Privacy Notice

Abellio East Anglia Limited “AEA” is committed to protecting and respecting your privacy when you use our services.

This Privacy Notice explains:

  • What personal data we collect from you when you use our website, apps, visit our stations, contact us, use our services, or Wi-Fi;
  • How we will collect and use that information;
  • How we keep information secure; and
  • How you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint.

Abellio East Anglia is a reputable train operator which commutes customers around the United Kingdom. Our aim is to provide customers with excellent services.

We are committed to applying appropriate security measures to keep your information safe and secure. At Abellio East Anglia, we use the information you provide for legitimate business purposes only.

This privacy notice applies to personal data we collect about you through our website (, by telephone, in person (for example in stations and on board), through our apps and when you communicate with us. This privacy notice may change often and when it does, the updated version will always be available on our website. We will also inform you about any important changes to our privacy notice.

For the purposes of the General Data Protection Regulation, the data controller is:

Abellio East Anglia Ltd

11th Floor

One Stratford Place

Montfitchet Road


E20 1 EJ

Our Data Protection Officer (DPO) is: Matt Dolphin

If you have any question(s) about how we use your personal information not answered here, or if you want to exercise your rights regarding your personal data, contact our Data Protection Officer via [email protected]

We may collect, use, store and transfer various kinds of personal data about you which we have grouped together as follows:

  • Identity Data includes first name, surname, username or similar identifier, title, date of birth, gender, and CCTV footage.
  • Contact Data includes billing address, delivery address, postcode, email address and telephone numbers.
  • Financial Data includes bank account and payment card details.
  • Transaction Data includes details as to your journeys, details about payments to and from you and other details of products and services you have purchased from us.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • Profile Data includes your username and password, purchases or orders made by you, any interests communicated to us to enable the personalisation of services, travel preferences, feedback, and survey responses.
  • Usage Data includes information about how you use the Website, products, and services.
  • Health Data includes information relating to your mobility and disability status to enable us to provide assisted travel and ensure that you receive the correct pricing and any information detailed within any accident reports that relates to personal injury or receipt of medical attention.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
  • When you apply to our Secure Cycle Compound Plus which is optional. To use this service, we will collect your full name, address, telephone number and email address. This is solely for us to provide you with this service.
  • Occasionally, GA will carry out photo shoots on our trains and stations which may include images of customers. However, before we do that, we would inform customers on the day at our stations. We use these photos for publicity purposes only.

We collect, where necessary, Special Category Data which includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We do not seek to collect or otherwise process your Special Category Data, except where:

  • we have obtained your explicit consent prior to processing your Special Category Data (e.g., you consent to us processing your Health Data to provide travel assistance services to you).
  • the processing is necessary for compliance with a legal obligation.
  • the processing is necessary for the detection or prevention of crime (including the prevention of fraud) to the extent permitted by applicable law.
  • you have manifestly made those Special Category Data public.
  • the processing is necessary for the establishment, exercise, or defence of legal rights; or
  • processing is necessary for reasons of substantial public interest and occurs based on an applicable law that is proportionate to the aim pursued and provides for suitable and specific measures to safeguard your fundamental rights and interests.

We process your personal data based on our legitimate interests to provide our services to you in an efficient and secure manner.

We have set out below a list of all the ways we may use your personal data and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.

In some cases, we may use more than one legal basis for processing your personal data; this will depend on the specific purpose for which we are using your personal data. If you have any queries about the specific legal basis that we rely on for processing your personal data, please email [email protected].

What we use your personal data for (purpose) Type of data Legal basis for processing (including basis of legitimate interest) Type of data Legal basis for processing (including basis of legitimate interest)
To register you as a new customer
  • Identity
  • Contact

Contract Performance

To carry out our obligations arising from any contracts entered between you and us including:
  • managing payments, paying refunds or compensation, fees, and charges
  • collecting and recovering money owed to us
  • running fraud checks if we have reasonable suspicions
  • provide you with necessary information, products, and services that you request from us including, but not limited to, contacting you about your journey
  • Identity
  • Contact
  • Financial
  • Transaction
  • Health
  • Marketing and Communications
  • Contract Performance
  • Necessary for our legitimate interests (to recover debts due to us, to pay refunds or compensation owed to you and to prevent us facilitating fraud)
To respond to your enquiries or to process your requests in relation to your information
  • Identity
  • Contact
Contract Performance
To maintain a suppression list should you opt-out of receiving communications


Necessary for our legitimate interests (to ensure that we are not at risk of breaching data protection laws by communicating with you where you have asked us not to).
To manage our relationship with you which will include:
  • notifying you about changes to our website, services, terms, or privacy notice
  • asking you to leave a review, take a survey or participate in market research
  • Identity
  • Contact
  • Profile
  • Marketing Communications
  • Performance of a contract with you
  • Necessary to comply with a legal obligation
  • Necessary for our legitimate interests (to recover debts due to us)
To help provide a safe environment for our employees and customers; to reduce the number of assaults on our employees during revenue enforcement duties; and to improve the quality of evidence available for submission to the authorities.


Necessary for our legitimate interests (to protect employee and customer safety and assist with the verification of claim)

To enable you to partake in a prize draw, competition or complete a survey
  • Identity
  • Contact
  • Profile
  • Usage
  • Marketing and Communication
  • Performance of a contract with you
  • Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)
To administer and protect our business and the Website (including training our employees, troubleshooting, data analysis, testing, system maintenance, security audits, support, reporting and hosting of data)
  • Identity
  • Contact
  • Profile
  • Necessary for our legitimate interest (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
  • Necessary to comply with a legal obligation
  • Performance of a contract with you
To conduct health and safety assessments and record keeping, and compliance with related legal obligations
  • Identity
  • Contact
  • Profile
  • Health
  • Necessary for our legitimate interest (in providing a safe and secure environment at our premises)
  • Necessary for compliance with a legal obligation
  • Necessary to protect the vital interests of any individual
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
  • Identity
  • Contact
  • Profile
  • Usage
  • Marketing Communications
  • Technical
Necessary for our legitimate interest (to study how you use our products/services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve the Website, products/services, marketing, customer relationships and experiences
  • Technical
  • Usage
Necessary for our legitimate interests (to define types of customers for our products and services, to keep the Website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about goods or services that we feel may interest you
  • Identity
  • Contact
  • Technical
  • Usage
  • Profile
  • Marketing Communications
Necessary for our legitimate interest (to develop our products/services and grow our business)
To establish, exercise and defend our legal rights
  • Identity
  • Contact
  • Financial
  • Transactional
  • Technical
  • Profile
  • Usage
  • Health
  • Marketing Communications
  • Necessary for compliance with a legal obligation
  • Necessary for our legitimate interest (for the purpose of establishing, exercising, or defending our legal rights)

We will only share or disclose your information as set out in this notice and in accordance with data protection laws. We will not share your personal data without your consent unless when required to do so by law.

Where and when appropriate, we will share your personal data with you, your family, your associate, and your representatives.

Personal data will be, when required, disclosed to the British Transport Police or any other law enforcement agency or court to the extent necessary for the following purposes: preventing, investigating, detecting, and prosecuting criminal offences and preventing threats to public security in accordance with applicable law or validating a claim.

We share or disclose information for the following reasons:

  • To suppliers, data processors and business partners for the purpose of performance of contract with you or them
  • Where we share data across our Group Companies, this is only in accordance with a written data sharing agreement;
  • To operate interoperable services - this includes the use of some shared systems and processors, by the rail industry generally and overseen by the Rail Delivery Group;
  • To respond to your complaints or administer requests you have made, either to us or another regulatory body such as the Department for Transport; Passenger Focus, London Travelwatch, the Rail Complaints Ombudsman, or other Train Operating Companies (TOCs);
  • To process payment card transactions;
  • To protect our legitimate business interests, as outlined above;
  • Where required because of the sale, merger, or acquisition of business assets.
  • If you have consented to receive information for competition, promotion, survey, or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to in the terms and conditions of the purpose; and
  • Where you have consented, to share with other members of the Abellio Group UK (“Abellio”), of which we are a member, where Abellio has any services, promotions and offers which we feel may interest you. Find more details about other members of Abellio.

Why do we operate CCTV cameras?

We operate CCTV for the following purposes:

  • Health and safety of employees, passengers, and other members of the public;
  • To monitor what takes place at our offices, stations, car parks and on our trains to provide a safe environment for our employees and customers
  • For crowd management
  • For prevention and detection of crime and anti-social behaviour.

We adhere to strict standards in processing CCTV footage in accordance with data protection laws.

Camera systems we operate

Depending on the type of camera, images are recorded on videotape (analogue) or as digital information. Cameras can be fixed or set to scan an area. In some circumstances, they can be operated remotely by controllers. When necessary, our officers will have to use body-worn cameras which take audio-visual recordings.

Camera locations

We operate cameras at the stations, car parks we manage and on some of the trains that we run.

Network Rail and other Train Operating Companies operate the cameras at some stations that our services stop at. These are:

  • London Liverpool Street
  • Peterborough
  • Stratford
  • Kings Lynn
  • Seven Kings
  • Gidea Park
  • Harold Wood
  • Romford
  • Brentwood
  • Edmonton Green
  • Hackney Downs

Length of time CCTV footage is kept

CCTV footage at stations and on trains is held for a maximum of 30 days from the time of recording.

On train CCTV footage varies depending on the classification of the train.

Class 317 - 7 days

Class 379 - 10 days

Class 321 - 30 days

Class 360 - 30-40 days

Recordings from body worn cameras are held for 28 days, unless required for legitimate business reasons.

How to access your CCTV personal data

You can request copies of images or footage of yourself by making a Subject Access Request to [email protected]

Please note that it may not always be possible to fulfil these requests because of the necessity to protect third party data.

Disclosing CCTV/personal data to the police

At our discretion, we may disclose CCTV/personal data in response to valid requests from the police and other statutory law enforcement agencies.

Before we authorise any disclosure, the police must demonstrate that the CCTV/personal data is necessary to assist them in the prevention or detection of a specific crime, or in the apprehension or prosecution of an offender.

Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the Data Protection Act 2018.

Sharing CCTV footage with other third parties

Some of our CCTV infrastructure is shared with the British Transport Police, Local Authorities, Network Rail, and Car Park operators under a formal data sharing agreement.

In certain agreed circumstances, they may take control of a limited number of cameras and use them for activities such as the prevention and detection of crime and anti-social behaviour, policing major events and crowd control. GA is not responsible for the CCTV footage in these circumstances.

We may also disclose personal data to third parties, if required to by law or when necessary for a legitimate purpose such as defending or bringing legal action. Data Protection Law allows us to do this where the request is supported by:

  • evidence of the relevant legislation
  • court orders

Legitimate interest would include requests such as defending or making a legal claim, such as to insurers following a vehicle collision in a car park. When we are not required to provide CCTV, we will consider the circumstances and any potential harm to individuals, we may also charge a fee and seek indemnity for any use beyond which it is requested.

External guidelines and best practice

GA operates its CCTV systems in compliance with the Information Commissioner's Office’ CCTV Code of Practice. The Code describes best practice standards which should be followed by organisations operating devices that view or record images of individuals. It also covers other information derived from those images that relates to individuals (for example vehicle registration marks).

Personal details we hold

When you buy a season ticket valid for one month or more, we keep a record of this in our secured database. We keep the following details:

  • Name, address, and photo card number;
  • Phone number, email, and date of birth if you provide them;
  • The origin, destination and start and end date of season tickets you have purchased, along with any duplicate, replacement, or refund of these; and
  • The method of payment used, but not any payment card details.

Why we retain your information

We retain your information to allow us to contact you e.g. if you lose your season ticket and to aid the renewal process once your season ticket is close to expiring.

Length of time records are kept

Records of ticket purchases are retained for a period of seven years.

Personal details we hold

We collect a range of personal detail during revenue protection activity. This includes name, address, proof of ID, journey details, payment details, personal descriptions, and other information you provide to support an appeal or for us to issue fines.

How we use your personal data

We only use this information for the administration of the Penalty Fares scheme, collection of unpaid fares, fraud prevention and the prosecution of travel offences.

Why we retain your information

We retain your information to undertake analysis to identify any patterns in the data and to minimise future fraudulent activities.

Length of time records are kept

Records are kept for a minimum of 12 months and where required, for example during a fraud investigation, we would keep information indefinitely for litigation issues.

Sharing data with third parties

To carry out other revenue protection duties, we will share your information with:

  • British Transport Police for prevention and detection of crime.
  • ITAL if you appeal a Penalty Notice issued to you.
  • Passenger Focus if you have asked them to act on your behalf under a complaint handling procedure.
  • We also share information with other TOCs for fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with data protection laws.

Collection of data at station gate lines

GA collects data from customers at station gate lines. The data collected is the ticket number of the ticket presented and will then be matched against the season ticket database.

The data is collected to counter fraudulent behaviour from customers regarding ticketless travel.

We collect your information and comments when you contact us by letter, email, web form, phone, or social media.

Personal details we hold

We may hold your name, address, date of birth, email address, phone number, social media name, ticket details, photocard image, our correspondence with you, the compensation claims you have made, and payment made by us, proof of journey or other supporting information you provide.

To ensure that we have an accurate record of dealings between us (and for training purposes) we, in certain circumstances, record or monitor telephone calls. However, you will always be told when this happens.

How we use your personal data

This information is used for administration of correspondence or processing claims you have made, such as delay repay as well as for fraud prevention purposes. We also use it to respond to complaints.

Why we retain your information

We retain your information to ensure that all claims are processed properly, to undertake analysis to minimise potential fraud and identify themes and patterns in the data.

Length of time records are kept

Records are kept for a minimum of seven years for analysis and to identify themes and patterns.

Sharing data with third parties

We are required to provide details of your complaint to another TOC (Train Operating Companies) if it relates to their services instead of ours. We share your correspondence with Passenger Focus or London Travel Watch or the Ombudsman if you have asked them to act on your behalf under a complaint handling procedure.

We may also share information with other TOCs for the purpose of fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with data protection laws.

On our stations, we maintain Customer Help and Assistance Points. Depending on the service requested these are linked directly to our Control Centre or to National Rail Enquiries.

Calls for Information or Assistance made to National Rail Enquiries are recorded and monitored, but no advance notice is given as this could result in a delay in the provision of assistance.

When using our station or train Wi-Fi service we collect device MAC addresses, timestamps and accounting which is stored for a limited amount of time to authenticate devices to the Wi-Fi service. This data will be retained for a period of 14 days after such time it will be deleted automatically.

To gain employment your data will be processed by Greater Anglia for but not limited to assessments, interviews, medical and reference checks.

The data is retained on the following basis:

Unsuccessful candidates – 6 months

Successful candidates – 7 years after leaving employment

The information that we collect from you will mostly be stored in the United Kingdom and European Economic Area (“EEA”). However, certain information we collect from you may be transferred to, and stored at, a destination outside the United Kingdom (UK). When we transfer and store your personal data outside of the UK, we will ensure that it is protected by using appropriate safeguards as further detailed below.

Where your personal data is transferred from the UK to a recipient outside the UK in a country not recognised by the United Kingdom as providing an adequate level of protection for personal data, such transfer shall be covered by a framework recognised by the relevant authorities or courts as providing an adequate level of protection for personal data including but not limited to:

View Standard Contractual Clauses the agreement in the form annexed to the European Commission's decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries.

We use a range of appropriate technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its confidentiality, integrity, and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.

Unless stated otherwise we aim to satisfy your instruction or inform you as to why we are unable to, without undue delay and within 30 days. If we anticipate that we will not meet this timeframe, we will let you know within 30 days and provide further information if there is any need for an extension.

To prevent marketing to you, you have the right to ask us not to process your personal information for marketing purposes. We will usually inform you before collecting your information if we intend to use or disclose it for such purposes. If you do not want us to use your information for marketing purposes either:

  • if you have an account with us, by logging in and changing your contact preferences;
  • click the unsubscribe link on direct marketing emails; or
  • contact us.

You are entitled to request a copy of the personal information we hold about you or execute your right as a data subject.

To make such requests, please email: [email protected] or write to:


Information Requests

The Hub

Colchester North Station

North Station Road



If you believe the information, we hold about you is inaccurate or incomplete you can contact us and ask us to correct it. You may also request any data processing we are carrying out on your data is halted whilst a request for rectification, objection, or a dispute over the lawfulness of processing is being considered. We will provide a response confirming the action we have taken or disagree with taking.

This is also known as the “Right to be forgotten” you can request deletion or removal of personal information in some circumstances, such as where there is no compelling reason for its continued processing. We will also take reasonable steps to notify third parties of your instruction and request that they act upon it.

Where you have provided us with personal data and the reasons, we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information to be provided to you or another data controller in a structured, commonly used, and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or affects the rights of others.

We target some of our marketing and service communications so that they are more relevant to you, based on the type of ticket(s) you bought and your location/travel stations. We will try and ensure where possible the communications are compatible with the device you are using.

We use automated decision making to calculate the validity and value of Delay Repay claims made through our website. You will receive a notification of the outcome of your claim. After, you can request your claim to be manually reviewed by a member of the Delay Repay team. If you remain dissatisfied, you can escalate to our Customer Relations team.

We will not charge you a fee for dealing with rights requests unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case so that you can decide about what you wanted to do next.

There are various limitations and exemptions in relation to the exercise of rights in data protection laws - for example, if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim.

If you wish to lodge a complaint about how we process your information, please contact:

  • our Data Protection Officer; or
  • the ICO Head office:

Information Commissioner's Office

Wycliffe House

Water Lane




Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Fax: 01625 524 510

When processing children's data, we obtain parental consent to the processing of children who are under the age of 16. We rely on this legal basis for processing these data. Only registered parents can make these purchases on behalf of their children.

The AEA business sells scholar tickets (discounted season tickets) to allow children to travel to certain schools. The details taken are the child’s name, school (to ensure that school is within the AEA network) and photocard number. The payment and invoice address details are provided by the parents when the ticket is ordered.

NCP in conjunction with AEA operates car parks at AEA stations. Season ticket passes are available to customers and employees of AEA, in such cases, the customer/employee will need to supply their name, address and car registration numbers to ensure that they are not charged for using the car park.

AEA process safety forms and potential claims where a customer or employee has had an accident/or reported an accident while at a station or travelling on one of our trains. The data taken is the name, address, and data of birth of the customer or employee concerned. To help with litigation, claims and as required by industry standards, we would hold keep safety information indefinitely.

For customers, claim data will be sent to our third-party claims handler to manage claims and will be held for a minimum of ten years except for claims involving minors and those lacking legal capacity. For employees, the data will be held indefinitely to manage any future claims that the employee could raise later.

Privacy Notice Update

We revise this Privacy Notice frequently. The most current version of this policy will govern our use of your information and will always be on this website. We will inform you of any changes. By continuing to access or use the service after those changes become effective, you agree to be bound by the revised Privacy Notice.

This Policy was last updated on March 2022.