Privacy and Cookie Policy

East Midlands Railway is committed to protecting and respecting your privacy when you use our services

This Privacy Policy explains:

  • What personal data we collect from you when you use our website, apps, visit our stations, contact us, use our services, or WiFi
  • How we will collect and use that information
  • How we keep information secure
  • How you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint
  • Additional information in relation to the planning and ticket booking service

If you want to change the way in which we use your data or if you have a question about how your personal information is used, contact the Data Controller, East Midlands Railway: [email protected] Find out more under 'Your rights' below.

Contents

  • Information we may collect from you
  • How we use your information
  • Sharing or disclosure of your information
  • Types of information we collect
  • Where we store your personal information
  • Information security
  • Your rights

Information we may collect from you

We may collect and process information about you when you:

  • Buy tickets
  • Travel on our services
  • Visit our stations or car parks
  • Use our website, apps or WiFi
  • Buy a product from us or make a sales enquiry
  • Contact Customer Services
  • Enter a competition
  • Sign up to receive updates or marketing

We collect information such as your contact details, ticket purchases, stations visited (for example for charging the correct fares on Smartcards), payment and refund details. We may require additional details for some services, such as your age for age restricted tickets. This information is generally provided by you.

Sometimes we obtain details from third parties, for example if our Group structure changes or for legitimate business reasons.

How we use your information

We will only use the information you provide as permitted by the Data Protection Law (DPL). Depending on how you contact us, use our services, the consent you have given, our legitimate interests, or legal obligations we may have, this will include:

To provide you with the service - things like carrying out our obligations arising from any contracts - selling tickets, making and taking payments. We mostly rely on the legal ground of contractual performance to process your data, but sometimes the data is also used for our legitimate interests of customer service, health and safety, improving our services and other legal obligations, like providing information to our regulators.

To provide you with details of our services, information about travelling and customer service - this is based on our legitimate interests, to run train and associated services. Sometimes it is part of our contract or our other legal obligations.

To provide you with details of promotions and offers which we feel may interest you; this is based on our legitimate interests to try and sell more train tickets when you have given consent for us to contact you and you have an absolute right to ask us to stop sending marketing emails/SMS.

To run our services and improve them - we believe in investing in our railway services, not just to benefit passengers but also the wider community, environment, and economy. There are lots of activities we do to achieve this, some are administrative and we also do things like monitoring passenger numbers, and popular stations, improving technology to help plan journeys - make money, run our services safely and be a good employer - we call these our legitimate interests. Some of these are also covered in our legal obligations, not just to customers, but under Franchise Contracts/Local Authority Contracts, the Department for Transport or Regulators. Some data is also shared to run interoperable services – in the Rail Industry this is overseen by the Rail Delivery Group - this is how you are able to use a ticket on a train and tube for example or use a Railcard.

For your safety and security.

  • For fraud and crime prevention
  • To enhance your experience of our website, as described in our cookie policy
  • To run competitions

We are part of a Group of Companies and share administrative services and support. Your data may therefore be shared with other Group companies where appropriate. We are also required to pass certain customer data to successor franchisees, Secretary of State or Department for Transport.

Our Legitimate Interests

Running our business and Group businesses, in a safe and socially and environmentally responsible manner, efficiently, to provide sustainable and high quality, locally focused passenger transport services, improve and expand our services, be a leading employer in the transport sector, investing in and developing our staff, operating with financial discipline and reducing crime and fraud to provide shareholder value, provide and improve customer services.

Sharing or disclosure of your information

We will only share or disclose your information as set out in this Policy or in accordance with DPL and will obtain your consent where we are required to do so. We will only use third parties to process information where we are satisfied that they comply with these standards and can keep your data secure. We may share or disclose information for the following reasons:

We use data processors to provide or assist with some of our services, for example, the processing of bookings. Where we do so, they must agree to strict contractual terms and to keep your data secure. Where we share data across our Group Companies, this is only in accordance with a written data sharing agreement:

  • To operate interoperable services - this includes use of some shared systems and processors, by the rail industry generally and overseen by the Rail Delivery Group
  • To respond to your complaints or administer requests you have made, either to us or another regulatory body such as the Department for Transport; Passenger Focus, London Travelwatch, the Rail Complaints Ombudsman or other Train Operating Companies (TOCs)
  • To process payment card transactions
  • To comply with requests from the British Transport Police under an Information Sharing Protocol, ensuring that any disclosures are lawful
  • To comply with the police or other law enforcement agencies for the purposes of crime prevention or detection, these are dealt with on a case-by-case basis, under a specific Information Sharing Protocol, to ensure that any disclosure is lawful
  • To comply with other legal obligations for example, relating to crime and taxation purposes or regulatory activity
  • To protect our legitimate business interests, as outlined above
  • Where required because of the sale, merger, or acquisition of business assets. As the Railway Industry is run on a system of franchises, we are required to transfer our customer data to a successor franchise, or the Secretary of State, this is so that they can take over and continue the running of the railway service
  • In respect of information provided to us for marketing purposes only (including freely given consent), to the Department for Transport and/or any successor operator of the rail franchise in order that they may contact you for marketing purposes if we cease to operate this rail franchise
  • If you have agreed (via freely given consent) to receive information for competition, promotion, survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to in the terms and conditions of the purpose; and
  • Where you have consented, to share with other members of the Abellio Group UK (“Abellio”), of which we are a member, where Abellio has any services, promotions and offers which we feel may interest you. Details of other members of Abellio can be found here

You can find out more below about the information we collect and how we use, share or disclose it by contacting us at [email protected]

Types of information we collect

CCTV

Camera systems we operate

Our CCTV is used to capture, record and monitor images of what takes place at our stations and car parks and on our trains, in real time. We may use body worn cameras which make audio visual recordings.

Depending on the type of camera, images are recorded on video tape (analogue) or as digital information. Cameras can be fixed or set to scan an area. In some circumstances, they can be operated remotely by controllers.

Why we operate CCTV cameras

We operate CCTV for the following purposes:

  • Health and safety of employees, passengers and other members of the public;
  • Crowd management; and
  • Prevention and detection of crime and anti-social behaviour

Camera locations

We operate cameras at our stations and car parks we manage and we also operate CCTV on some of the trains that we run.

Network Rail and other TOCs also operate cameras at some stations that our services stop at. East Midlands Railway is not responsible for the CCTV when it is in the control of a third party.

Length of time CCTV footage is kept

CCTV footage at stations and on train is generally held for a maximum of 31 days from the time of recording.

Recordings from body worn cameras are generally held for 24 hours, unless required for legitimate business reasons.

How to access your CCTV personal data

You can request copies of images or footage of yourself by making a Data Subject Access Request.

Disclosing CCTV/personal data to the police

At our discretion, we may disclose CCTV/personal data in response to valid requests from the police and other statutory law enforcement agencies.

Before we authorise any disclosure, the police must demonstrate that the CCTV/personal data is necessary to assist them in the prevention or detection of a specific crime, or in the apprehension or prosecution of an offender.

Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the DPL.

Sharing CCTV footage with other third parties

We may also disclose personal data to third parties, if required to by law or it is necessary for a legitimate purpose such as defending or bringing legal action. DPL allows us to do this where the request is supported by:

  • Evidence of the relevant legislation
  • A court order
  • Satisfactory evidence and assurances of the legitimate interest

Legitimate interest would include requests such as defending or making a legal claim, such as to insurers following a vehicle collision in a car park. When we are not required to provide CCTV, we will consider the circumstances and any potential harm to individuals, we may also charge a fee and seek indemnity for any use beyond which it is requested.

External guidelines and best practice

East Midlands Railway operates its CCTV systems in compliance with the CCTV Code of Practice issued by the Information Commissioner’s Office (ICO) in 2017. The Code describes best practice standards which should be followed by organisations operating devices which view or record images of individuals. It also covers other information derived from those images that relates to individuals (for example vehicle registration marks).

Using our digital services

This section shows the information we collect when you use our website, Apps and WiFi services. Before providing us with your details, please read the following important information regarding:

  • Collection of visitor information
  • Hyperlinks
  • Cookies; and
  • JavaScript and Pixels

Collection of visitor information

We will only use the information that we collect about you lawfully, in accordance with the DPL.

The details you provide about yourself and any other information which identifies you (‘Personal Information’) is held by East Midlands Railway on this website (the "Site") for operational purposes, for example account registration or processing payments. We may also use your Personal Information to personalise your experience on the Site by informing you of new products or services that we may think are of interest to you.

East Midlands Railway gathers general information about users, for example, what services users access the most and which areas of the East Midlands Railway site are most frequently visited. Such data is used in the aggregate to help us to understand how the East Midlands Railway site is used. We gather this information so that we can continue to improve and develop our services to the benefit of our users. We may make this aggregated information available to users of the East Midlands Railway site and to auditors. These statistics are anonymous and contain no personal information and cannot be used to gather such information.

When you register with East Midlands Railway, set up a travel alert, enter a competition, or buy a ticket, we ask for personal information such as your name, contact details, and other details. Once you register with East Midlands Railway and accept our Terms and Conditions, you are not anonymous to us. We may use information that you provide to alert you to our own products and services. We may contact you regarding site changes or changes to the East Midlands Railway products or services that you use.

If you buy a ticket online with East Midlands Railway, we will record your personal details and send you a confirmation email. Your personal data will be used principally to communicate with you with reference to your purchase.

You may opt-in to receive newsletters, exclusive discounts, special offers and other marketing emails from East Midlands Railway. You may unsubscribe at any time by logging into your account and updating your preferences. Please note changes to your subscription preferences can take up to 14 days to take effect.

Alternatively contact our Customer Services team via email [email protected] or write to us at: Freepost EMR Customer Service Centre.

Hyperlinks

We may provide hyperlinks from the site to third party websites. No liability is accepted for the contents of any site operated by a third party which may be accessed via links from the site. These links are provided for your convenience only and do not imply that East Midlands Railway approves or recommends the content of such sites. We encourage our users to be aware when they leave our site to read the privacy statements of every website that collects personal data. This Privacy Policy applies solely to information collected by East Midlands Railway.

Cookies

A cookie is a small data file which may be downloaded to your computer’s hard drive when you browse a website. Cookies help us to provide you with a good experience when you visit our site by remembering you, your browsing history, likes and dislikes, for when you visit us again in the future. They also allow us to improve the functionality of the website.

There are several types:

Functional Cookies:

These functional or session cookies are used to provide services or to store your preferred settings ie they remember the choices you make, eg memorising and passing on the information that you enter during the login process to the My Account Area so that you do not have to enter the same data every time, saving your preferences, detecting abuse of our website.

Analytical Cookies

These cookies are used to analyse your visit to our website and help us to improve the customer experience through the way we organise our website. To do this we use Google Analytics which helps us to analyse the number of visitors and the duration of the visits. The information gathered allows us to make informed decisions about future functional developments to the website and also helps us when we need to solve possible technical problems on the website so to minimise inconvenience to our users. Please visit policies.google.com/technologies/ads for more information about Google Analytics.

Critical Cookies

These cookies are necessary to enable you to use our website and without these the website would not function, and we could not provide the service you need.

We always aim to show you up-to-date information, but may not be able to reflect these changes in our policy straight away.

Where we work with third parties to provide our service they may also set a cookie on your computer as part of the service provided.

Marketing Cookies

Only if you have given us permission in advance will we use tracking cookies for commercial purposes. These cookies, often placed by third parties, help us to be able to offer you personalised offers. Third parties can follow your internet behaviour with tracking cookies. East Midlands Railway uses a Tag Management System from Google to manage the choice of cookies. This way we can guarantee that no cookies are processed that you have not explicitly given permission for.

JavaScript and Pixels

In addition to cookies, we use JavaScript and Pixels. By using JavaScript in your browser, we can make our sites interactive and develop applications for the web.

A Pixel is a small graphic image on our site. By means of this image, we can, for example, determine how many visitors saw the page at which times. These techniques can also be used for marketing and tracking purposes. We use two types of Pixel; a Facebook Pixel, which analyses visits to our website from Facebook and Exchange Lab Pixel, which analyses visits to our website from our advertising across the internet.

Cookies from external parties

Some of the cookies are placed with the consent of East Midlands Railway by third parties with the aim to bring certain products and services to your attention or to give you direct access to social media: Google Analytics, Google Optimise, Google Maps, Twitter, YouTube, LinkedIn, GoogleAdwords, Instagram, Facebook and HotJar . For the cookies that these external parties place, the information they collect with them and the purpose for which that information is used, we refer to the privacy statements of these parties on their own websites. These statements can change regularly and East Midlands Railway has no control whatsoever. You can learn more here:

Hotjar: We use Hotjar in order to better understand our users’ needs and to optimise this service and experience. Hotjar is a technology service that helps us better understand our users experience (eg how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices (in particular device's IP address (captured and stored only in anonymised form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), preferred language used to display our website). Hotjar stores this information in a pseudonymised user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user. For further details, please see Hotjar’s privacy policy by clicking on this link.

You can opt-out to the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by following this opt-out link.

Visit the All About Cookies website to learn more.

Privacy options

If you would prefer us not to set cookies on our Website, you can disable them by changing your internet browser settings. How to do this will depend on the browser you are using, but the following is a step-by-step guide to the most popular browsers:

Microsoft Internet Explorer:

  1. Click on the "Tools" menu
  2. Select "Internet Options"
  3. Click on the "Privacy" tab
  4. Select the desired setting

Google Chrome:

  1. Click on the Customisation menu at the top right of the page
  2. Select "Settings"
  3. Select "Show Advanced Settings" and then "Content Settings"
  4. Select the desired settings under the "Cookies" heading

Mozilla Firefox:

  1. Click on the "Tools" menu
  2. Click on "Options"
  3. Select "Privacy"
  4. Choose the desired options under the "Cookie" menu

For all other browsers, please follow the instructions provided by the relevant browser, usually located within the "Help", "Tools" or "Edit" facility.

If you only disable third party cookies, you will still be able to use this Website, but some of its content will not be as relevant to you. If you disable all cookies, this will result in our Website not working properly.

If you do choose to disable cookies, this choice will only apply to the device you are using at the time. If you want to stop cookies being set on other devices, you will need to follow the relevant steps on each device. Please note that disabling cookies does not delete cookies from your browser, you will need to do this from within your browser.

Access to our database containing personal information on registered users of the site is restricted. In order to increase security, we ask you to input a password when you register as a user of the site. Please keep this password secret. As you may be aware, no data transmission over the Internet can be entirely secure. As a result, while we will always use reasonable endeavours to protect the personal information you provide to us, we cannot guarantee the security of your information and the use of our facilities (eg email) is at your own risk. If you have any questions about paying for your ticket through the Site, please contact our Customer Service Centre.

Online booking and planning

This section sets out the procedures we have in place in relation to the collection, use and disclosure of information you may provide or we may collect via the Booking Service for the planning and booking of tickets, with a web address prefixed by buytickets.eastmidlandsrailway.co.uk.

Your consent

By using this Booking Service, you agree with the terms of this Privacy Policy and whenever you submit information via the Booking Service, or otherwise use the Booking Service, you consent to the collection, use and disclosure of that information in accordance with this policy.

Collection of visitor information

Some parts of the Booking Service require you to actively submit information in order for you to benefit from specific features or make ticket bookings. Some of this information may be personal (namely, information that can identify you, such as your name, address or phone number). We only collect such information when you choose to supply it to us. You confirm that you will only enter information about yourself and that such information is true.

We may collect and process anonymous information about your use of the Booking Service, such as some of the pages you visit and some of the searches you perform. Such information is used by us to help us improve the contents of the site and to compile, for internal market research purposes, aggregate statistics about individuals using it. This kind of anonymous information can be obtained by our use of "cookies" as well as other means. Please see our Booking Service "Cookies" section below for more information on our use of cookies.

We may also share anonymous information about your use of the Booking Service with third parties for analytical purposes.

Booking Service cookies

Our Booking Service also uses cookies. A "cookie" is a small piece of information that is stored within your browser and allows us to identify that requests to our Booking Service originate from your computer, and sometimes provide additional information such as your recent searches on our Booking Service.

Functional cookies

Systems cookies: These cookies are created each time you visit our Booking Service and are automatically deleted when you leave our Booking Service and close your web browser. They ensure that the Booking Service works correctly. They also make sure that we remember the fact you are logged in once you log in and remember the selections that you make as you use the Booking Service. The Booking Service will not work properly without these cookies.

Identification cookies: These cookies help us remember who you are when you come back and visit our Booking Service and allow you to access your favourite journeys before you log in. These cookies are retained for up to two years after you visit our Booking Service.

Analytical cookies

These cookies allow us to understand general customer behaviour on our Booking Service; such as which bits of our Booking Service customers use, where they exit the Booking Service and, if anything goes wrong, where it happens; helping us to make our Booking Service better. We also track how customers found our Booking Service, for example which search engine was used or which online adverts were clicked on before visiting our Booking Service, helping us understand our marketing effectiveness. Data is anonymised and aggregated so we can monitor trends and count visitors rather than tracking individual customers. They have no impact on what you see on the Booking Service and do not store or track any of your personal data.

These cookies are an important part of providing you with an effective service. By using our Booking Service, you consent to us creating and retrieving these cookies. By using our Booking Service, you agree that you are aware of and understand that these cookies are used on our Booking Service and the purposes for which they are used.

Most web browsers allow you to configure your browser settings to refuse all or some cookies. How you do this will depend on the web browser you use. However, if you use your browser setting to block all or some cookies it will result in our Booking Service not operating correctly.

Use of information collected from our booking service

Your personal information submitted to us is used for operational purposes, for example, producing tickets, processing payments (including fraud screening) or confirming orders, alerting you about your booked journeys, constantly improving and adding to the tools and features that we provide to you on our Website and Mobile Application, and to personalise your shopping experience by using your purchases and browsing activity to make recommendations to you about products and services that we think may be of interest to you.

We and/or our authorised third parties (including the Rail Delivery Group ("RDG")) may also use your personal information: (a) for internal market research and analysis purposes; and (b) to carry out survey related activities with you.

If you contact us, we may be able to see information about your recent activity on our Website - such as your recent searches, recent error messages shown and/or your recent purchases. This enables us to provide you with an efficient service and reduce the need for you to repeat information to us that you have already input into the Website.

Sharing of information

We will share your personal information with third parties for the purpose of (processing payment (including fraud screening) and for undertaking any other permitted use of your personal information on our behalf. These service providers will only have access to the personal information needed to perform the relevant service and may not use your personal information for any other purpose. They will also be required to use your personal information strictly in accordance with data protection laws, including maintaining adequate security measures to protect such personal information.

Visa and Mastercard transactions are processed by Abellio East Midlands Limited but will appear on your credit card statements as East Midlands Railway.

We may also share your personal information (a) with any person who takes over our business to use your personal information on the same basis as we do; (b) with the train operator or any other service provider who provides you with any part of the services booked (Please check the privacy policy of the train operating company you travel with for further details as to how they use your personal information); and (c) with legal or regulatory authorities (including the Department for Transport) where we are lawfully requested or required to do so, or voluntarily to the Police and similar law enforcement agencies (including, but not limited to, fraud prevention and detection), other government agencies or third parties. Season ticket holders may be contacted for survey and research purposes about the journeys you make with your Season ticket.

We may share your personal information with third party service providers (a) for analysis and market research related services; (b) to carry out survey related activities with you; and (c) for the purpose of alerting you about your booked journeys; and (d) to contact you about new features, services, products and special offers ("Marketing Information") in line with any consent that you have provided. If you do not wish to receive Marketing Information, you may choose not to do so by clicking where indicated on the registration page. If you initially wish to receive such material but you change your mind later, you may tell us by using the "update your personal details" page or sending us an email to [email protected]

For some services (where you are already a loyalty scheme participant) you may be able to earn loyalty points by providing your loyalty scheme registered email address or membership number. Where you provide us with your loyalty scheme registered email address or membership number then you authorise us to provide the loyalty scheme operator and/or the loyalty scheme operator's third party service providers with this information as well as details regarding your transaction(s). The loyalty scheme operator's terms relating to the loyalty scheme will apply, however, there may be certain restrictions on the tickets and routes that are eligible for loyalty points. The loyalty scheme operator's terms, conditions and privacy policy will apply to their use of that data.

Use of location data

Information about your location or approximate location may be used by our Booking Service. We obtain and use this information in two main ways:

Internet traffic information, such as your IP address: This information is provided automatically as you use our Booking Service and can allow us to infer your approximate location. We use this information:

  • For analysis purposes to understand the distribution of our customers
  • To tailor messages or advertisements shown on our website - for example if we identify that you are likely to be located in Manchester, we may show you promotions relating to journeys starting in Manchester

Location information provided by your browser or device: Many web browsers, particularly on mobile phones and tablet devices, are able to accurately report your location, for example using GPS technology. The same is true for apps on mobile phones and tablets. These browsers and devices normally ask your permission before sharing your location with a website or app, and you can usually disable the feature altogether in the device settings. We use this information for features that need to know your location - for example if you select "nearest station" or "next train home" and for other search functionality features.

Security

We take the security of your data very seriously. We employ physical, electronic and administrative security measures to protect the information that we collect about you from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage. You acknowledge and agree that we shall not be responsible for any unauthorised use, distribution, damage or destruction of personal data, except to the extent we are required to accept such responsibility by the data protection laws.

Links to third party Internet sites

The Website and Mobile Application may contain links to other sites and sources of information. By clicking on these, you will leave the Website or Mobile Application (as appropriate) and this Privacy Policy will not apply to your use of any other sites.

Changes to this Privacy Policy

There may be changes in how we use your data. All such changes will be notified to you by updating this Privacy Policy.

Access to personal information

You are entitled to see the personal information we hold about you and may obtain these details by emailing us at: [email protected] We are entitled by law to charge an administrative fee to meet our costs in providing you with such details and we may require proof of your identity before we supply the information to you.

Deactivating your account

Upon request from you (by writing to us at: East Midlands Railway, c/o Trainline.com Limited, PO Box 23972, Edinburgh, EH3 5DA) we will deactivate your account and render your personal information unusable as soon as reasonably possible, in accordance with applicable law. We do retain personal information from closed accounts to comply with law, prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, assist with any investigations, enforce our terms and conditions, and take other actions otherwise permitted by law.

Contacting us

If you have any questions about this Privacy Policy and would like contact us, please refer to the Contact us section of our Website.

Ticket office purchases – Season ticket records

Personal details we hold

When you buy a Season ticket valid for one month or more, we keep a record of this on a database. We keep the following details:

  • Name, address and photocard number;
  • Phone number, email and date of birth if you provide them;
  • The origin, destination and start and end date of Season tickets you have purchased, along with any duplicate, replacement or refund of these; and
  • The method of payment used, but not any payment card details

How we use your personal data

We use this information for Contractual obligations, Customer Services and administration, customer research, marketing and fraud prevention.

We will only send you information about offers and promotions if you chose to receive it and you can change your marketing preferences at any time. We will not pass your personal information to any other organisation outside of our Group of Companies (and Successor franchise or Secretary of State for Transport) for marketing purposes without your prior consent.

Sharing data with third parties

If you have agreed to receive information for survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to.

Revenue protection and penalty fares

Personal details we hold

We may collect a range of personal detail during revenue protection activity. This may include name, address, proof of ID, journey details, payment details, personal descriptions and other information you provide to support an appeal. This data is processed by Penalty Services Limited.

How we use your personal data

We only use this information for the administration of the Penalty Fares scheme, collection of unpaid fares, fraud prevention and the prosecution of travel offences.

Sharing data with third parties

We may share your correspondence with:

  • British Transport Police under a data sharing agreement to prevent and detect crime
  • The Penalty Services Limited if you appeal a Penalty Notice issued to you
  • Passenger Focus if you have asked them to act on your behalf under a complaint handling procedure. Requests from ombudsmen are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL
  • We may also share information with other TOCs for fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL

Customer Service database

We collect your information and comments when you contact us by letter, email, web form, phone or social media.

Personal details we hold

We may hold your name, address, date of birth, email address, phone number, social media name, ticket details, photocard image, our correspondence with you, the compensation claims you have made and payment made by us, proof of journey or other supporting information you may provide.

To ensure that we carry have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record or monitor telephone calls, however you will always be told when this happens.

How we use your personal data

This information is used for administration of correspondence or processing claims you have made, such as Delay Repay, as well as for fraud prevention purposes. We also use it to respond to complaints.

Sharing data with third parties

We are required to provide details of your complaint to another TOC if it relates to their services instead of ours. We may share your correspondence with Passenger Focus or London Travel Watch or the Ombudsman, if you have asked them to act on your behalf under a complaint handling procedure.

We may also share information with other TOCs for fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL.

Station help and assistance information points

We collect your information and comments when you contact us by letter, email, web form, phone or social media.

Personal details we hold

We may hold your name, address, date of birth, email address, phone number, social media name, ticket details, photocard image, our correspondence with you, the compensation claims you have made and payment made by us, proof of journey or other supporting information you may provide.

To ensure that we carry have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record or monitor telephone calls, however you will always be told when this happens.

How we use your personal data

This information is used for administration of correspondence or processing claims you have made, such as Delay Repay, as well as for fraud prevention purposes. We also use it to respond to complaints.

Sharing data with third parties

We are required to provide details of your complaint to another TOC if it relates to their services instead of ours. We may share your correspondence with Passenger Focus or London Travel Watch or the Ombudsman, if you have asked them to act on your behalf under a complaint handling procedure.

We may also share information with other TOCs for fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL.

Where we store your personal information

The information that we collect from you will only be stored in the European Economic Area (“EEA”) or, where it is necessary to disclose it to our processors located outside the EEA, other jurisdictions which are acceptable according to guidance provided by the Information Commissioner and/or where appropriate legal and security safeguards are in place. Please contact the DPM if you wish to find out more about the safeguards.

Information security

We use a range of technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.

Your rights

Object to Direct Marketing

To prevent marketing to you, you have the right to ask us not to process your personal information for marketing purposes. We will usually inform you before collecting your information if we intend to use or disclose it for such purposes. If you do not want us to use your information for marketing purposes either:

  • Indicate this by NOT ticking the box to be sent marketing emails (or offers)
  • If you have an account with us, by logging in and changing your contact preferences
  • Click the unsubscribe link on direct marketing emails; or
  • Contact us

Ask for a copy of your personal data

You are entitled to request a copy of the personal information we hold about you.

Please contact [email protected]

We may need to ask for some further information, such as checking who you are, which will help us deal with your request more efficiently.

Please let us know in what format you wish to receive your information.

Sometimes we may hold information that we don’t have to provide, for example if it would prejudice a police investigation or if the disclosure would cause harm to another person whose personal data is inseparable from your data.

In most cases we provide the copy of your data to you for free. We have set out some information about when it might not be free or provided below.

Rectification/restrictions

If you believe the information we hold about you is inaccurate or incomplete you can contact us and ask us to correct it. You may also request any data processing we are carrying out on your data is halted whilst a request for rectification, objection or a dispute over the lawfulness of processing is being considered. We will provide a response confirming the action we have taken or disagree with taking.

Deletion

This is also known as the “Right to be forgotten”, you can request deletion or removal of personal information in some circumstances, such as where there is no compelling reason for its continued processing. We will also take reasonable steps to notify third parties of your instruction and request that they act upon it, in a similar manner.

Withdrawal of consent

If we relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. It does not affect the processing carried out beforehand. You can withdraw consent by emailing: [email protected]

Where you have consented to receive direct marketing communications, you can withdraw your agreement at any time by opting out through “My account,” or whilst booking online or unsubscribing via an email sent to you.

As above or where available updating your preference centre or clicking on the appropriate link in the communication.

We will act upon such an instruction as soon as possible.

Portability

Where you have provided us with personal data and the reasons we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information be provided to you or another data controller in a structured, commonly used and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely affects the rights of others.

Information about profiling and automated decision making

We target some of our marketing and service communications, so that they are more relevant to you, based on the type of ticket(s) you bought, your location/travel stations. We will try and ensure where possible the communications are compatible with the device you are using.

We use automated decision making to calculate the validity and value of Delay Repay claims made through our website. You will receive a notification of the outcome of your claim. At this stage you are able to request that your claim is manually reviewed by a member of the Delay Repay team. If you remain dissatisfied you can escalate to our Customer Services team.

How we deal with right requests

We are not able to charge you a fee for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can decide about what you wanted to do next.

There are various limitations and exemptions in relation to the exercise of rights in DPL - for example if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.

Complaints

The DPM role has been established in a manner to remain independent of business decisions. If you wish to lodge a complaint against: the business, please contact our DPM; or the DPM or DPO, please contact the ICO.

We also have a complaints policy. If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please us know. Our DPM are the first point of contact for dealing with Rights Requests and complaints and they are assisted by the Customer Services Team. If you are not satisfied with the way in which they have handled your complaint or rights request then you can contact the DPO.

If you are not satisfied with the response you can complain to the ICO. Their contact details are:

Head office
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF​

  • Tel: 03031 231 113 (local rate) or 01625 545 745 if you prefer to use a national rate number
  • Fax: 01625 524 510
  • Website: ico.org.uk/global/contact-us

How long we keep your data for

We’ll store your information for as long as we have to by law or regulatory requirement. If there’s no legal or regulatory requirement, we’ll only store it for as long as we need it. We’ll also keep some personal information for a reasonable period after your last contact with us – just in case you decide to use our services again. We, or one of our partners, may contact you about our services during this time if you haven’t opted out of receiving marketing communications from us.

We may also keep your personal data for the purposes of our legitimate interests in running our Group businesses, including anonymising or pseudonymising data for analysis.

Changes to this privacy policy

We may revise this Privacy Policy from time to time. The most current version of this policy will govern use of your information and will always be on this website. By continuing to access or use the Service after those changes become effective, you agree to be bound by the revised Privacy Policy.

This Policy was last updated on 18/08/19.

EU General Data Protection Regulation

For the purposes of the EU General Data Protection Regulation (GDPR), the data controller is:

East Midlands Railway, Prospect House, Derby, DE24 8HG.

Our Data Protection Manager (DPM) is:

Audit & Compliance Manager, East Midlands Railway, Prospect House, DE24 8HG

Our nominated Data Protection Officer (DPO) is:

Head of Audit & Governance, Abellio Group, The Culzean Building, 36 Renfield St, Glasgow, G2 1LU.

More information about the EU GDPR and all related and subordinate legislation as amended or re-enacted from time to time can be found on the Information Commissioners website.

The Information Commissioner is our regulator for data protection matters.