More information about the Data Protection Act can be found on the Information Commissioner's website: ico.org.uk.
The Information Commissioner is our regulator for data protection matters.
How and why we use personal data;
How long we keep and how we keep personal data secure; and
How you can contact us if you wish to exercise any of your rights in relation to your personal data or make a complaint.
How and why we use Personal Data
The Go-Ahead Group plc (“we”, “us” and “our”) is the parent company to a number of train and bus public transport operations in the UK and overseas (collectively, the “Group” and each member of the Group, an “Operating Company”) and provides shared information technology and administrative services to them (the “support services”).
In order to perform the support services, we handle personal data, which have been collected by a member of the Group, on behalf of the Group. Data protection law categorises organisations that deal with personal data into two types: controllers and processors.
Controllers choose how and why data are collected and used whereas processors are involved in processing such data on behalf of the controller. The Operating Company, which collected the personal data, remains the controller of the personal data. We are generally the data processor.
In limited circumstances, we and the Operating Company may be “joint controllers” of these personal data. Where two or more controllers determine the processes and means of processing of those personal data, they are known as joint controllers and the sections below set out your legal rights and how and why the personal data are used by us when we act as data controller.
We also receive personal data where people contact us directly and when we respond to enquiries or provide information about the Group.
Sharing or disclosure of your information
where we use data processors to provide or assist with some of our support services;
to comply with other legal obligations (for example, relating to crime and taxation purposes or regulatory activity);
to protect our legitimate business interests, and exercise our legal rights, for example, for fraud prevention or revenue protection; and
where required as a result of the sale, merger, or acquisition of business assets.
How long we keep and how we keep your personal data secure
We generally retain personal data for around six months after the legal limitation periods in which claims can be brought or industry-recommended periods. We would also retain information if we are under a legal or regulatory requirement to do so.
We may also keep your personal data for the purposes of protecting our legitimate interests in running our businesses, including anonymising or pseudonymising data for analysis.
Identifiable data are kept for a maximum of four years for marketing purposes.
Whilst we hold personal data, we use a range of technical and organisational measures to safeguard access to, and use of, your personal data. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practicable.
Where We Store Your Personal Information
The information we collect from you will be stored in the UK or European Economic Area (“EEA”) or, where it is necessary to disclose it to our processors located outside the EEA, only to those jurisdictions which are acceptable according to guidance provided by the Information Commissioner and/or where appropriate legal and security safeguards are in place. Please contact the Group Data Protection Officer if you wish to find out more about the safeguards.
You have the following rights in relation to your personal data:
Object to direct marketing
To prevent marketing to you, you have the right to ask us not to process your personal information for marketing purposes. If you do not want us to use your information for marketing purposes either:
do NOT tick the box asking for you to consent to the sending of marketing emails (or offers);
click the unsubscribe link on direct marketing emails; or
It is possible that, having opted out of marketing, you may, for a short period, receive communications which were scheduled prior to your change of preference whilst your request is being processed. Processing your change can take several days.
If you have any other objections to how we are using your personal data, please contact our Group Data Protection Officer.
Ask for a copy of your personal data
You are entitled to request a copy of the personal data we hold about you and certain information about the processing we are carrying out.
Please contact the Group Data Protection Officer.
We may need to ask for some further information, such as checking who you are, to enable us to provide to you the copy of your personal data and the processing we carry out.
Please also let us know if you want to receive the information electronically.
We aim to provide the information to you without undue delay and within 30 days. If we have any trouble with this timeframe, we will let you know within the said 30-day period and explain what the problem is. Sometimes, we may hold personal data which we don’t have to provide. For example, it may be withheld if disclosure would prejudice a police investigation or contains someone else’s personal data.
In most cases, we provide the copy of your personal data to you for free. However, there may be instances where we may charge you a small fee and we have set out some information below under the heading “How we deal with your rights” as to how and why such fees may arise.
Rectification / restriction
If you believe the personal data we hold about you are inaccurate or incomplete, you can contact us and ask us to correct them. You may also request that any data processing we are carrying out on your personal data be halted whilst a request for rectification or objection or a dispute over the lawfulness of processing is being considered.
We will provide a response confirming the action we have taken, or stating that we disagree that action is required (and we will explain why), within 30 days, or provide a response within the said 30-day period if the matter is complex and further time is needed.
This is also known as the “right to be forgotten”. This allows you to request the deletion or the removal of your personal data in certain circumstances such as where there is no compelling reason for its continued processing.
We will provide a response to you within 30 days, confirming whether/what personal data we have deleted and/or explaining why we don’t agree that some data need to be deleted.
Withdrawal of consent
If we relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. It does not affect the processing carried out beforehand. You can either withdraw consent by contacting the Group Data Protection Officer or, where you have consented to receive direct marketing communications, by updating your preference centre or clicking on the appropriate link in the communication.
We will comply with your request within 30 days.
You also have a right to request that no further processing of your personal data takes place in relation to some grounds of processing, for example in relation to direct marketing or where we rely on our legitimate interests to process your personal data. We must stop using your personal data for direct marketing if you object to it, whereas we may refuse your objection if we rely on legitimate interests and consider that our legitimate interests outweigh your rights or freedoms.
We will respond to your request within 30 days, confirming the action we will or won’t take.
Where you have provided personal data to us and the reasons we are processing such data are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information to be provided to you or another data controller in a structured, commonly used and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely affects the rights of others.
If we are able to provide your personal data in this way, we will do so in 30 days or we will let you know within the said 30-day period if we require more time or there are any issues with carrying out the request.
Information about profiling and automated decision making
We target some of our marketing and service communications so that they are more relevant to you, based on the type of ticket(s) you bought and your location / travel stations. We will try and make sure the communications are compatible with the device you are using.
How we deal with rights requests
We will try to deal with your request within 30 days. In exceptional circumstances, we may need to extend the time to respond fully, if the request is particularly complex or there are multiple requests. However, we will let you know within the said 30-day period if we do need further time.
We will not charge you a fee for dealing with rights requests unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously.
We would always let you know if we are going to charge you a fee or refuse to deal with your request, so that you can make a decision about what you want to do next (such as making a complaint (see below)).
There are various limitations and exemptions in relation to the exercise of your rights in data protection law. For example, the refusal of your request may arise if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.
If we don’t respond within 30 days of your request, or you are not happy with our response, you can lodge a complaint with the Information Commissioner's Office or issue legal proceedings against us. The contact details for the Information Commissioner's Office are as follows:
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Fax: 01625 524 510
If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please let us know. If you are not satisfied with the way in which they have handled your complaint or rights request then you can contact the Group Data Protection Officer.
You also have the right to seek a judicial remedy through the issuing of legal proceedings against us.
We may occasionally update this statement and updated versions will be published on our website.