PRIVACY POLICY

PRIVACY POLICY

This site is owned and controlled by Govia Thameslink Railway Limited (GTR). The purpose of this site is to allow Passenger groups and other stakeholders to decide how funding should be allocated for providing benefits to customers. We will be using SurveyMonkey to do this which is an online survey development cloud-based software as a service company:

Govia Thameslink Railway Limited (GTR) is committed to protecting and respecting your privacy when you use our services. GTR includes four brands; Thameslink, Great Northern, Southern and Gatwick Express. This Privacy Policy explains:

  • What personal data we collect from you when you use this website
  • How we collect and use that information;
  • How we keep information secure; and
  • How you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint

The data controller is:
Govia Thameslink Railway Limited
Monument Place
24, Monument Street
London
EC3R 8AJ
Registered in England company no. 07934306

Our Data Protection Manager is:
Paul Staiano
1st Floor, Monument Place
24, Monument Street
London
EC3R 8AJ

Our nominated Data Protection Officer is:
John Sheehan
The Go-Ahead Group plc
4 Matthew Parker Street
Westminster
London
SW1H 9NP

More information about the Data Protection Act can be found on the Information Commissioners Website.
The Information Commissioner is our regulator for data protection matters.

1. Information we may collect from you

We will collect a contact email from you for the purposes of registration to this site and to enable us to contact you. This information will only be provided by you, we will not obtain your details from any third parties.

2. How we use your information

We will only use the information you provide as permitted by Data Protection Law.

We may use the contact information you provide to us to get in touch with you regarding suggestions for the Passenger Benefit Fund when we have a legitimate interest in doing so.

Where you have consented for us to do so we may also contact you to provide details of our services, information about travelling, customer service and details of promotions and offers which we feel may interest you when you.

3. Sharing or disclosing your information

We will only share or disclose your information as set out in this Policy or in accordance with Data Protection Law and will obtain your consent where we are required to do so.

For the purpose of this project we will share your data with third party ‘SurveyMonkey’ to process information as we are satisfied that they comply with these standards and can keep your data secure.

https://www.surveymonkey.co.uk/mp/legal/privacy-policy/?ut_source=footer

We may also share your data for the following reasons:

  • Where we share data across our Group Companies, this is only in accordance with a written data sharing agreement
  • To respond to your complaints or administer requests you have made, either to us or another regulatory body such as the Department for Transport; Passenger Focus; the Rail Ombudsman, or other train operating companies;
  • To comply with legal obligations for example, relating to crime and taxation purposes or regulatory activity;
  • To protect our legitimate business interests, for example, for fraud prevention or revenue protection;
  • Where required as a result of the sale, merger, or acquisition of business assets. As the Railway Industry is run on a system of franchises, we are required to transfer our customer data to a successor franchise, or the Secretary of State, this is so that they can take over and continue the running of the railway service. In respect of information provided to us for marketing purposes only, to the Department for Transport and/or any successor operator of the rail franchise in order that they may contact you for marketing purposes in the event that we cease to operate this rail franchise;

4. When we collect information

This section shows the information we collect when you use our website. Before providing us with your details, please read the following important information;

We will only use the information that we collect about you lawfully, in accordance with the Data Protection Law.

The details you provide about yourself and any other information which identifies you (‘Personal Information’) is held by us on this website (the “Site”) for operational purposes, for example for customer registration.

We gather general information about users, for example, what services users access the most and which areas of the site are most frequently visited. Such data is used in the aggregate to help us to understand how the site is used.

We gather this information so that we can continue to improve and develop our services to benefit our users. We may make this aggregated information available to users of the site and also to auditors. These statistics are anonymous and contain no personal information and cannot be used to gather such information.

When you register with us we ask for personal information such as your name, and email details. Once you register with us and accept our Terms & Conditions, you are not anonymous to us. We may use information that you provide to alert you to our own products and services. We may contact you regarding site changes or changes to the products or services that you use.

A cookie is a small piece of information that is sent to your browser when you access a website. Cookies contain information about your visits to that website and the purpose of cookies is to enable our websites to remember you, and your browsing habits, when you visit it again in the future.

With most Internet browsers you can configure your browser so that it refuses new cookies, prompts you to accept cookies or disables cookies altogether. Exactly how this is done is dependent on the browser you use. To find out more about the cookies we use please read our cookie policy.

In order to increase security we ask you to input a password when you register as a user of the site. Please keep this password secret.

5. Where we store your Personal Information

The information that we collect from you will only be stored in the European Economic Area.

6. Information Security

We use a range of technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.

7. Your rights

Object to direct marketing

To prevent marketing to you, you have the right to ask us not to process your personal information for marketing purposes. We will usually inform you before collecting your information if we intend to use or disclose it for such purposes. If you do not want us to use your information for marketing purposes either:

  • Indicate this by NOT ticking the box to be sent marketing emails (or offers)
  • If you have an account with us, by logging in and changing your contact preferences;
  • Click the unsubscribe link on direct marketing emails or
  • Or contact us

It is possible that you may receive a pre-scheduled communication whilst your request is being processed as this can take several days.

If you have any other objections to how we are using your personal data, please contact our Data Protection Manager.

Ask for a copy of your personal data

You are entitled to request a copy of the personal information we hold about you.

Please contact us at privacy@gtrailway.com

Please let us know if you want to receive the information electronically.

We aim to get the information to you without undue delay and within 30 days. If we have any trouble with this timeframe we will let you know within 30 days and explain what the problem is. Sometimes we may hold information that we don’t have to provide, for example it would prejudice a police investigation or contains someone else’s personal data.

In most cases we provide the copy of your data to you for free. We have set out some information about when it might not be free, or provided below.

Rectification / restriction

If you believe the information we hold about you is inaccurate or incomplete you can contact us and ask us to correct it. You may also request any data processing we are carrying out on your data is halted whilst a request for rectification or objection or a dispute over the lawfulness of processing is being considered.

We will provide a response confirming the action we have taken or disagree with taking within 30 days, or provide a response within 30 days if the matter is complex and a further time is needed.

Deletion – right to be forgotten

You can request deletion or removal of personal information in some circumstances, such as when there is no compelling reason for its continued processing.

We will provide a response to you without undue delay and within 30 days, confirming whether/what personal data we have deleted and/or explaining why we don’t agree that some data does not need to be deleted.

Withdrawal of consent

If we relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. It does not affect the processing carried out beforehand. You can withdraw consent by contacting Customer Relations, our Data Protection Manager or the Group Data Protection Officer. Where you have consented to receive direct marketing communications, you can withdraw your agreement at any time by updating your preference centre or clicking on the appropriate link in the communication or contacting us as above. We will comply with your request without undue delay and within 30 days.

Objection

You also have a right to request that no further processing takes place in relation to some grounds of processing, such as for direct marketing. We will respond to your request without undue delay and within 30 days, confirming the action we will or won’t take.

Portability

Where you have provided us with personal data and the reasons we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information be provided to you or another data controller in a structured, commonly used and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely the rights of others.

If we are able to provide your personal data in this way, we will do so in 30 days or we will let you know within 30 days if we require more time or there are any issues with carrying out the request.

If you have registered a key card then you will be able to access your journey information by logging on to your account.

Information about profiling and automated decision making

If you have signed up to receive marketing communications from us, we will use information such as the type of tickets you buy or the stations you use, to send communications which are more relevant to you. We will try and make the communications compatible with the device you are using.

How we deal with rights requests

We will try to deal with your request without undue delay and at least within 30 days. In exceptional circumstances, we may need to extend the time to respond fully, if the request is particularly complex or there are multiple requests. But we will let you know within 30 days.

We will not charge you a fee for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can make a decision about what you wanted to do next.

There are various limitations and exemptions in relation to the exercise of rights in data protection law – for example if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.

Complaints

If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please let us know. Our Data Protection Manager is the first point of contact for dealing with Rights Requests and complaints, and they are assisted by Customer Relations. If you are not satisfied with the way in which they have handled your complaint or rights request then you can contact the Group Data Protection Officer.

If you are not satisfied with their response you can complain to the ICO. Its contact details are:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

https://ico.org.uk/global/contact-us/

You also have the right to seek a judicial remedy, issue legal proceedings against us.

8. How long we keep your personal data for

We have policies and procedures in place to make sure we do not keep your personal data any longer than required to meet our legal and other obligations.

We may also keep your personal data for the purposes of our legitimate interests in running our Group businesses, including anonymising or pseudonymising data for analysis. Identifiable personal data is kept for a maximum of 4 years for marketing.

9. Changes to this Privacy Policy

We may occasionally update this statement – Last updated 22 April 2019