and relevant, to develop our business and to inform our marketing strategy)

To make suggestions and recommendations to you about goods or services that we feel may interest you (e.g. the provision and operation of referral marketing programmes, determining the effectiveness of promotional campaigns or advertising, etc)

  • Type of data: Identity; Contact; Technical; Usage; Profile; Marketing Communications
  • Legal basis for processing: Necessary for our legitimate interest (to develop our products/services and grow our business)

To establish, exercise and defend our legal rights

  • Type of data: Identity; Contact; Financial; Transactional; Technical; Profile; Usage; Health; Marketing Communications
  • Legal basis for processing: Necessary for compliance with a legal obligation; Necessary for our legitimate interest (for the purpose of establishing, exercising, or defending our legal rights)

Our Legitimate Interests

Running our business and Group businesses, in a safe and socially and environmentally responsible manner, efficiently, to provide sustainable and high quality, locally focused passenger transport services, improve and expand our services, be a leading employer in the transport sector, investing in and developing our staff, operating with financial discipline, and reducing crime and fraud to provide shareholder value, provide and improve customer services.

We use data processors to provide or assist with some of our services, for example, the processing of bookings and customer support. Where we do so, they must agree to strict contractual terms and to keep your data secure. These Processors may be based outside the EEA; where this is the case, your personal information will be protected by the appropriate international safeguards. Where we share data across our Group Companies, this is only in accordance with a written data sharing agreement.

We will only share or disclose your information as set out in this Notice or in accordance with DPL and will obtain your consent where we are required to do so. We will only use third parties to process information where we are satisfied that they comply with these standards and can keep your data secure.

We may share or disclose information for the following reasons:

  • To operate interoperable services - this includes use of some shared systems and processors, by the rail industry generally and overseen by the Rail Delivery Group.
  • To respond to your complaints or administer requests you have made, either to us or another regulatory body such as the Department for Transport, Passenger Focus, London Travelwatch, the Rail Complaints Ombudsman, or other Train Operating Companies (TOCs).
  • To process payment card transactions.
  • To comply with requests from the British Transport Police under an Information Sharing Protocol, ensuring that any disclosure is lawful.
  • To comply with the police or other law enforcement agencies for the purposes of crime prevention or detection; these are dealt with on a case-by-case basis, under a specific Information Sharing Protocol, to ensure that any disclosure is lawful.
  • To comply with other legal obligations, for example, relating to crime and taxation purposes or regulatory activity.
  • To protect our legitimate business interests, as outlined above.
  • Where required because of the sale, merger, or acquisition of business assets. As the Railway Industry is run on a system of franchises, we are required to transfer our customer data to a successor franchise, or the Secretary of State; this is so that they can take over and continue the running of the railway service.
  • In respect of information provided to us for marketing purposes only (including freely given consent), to the Department for Transport and/or any successor operator of the rail franchise in order that they may contact you for marketing purposes in the event that we cease to operate this rail franchise.
  • If you have agreed (via freely given consent) to receive information for competition, promotion, survey, or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to in the terms and conditions of the purpose; and
  • Where you have consented, to share with other members of the Transport UK Group (“Transport UK”), of which we are a member, where Transport UK has any services, promotions and offers which we feel may interest you.

1. CCTV

Camera systems we operate.

Our CCTV is used to capture, record, and monitor images of what takes place at our stations and car parks and on our trains, in real time. In limited circumstances, we use body worn cameras which make audio visual recordings.

Depending on the type of camera, images are recorded on video tape (analogue) or as digital information. Cameras can be fixed or set to scan an area. In some circumstances, they can be operated remotely by controllers.

Why we operate CCTV cameras.

We operate CCTV for the following purposes:

  • Health and safety of employees, passengers, and other members of the public.
  • Crowd management; and
  • Prevention and detection of crime and anti-social behaviour.

Camera locations

We operate cameras at the stations and car parks we manage and on some of the trains that we run.

We operate cameras at some of the stations and car parks across our network. For a full list of stations and car parks and operators, please visit https://www.greateranglia.co.uk/

Network Rail and other TOCs operate the cameras at some stations that our services stop at. These are shown below:

  • London Liverpool Street
  • Peterborough
  • Stratford
  • Kings Lynn
  • Seven Kings
  • Gidea Park
  • Harold Wood
  • Romford
  • Brentwood
  • Edmonton Green
  • Hackney Downs

We operate CCTV on some of the trains that we run.

Length of time CCTV footage is kept.

CCTV footage at stations and on trains is generally held for a maximum of 30 days from the time of recording.

Recordings from body worn cameras are generally held for a maximum of 30 days, unless required for legitimate business reasons.

How to access your CCTV personal data

You can request copies of images or footage of yourself by making a Data Subject Access Request.

Disclosing CCTV/personal data to the police

At our discretion, we may disclose CCTV/personal data in response to valid requests from the police and other statutory law enforcement agencies.

Before we authorise any disclosure, the police must demonstrate that the CCTV/personal data is necessary to assist them in the prevention or detection of a specific crime, or in the apprehension or prosecution of an offender.

Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the DPL.

Sharing CCTV footage with other third parties

Some of our CCTV infrastructure is shared with the British Transport Police, Local Authorities, Network Rail, and Car Park operators under a formal data sharing agreement.

In certain agreed circumstances, they may take control of a limited number of cameras and use them for activities such as the prevention and detection of crime and anti-social behaviour, policing major events and crowd control. GA is not responsible for the CCTV when it is in the control of a third party.

We may also disclose personal data to third parties if required to do so by law or if it is necessary for a legitimate purpose such as defending or bringing legal action. DPL allows us to do this where the request is supported by:

  • evidence of the relevant legislation
  • a court order.
  • satisfactory evidence and assurances of the legitimate interest.

Legitimate interest would include requests such as defending or making a legal claim, such as to insurers following a vehicle collision in a car park. When we are not required to provide CCTV, we will consider the circumstances and any potential harm to individuals. We may also charge a fee and seek indemnity for any use beyond that for which it is requested.

External guidelines and best practice

GA operates its CCTV systems in compliance with the CCTV Code of Practice issued by the Information Commissioner’s Office (ICO). The Code describes best practice standards which should be followed by organisations operating devices which view or record images of individuals. It also covers other information derived from those images that relates to individuals (for example vehicle registration marks).

2. Using Our Digital Services

This section shows the information we collect when you use our Websites, Apps, and On-train Wi-Fi. Before providing us with your details, please read the following important information regarding:

  • Collection of visitor information.
  • Hyperlinks.
  • Cookies; and
  • Other storage technologies

a) Collection of visitor information

We will only use the information that we collect about you lawfully, in accordance with the DPL.

The details you provide about yourself and any other information which identifies you (‘Personal Information’) is held by GA on this website (the "Site") for operational purposes, for example, account registration or processing payments. We may also use your Personal Information to personalise your experience on the Site by informing you of new products or services that we may think are of interest to you.

GA gathers general information about users, for example, what services users access the most and which areas of the GA site are most frequently visited. Such data is used in the aggregate to help us to understand how the GA site is used. We gather this information so that we can continue to improve and develop our services to the benefit of our users. We may make this aggregated information available to users of the GA site and to auditors. These statistics are anonymous and contain no personal information and cannot be used to gather such information.

When you register with GA, set up a travel alert, enter a competition, or buy a ticket, we ask for personal information such as your name, contact details, and other details. Once you register with GA and accept our Terms & Conditions, you are not anonymous to us. We may use information that you provide to alert you to our own products and services. We may contact you regarding site changes or changes to the GA products or services that you use.

If you buy a ticket online with GA, we will record your personal details and send you a confirmation email. Your personal data will be used principally to communicate with you with reference to your purchase.

You may opt-in to receive newsletters, exclusive discounts, special offers and other marketing emails from GA. You may unsubscribe at any time by logging in to your account and updating your preferences. Please note changes to your subscription preferences can take up to 14 days to take effect.

Alternatively contact our Customer Relations Team via our webform or by writing to the Customer Relations Team via email at [email protected].

b) Hyperlinks

We may provide hyperlinks from the site to third party websites. No liability is accepted for the contents of any site operated by a third party which may be accessed via links from the site. These links are provided for your convenience only and do not imply that GA approves or recommends the content of such sites. We encourage our users to be aware when they leave our site and to read the privacy statements of every website that collects personal data.

This Privacy Notice applies solely to information collected by GA.

c) Cookies

Our website uses cookies to help us provide you with a good experience when you browse our website and to allow us to improve our website.

What is a cookie?

A "cookie" is a small text file that is placed on your equipment when you visit a website (equipment like a computer, phone, or tablet). There are several types of cookies:

Necessary cookies

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies. These cookies are automatically enabled and cannot be blocked.

Preference cookies

Preference cookies are used to enable basic web browsing functionality such as navigating from one page to another or storing your website preferences. For example, we will use preference cookies to:

  • remember the products you purchase during online purchase.
  • remember and pass on the information that you enter during the log-in process or that you leave behind on the various web pages during the ordering process, so that you do not have to enter the same data every time.
  • save your preferences; and
  • detect abuse of our website.

Statistical cookies

These cookies are used to analyse your visit to - and interaction with - our website. For example, we may analyse the following:

  • the number of visitors to our website and how often they visit.
  • the duration of the visit
  • the order of the pages visited; and
  • whether the pages of a website need to be adjusted.

With the help of the information we collect using analytical cookies we can make our websites more user-friendly as well as identify and solve possible technical problems on the websites. One such tool we use to gather analytical information is Google Analytics. On the web, you can choose to opt-out of Google Analytics by installing Google’s opt-out browser add-on.

Marketing cookies

Our website is supported by advertising. Advertising cookies, often placed by third parties, are used to track visitors across different websites. This helps us offer relevant and engaging advertisements during your visit to our website.

d) JavaScript and Other techniques

In addition to cookies, GA also uses JavaScript and web beacons.

By using JavaScript in your browser we can make our sites interactive and develop applications for the web.

A web beacon is a small graphic image on our sites. By means of this image, we can, for example, determine how many visitors saw the page at which times. These techniques can also be used for marketing and tracking purposes.

Cookies from external parties

Some of the cookies are placed with the consent of GA by third parties with the aim to bring certain products and services to your attention or to give you direct access to social media:

For the cookies that these external parties place, the information they collect with them and the purpose for which that information is used, we refer to the privacy statements of these parties on their own websites. These statements can change regularly, and GA has no control whatsoever.

Visit the All About Cookies website to learn more.

Privacy Options

Because modern browsers are frequently updated with new menus and interfaces, we recommend following the guides provided by each browser creator for the most up-to-date information.

Please follow the link for your preferred browser below to find the current guide.

For all other browsers, please follow the instructions provided by the relevant browser, usually located within the "Help", "Tools" or "Edit" facility.

If you only disable third party cookies, you will still be able to use this Website, but some of its content will not be as relevant to you. If you disable all cookies, this will result in our website not working properly.

If you do choose to disable cookies, this choice will only apply to the device you are using at the time. If you want to stop cookies being set on other devices, you will need to follow the relevant steps on each device. Please note that disabling cookies does not delete cookies from your browser; you will need to do this from within your browser.

Access to our database containing personal information on registered users of the site is restricted. In order to increase security, we ask you to input a password when you register as a user of the site. Please keep this password secret. As you may be aware, no data transmission over the Internet can be entirely secure. As a result, while we will always use reasonable endeavours to protect the personal information you provide to us, we cannot guarantee the security of your information and the use of our facilities (e.g. e-mail) is at your own risk. If you have any questions about paying for your ticket through the Site, please contact Customer Relations.

3. Online Booking and Planning.

This section sets out the procedures we have in place in relation to the collection, use and disclosure of information you may provide, or we may collect via the Booking Service for the planning and booking of tickets online (for example with Trainline).

Your Consent

By using this Booking Service, you agree with the terms of this Privacy Notice and whenever you submit information via the Booking Service, or otherwise use the Booking Service, you consent to the collection, use and disclosure of that information in accordance with this Privacy Notice.

Collection of visitor information

Some parts of the Booking Service require you to actively submit information in order for you to benefit from specific features or make ticket bookings. Some of this information may be personal (namely, information that can identify you, such as your name, address, or phone number). We only collect such information when you choose to supply it to us. You confirm that you will only enter information about yourself and that such information is true.

We may collect and process anonymous information about your use of the Booking Service, such as some of the pages you visit and some of the searches you perform. We use such information to help us improve the contents of the site and to compile, for internal market research purposes, aggregate statistics about individuals using it. This kind of anonymous information can be obtained by our use of “cookies” as well as other means. Please see our “Cookies” section above for more information on our use of cookies.

How we use your personal data

Your personal information submitted to us is used for operational purposes, for example, producing tickets, processing payments (including fraud screening) or confirming orders, alerting you about your booked journeys, constantly improving and adding to the tools and features that we provide to you on our Website and Mobile Application, and to personalise your shopping experience by using your purchases and browsing activity to make recommendations to you about products and services that we think may be of interest to you.

We and/or our authorised third parties (including the Rail Delivery Group ("RDG")) may also use your personal information: (a) for internal market research and analysis purposes; and (b) to carry out survey related activities with you.

If you contact us, we may be able to see information about your recent activity on our website - such as your recent searches, recent error messages shown and/or your recent purchases. This enables us to provide you with an efficient service and reduce the need for you to repeat information to us that you have already input into the Website.

Sharing data with third parties

We will share your personal information with third parties for the purpose of processing payment (including fraud screening) and for undertaking any other permitted use of your personal information on our behalf. These service providers will only have access to the personal information needed to perform the relevant service and may not use your personal information for any other purpose. They will also be required to use your personal information strictly in accordance with data protection laws, including maintaining adequate security measures to protect such personal information.

We may share your personal information with third party service providers:

  • for improving your booking experience with them and analysing the performance of their service to us.
  • for analysis and market research related services.
  • to carry out survey related activities with you.
  • for the purpose of alerting you about your booked journeys; and
  • to contact you about new features, services, products, and special offers ("Marketing Information") in line with any consent that you have provided.

If you do not wish to receive Marketing Information, you may choose not to do so by clicking where indicated on the registration page. If you initially wish to receive such material but you change your mind later, you may tell us by using the "update your personal details" page.

Use of location data

Information about your location or approximate location may be used by our Booking Service. We obtain and use this information in two main ways:

  1. Internet traffic information, such as your IP address: This information is provided automatically as you use our Booking Service and can allow us to infer your approximate location. We use this information:
    1. For analysis purposes to understand the distribution of our customers
    2. To tailor messages or advertisements shown on our website - for example, if we identify that you are likely to be located in Cambridge, we may show you promotions relating to journeys starting in Cambridge.
  2. Location information provided by your browser or device: Many web browsers, particularly on mobile phones and tablet devices, are able to accurately report your location, for example using GPS technology. The same is true for apps on mobile phones and tablets. These browsers and devices normally ask your permission before sharing your location with a website or app, and you can usually disable the feature altogether in the device settings. We use this information for features that need to know your location - for example, if you select "nearest station" or "next train home" and for other search functionality features.

Security

We take the security of your data very seriously. We employ physical, electronic, and administrative security measures to protect the information that we collect about you from access by unauthorised persons and against unlawful processing, accidental loss, destruction, and damage. You acknowledge and agree that we shall not be responsible for any unauthorised use, distribution, damage, or destruction of personal data, except to the extent we are required to accept such responsibility by the data protection laws.

Links to third party Internet sites

The booking service may contain links to other sites and sources of information. By clicking on these, you will leave the Website or Mobile Application (as appropriate) and this Privacy Notice will not apply to your use of any other sites.

Access to Personal Information

You are entitled to see the personal information we hold about you and may obtain these details by submitting a Data Subject Access Right request. We are entitled by law to charge an administrative fee to meet our costs in providing you with such details and we may require proof of your identity before we supply the information to you.

Deactivating your Account

Upon request from you (by contacting us via our DSAR portal) we will deactivate your account and render your personal information unusable as soon as reasonably possible, in accordance with applicable law. We do retain personal information from closed accounts to comply with law, prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, assist with any investigations, enforce our terms and conditions, and take other actions otherwise permitted by law.

4. Ticket Office Purchases – Season Ticket Records

Personal details we hold

When you buy a season ticket valid for one month or more, we keep a record of this on a database. We keep the following details:

  • Name, address and photo card number.
  • Phone number, email, and date of birth if you provide them.
  • The origin, destination and start and end date of season tickets you have purchased, along with any duplicate, replacement, or refund of these; and
  • The method of payment used, but not any payment card details.

How we use your personal data

We use this information for Contractual obligations, Customer Relations and administration, customer research, marketing, and fraud prevention.

We will only send you information about offers and promotions if you chose to receive it and you can change your marketing preferences at any time. We will not pass your personal information to any other organisation outside of our Group of Companies (and Successor franchise or Secretary of State for Transport) for marketing purposes without your prior consent.

Sharing data with third parties

If you have agreed to receive information for survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to.

5. Revenue Protection And Penalty Fares

Personal details we hold

We may collect a range of personal details during revenue protection activity. This may include name, address, proof of ID, journey details, payment details, personal descriptions, and other information you provide to support an appeal. This data is processed by GA and held in archive by ITEL (3rd Party).

How we use your personal data

We only use this information for the administration of the Penalty Fares scheme, collection of unpaid fares, fraud prevention and the prosecution of travel offences.

Sharing data with third parties

We may share your correspondence with:

  • British Transport Police under a data sharing agreement to prevent and detect crime.
  • The ITEL if you appeal a Penalty Notice issued to you.
  • Passenger Focus if you have asked them to act on your behalf under a complaint handling procedure. Requests from ombudsmen are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL.
  • We may also share information with other TOCs for fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL.

Collection of data at station gate lines

GA may collect data from customers at station gate lines. The data collected is the ticket number of the ticket presented and will then be matched against the season ticket database. The data is collected to counter fraudulent behaviour from customers regarding ticketless travel.

6. Customer Relations Database

We collect your information and comments when you contact us by letter, email, web form, phone, or social media.

Personal details we hold

We may hold your name, address, date of birth, email address, phone number, social media name, ticket details, photocard image, our correspondence with you, the compensation claims you have made, and payment made by us, proof of journey or other supporting information you may provide.

To ensure that we have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record or monitor telephone calls; however, you will always be told when this happens.

How we use your personal data

This information is used for administration of correspondence or processing claims you have made, such as delay repay as well as for fraud prevention purposes. We also use it to respond to complaints.

Sharing data with third parties

We are required to provide details of your complaint to another TOC if it relates to their services instead of ours. We may share your correspondence with Passenger Focus or London Travel Watch or the Ombudsman if you have asked them to act on your behalf under a complaint handling procedure.

We may also share information with other TOCs for the purpose of fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL.

7. Station Help And Assistance Information Points

At our stations, we maintain Customer Help and Assistance Points. Depending on the service requested these are linked directly to our Control Centre or to National Rail Enquiries.

Calls for Information or Assistance made to National Rail Enquiries are recorded and monitored, but no advance notice is given as this could result in a delay in the provision of assistance.

8. Station & Train Wi-Fi

When you use our station or train Wi-Fi service, we collect device MAC addresses, timestamps and accounting, which are stored for a limited amount of time in order to authenticate devices to the Wi-Fi service.

This data will be retained for a short period in line with our retention policy and deleted thereafter.

9. Children’s Data

When processing children's data, we obtain parental consent to the processing of the data of children who are under the age of 16. We rely on this legal basis for processing these data. Only registered parents can make these purchases on behalf of their children.

GA sells scholar tickets (discounted season tickets) to allow children to travel to certain schools. The details taken are the child’s name, school (to ensure that school is within the GA network) and photocard number. The payment and invoice address details are provided by the parents when the ticket is ordered.

10. Parking - National Car Parks “NCP”

NCP, in conjunction with GA, operates car parks at GA stations. Season ticket passes are available to customers and employees of GA. In such cases the customer/employee will need to supply their name, address and car registration numbers to ensure that they are not charged for using the car park.

11. Safety Forms & Claims

GA processes safety forms and potential claims where a customer or employee has had an accident or reported an accident whilst within a GA leased area or travelling on our trains. The data taken is the name, address, date of birth and contact number of the customer or employee.

If a claim is received this data will be sent to our third-party claims handler and is collected in order to manage the claim and will be held until the claim is resolved.

The information that we collect from you will only be stored in the European Economic Area (“EEA”) or, where it is necessary to disclose it to our processors located outside the EEA, other jurisdictions which are acceptable according to guidance provided by the Information Commissioner and/or where appropriate legal and security safeguards are in place. Please contact the Data Protection Manager ([email protected]) if you wish to find out more about the safeguards.

We use a range of appropriate technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its confidentiality, integrity, and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.

Unless stated otherwise we will aim to satisfy your instruction or inform you as to why we are unable to, without undue delay and within 30 days. If we anticipate that we will not meet this timeframe we will let you know within 30 days and explain what the problem is.

1. Object To Direct Marketing

To prevent marketing to you, you have the right to ask us not to process your personal information for marketing purposes. We will usually inform you before collecting your information if we intend to use or disclose it for such purposes. If you do not want us to use your information for marketing purposes either:

  • indicate this by NOT ticking the box to be sent marketing emails (or offers);
  • if you have an account with us, log in and change your contact preferences;
  • click the unsubscribe link on direct marketing emails;
  • contact us; or
  • submit a Data Subject Access Request (DSAR).

2. Ask For A Copy Of Your Personal Data

You are entitled to request a copy of the personal information we hold about you.

We may need to ask for some further information, such as checking who you are. Please let us know in what format you wish to receive your information.

Sometimes we may hold information that we do not have to provide, for example, if it would prejudice a police investigation or if the disclosure would cause harm to another person whose personal data is inseparable from your data.

In most cases, we provide the copy of your data to you for free. We have set out below some information about when it might not be free or provided.

3. Rectification / Restriction

If you believe the information we hold about you is inaccurate or incomplete you can contact us and ask us to correct it. You may also request that any data processing we are carrying out on your data is halted whilst a request for rectification, objection, or a dispute over the lawfulness of processing is being considered. We will provide a response confirming the action we have taken or disagree with taking.

4. Deletion/Close my Account Request

This is also known as the “Right to be forgotten”; you can request deletion or removal of personal information in some circumstances, such as where there is no compelling reason for its continued processing. We will also take reasonable steps to notify third parties of your instruction and request that they act upon it, in a similar manner.

5. Withdrawal Of Consent

If we relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. It does not affect the processing conducted beforehand. You can withdraw consent by contacting.

Where you have consented to receive direct marketing communications, you can withdraw your agreement at any time, as above or where available updating your preference centre or clicking on the appropriate link in the communication.

6. Portability

Where you have provided us with personal data and the reasons we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information to be provided to you or another data controller in a structured, commonly used, and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely affects the rights of others.

7. Information About Profiling And Automated Decision Making

We target some of our marketing and service communications so that they are more relevant to you, based on the type of ticket(s) you bought and your location/travel stations. We will try and ensure where possible the communications are compatible with the device you are using.

We use automated decision making to calculate the validity and value of Delay Repay claims made through our website. You will receive a notification of the outcome of your claim. At this stage, you are able to request that your claim is manually reviewed by a member of the Delay Repay team. If you remain dissatisfied, you are able to escalate to our Customer Relations team.

8. How We Deal With Rights Requests

We are not able to charge you a fee for dealing with rights requests unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can decide about what you wanted to do next.

There are various limitations and exemptions in relation to the exercise of rights in DPL - for example if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.

9. Complaints

The Data Protection Manager (DPM) role has been established in a manner to remain independent of business decisions. If you wish to lodge a complaint against:

  • the business, please contact our DPM; or
  • the DPM or DPO, please contact the ICO.

We also have a complaints policy. If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please let us know. Our DPM is the first point of contact for dealing with Rights Requests and complaints and they are assisted by Customer Relations. If you are not satisfied with the way in which they have handled your complaint or rights request, then you can contact the DPO.

If you are not satisfied with the response you can complain to the ICO. Their contact details are:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

Fax: 01625 524 510

Website: https://ico.org.uk/global/contact-us/

10. How Long We Keep Your Personal Data For?

We will store your information for as long as we have to by law or regulatory requirement. If there is no legal or regulatory requirement, we will only store it for as long as we need it. We will also keep some personal information for a reasonable period after your last contact with us – just in case you decide to use our services again. We, or one of our partners, may contact you about our services during this time if you have not opted out of receiving marketing communications from us.

We may also keep your personal data for the purposes of our legitimate interests in running our Group businesses, including anonymising or pseudonymising data for analysis.

Changes to this privacy policy

We may revise this Privacy Policy from time to time. The most current version of this policy will govern use of your information and will always be on this website. By continuing to access or use the Service after those changes become effective, you agree to be bound by the revised Privacy Notice.

This Policy was last updated on 24 July 2024.