Privacy Policy

INTRODUCTION

Abellio East Anglia Limited “AEA” is committed to protecting and respecting your privacy when you use our services.

This Privacy Policy explains:

• What personal data we collect from you when you use our website, apps, visit our stations, contact us, use our services, or WiFi;
• How we will collect and use that information;
• How we keep information secure; and
• How you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint.

CONTENTS

• Information we may collect from you
• How we use your information
• Sharing or disclosure of your information
• Types of information we collect
• Website visits and purchases
• Ticket office purchases
• Revenue Protection and Penalty Fares
• Customer Relations database
• Station Help and Assistance Information Points
• Station and Train WiFi
• Personal data to aid recruitment for jobs in AEA
• Where we store your personal information
• Information Security
• Your rights

For the purposes of the General Data Protection Regulation Act 2018, the data controller is:

Abellio East Anglia Limited
11th Floor
One Stratford Place
Montfitchet Road
London
E20 1 EJ


Our Data Protection Manager contact details (DPM) are: 

Email: [email protected]

Address: 

The Hub
Finance Department
Colchester North Station
North Station Road
Colchester
CO1 1JS


Our nominated Group Data Protection Officer (DPO) is:

Data Protection Manager
Abellio UK HQ
36 Renfield St
5th Floor, The Culzean Building
Glasgow
G2 1LU
Email: [email protected]

More information about the General Data Protection Regulation and all related and subordinate legislation as amended or re-enacted from time to time can be found on the Information Commissioners website.

The Information Commissioner is our regulator for data protection matters.

INFORMATION WE MAY COLLECT FROM YOU

We may collect and process information about you when you:

• buy tickets;
• travel on our services;
• visit our stations or car parks;
• use our website, apps or Wi-Fi;
• buy a product from us or make a sales enquiry;
• contact customer relations;
• enter a competition; or
• sign up to receive updates or marketing.
• An accident or injury occurs at our stations or on our trains.
• Apply for a job/vacancy at AEA.

We collect information such as your contact details, ticket purchases, stations visited (for example for charging the correct fares on smart cards), payment and refund details. We may require additional details for some services, such as your age for age restricted tickets. This information is generally provided by you.

Sometimes we obtain details from third parties, for example if our Group structure changes or for legitimate business reasons.

HOW WE USE YOUR INFORMATION

We will only use the information you provide as permitted by Data Protection Law (DPL). Our reason(s) for using your data will vary depending on: how you contact us, use our services, the consent you have given, our legitimate interests, or legal obligations we may have. Reasons for use of your data include:

• To provide you with the service - things like carrying out our obligations arising from any contracts - selling tickets, making and taking payments. We mostly rely on the legal ground of contractual performance to process your data, but sometimes the data is also used for our legitimate interests of customer service, health and safety, improving our services and other legal obligations, like providing information to our regulators
• To provide you with details of our services, information about travelling and customer service - this is based on our legitimate interests, to run train and associated services. Sometimes it is part of our contract or our other legal obligations
• To provide you with details of promotions and offers which we feel may interest you; this is based on our legitimate interests to try and sell more train tickets when you have given consent for us to contact you and you have an absolute right to ask us to stop sending marketing emails/SMS
• To run our services and improve them - we believe in investing in our railway services, not just to benefit passengers but also the wider community, environment, and economy. There are lots of activities we do to achieve this, some are administrative and we also do things like monitoring passenger numbers, and popular stations, improving technology to help plan journeys - make money, run our services safely and be a good employer - we call these our legitimate interests. Some of these are also covered in our legal obligations, not just to customers, but under Franchise Contracts, the Department for Transport or Regulators. Some data is also shared to run interoperable services – in the Rail Industry this is overseen by the Rail Delivery Group - this is how you are able to use a ticket on a train and tube for example, or use a rail Discount card.
• For your safety and security.
• For fraud and crime prevention.
• To enhance your experience of our website, as described in our cookie policy.
• To run competitions

We are part of a Group of Companies and share administrative services and support. Your data may therefore be shared with other Group companies where appropriate. We are also required to pass certain customer data to successor franchisees, Secretary of State or Department for Transport.

Our Legitimate Interests

Running our business and Group businesses, in a safe and socially and environmentally responsible manner, efficiently, to provide sustainable and high quality, locally focused passenger transport services, improve and expand our services, be a leading employer in the transport sector, investing in and developing our staff, operating with financial discipline and reducing crime and fraud to provide shareholder value, provide and improve customer services.

SHARING OR DISCLOSURE OF YOUR INFORMATION

We will only share or disclose your information as set out in this Policy or in accordance with DPL and will obtain your consent where we are required to do so. We will only use third parties to process information where we are satisfied that they comply with these standards and can keep your data secure.

Due to the nature of the services we provide, we process a large range of data, in a manner of ways, across a number of solutions. Accordingly, it was deemed impractical to set out the details of all the third parties that we may share your data with below. You can find out more about the information we collect and how we use, share or disclose it below or by contacting us at [email protected] We may share or disclose information for the following reasons:

• We use data processors to provide or assist with some of our services, for example, the processing of bookings. Where we do so, they must agree to strict contractual terms and to keep your data secure;
• Where we share data across our Group Companies, this is only in accordance with a written data sharing agreement;
• To operate interoperable services - this includes use of some shared systems and processors, by the rail industry generally and overseen by the Rail Delivery Group;
• To respond to your complaints or administer requests you have made, either to us or another regulatory body such as the Department for Transport; Passenger Focus, London Travelwatch, the Rail Complaints Ombudsman or other Train Operating Companies (TOCs);
• To process payment card transactions;
• To comply with requests from the British Transport Police under an Information Sharing Protocol, ensuring that any disclosure is lawful;
• To comply with the police or other law enforcement agencies for the purposes of crime prevention or detection, these are dealt with on a case-by-case basis, under a specific Information Sharing Protocol, to ensure that any disclosure is lawful;
• To comply with other legal obligations for example, relating to crime and taxation purposes or regulatory activity;
• To protect our legitimate business interests, as outlined above;
• Where required because of the sale, merger, or acquisition of business assets. As the Railway Industry is run on a system of franchises, we are required to transfer our customer data to a successor franchise, or the Secretary of State, this is so that they can take over and continue the running of the railway service;
• In respect of information provided to us for marketing purposes only (including freely given consent), to the Department for Transport and/or any successor operator of the rail franchise in order that they may contact you for marketing purposes in the event that we cease to operate this rail franchise;
• If you have agreed (via freely given consent) to receive information for competition, promotion, survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to in the terms and conditions of the purpose; and
• Where you have consented, to share with other members of the Abellio Group UK (“Abellio”), of which we are a member, where Abellio has any services, promotions and offers which we feel may interest you. Details of other members of Abellio can be found here.

WEBSITE VISITS AND PURCHASES

This section shows the information we collect when you use our website. Before providing us with your details, please read the following important information regarding:

• Collection of visitor information;
• Hyperlinks;
• Cookies; and
• Session Cookies.
• Other storage technologies

Collection of visitor information

We will only use the information that we collect about you lawfully, in accordance with the DPL.

The details you provide about yourself and any other information which identifies you (‘Personal Information’) is held by AEA on this website (the "Site") for operational purposes, for example member registration or processing payments. We may also use your Personal Information to personalise your experience on the Site by informing you of new products or services that we may think are of interest to you.

AEA gathers general information about users, for example, what services users access the most and which areas of the AEA site are most frequently visited. Such data is used in the aggregate to help us to understand how the AEA site is used. We gather this information so that we can continue to improve and develop our services to the benefit of our users. We may make this aggregated information available to users of the AEA site and to auditors. These statistics are anonymous and contain no personal information and cannot be used to gather such information.

When you register with AEA, set up a travel alert, enter a competition, or buy a ticket, we ask for personal information such as your name, contact details, and other details. Once you register with AEA and accept our Terms & Conditions, you are not anonymous to us. We may use information that you provide to alert you to our own products and services. We may contact you regarding site changes or changes to the AEA products or services that you use.

If you buy a ticket online with AEA, we will record your personal details and send you a confirmation email. Your personal data will be used principally to communicate with you with reference to your request.

You may opt-in to receive newsletters, exclusive discounts, special offers and other marketing emails from AEA. You may unsubscribe at any time by clicking the unsubscribe button at the bottom of the email. Please note changes to your subscription preferences can take up to 14 days to take effect.

Alternatively write to our Customer Relations Team:

Customer Relations:

FREEPOST RSCZ-UXZJ-EHHE 
Greater Anglia Contact Centre
Norwich Railway Station
Station Approach
Norwich
NR1 1EF.

Hyperlinks

We may provide hyperlinks from the site to third party websites. No liability is accepted for the contents of any site operated by a third party which may be accessed via links from the site. These links are provided for your convenience only and do not imply that AEA approves or recommends the content of such sites. We encourage our users to be aware when they leave our site to read the privacy statements of each and every website that collects personal data. This Privacy Policy applies solely to information collected by AEA

Cookies

Our website uses cookies to help us to provide you with a good experience when you browse our website and also allows us to improve our website.

So what is a cookie?

A "cookie" is a small text file that is placed on your equipment when you visit a website (equipment like computer, phone, and tablet).

There are several types of cookies:

Functional cookies

The functional or session cookies are used to provide services or to store your preferred settings. For example for:

• remembering the products you purchase during online shopping;
• memorizing and passing on the information that you enter during the log-in process or that you leave behind on the various web pages during the ordering process, so that you do not have to enter the same data every time;
• saving your preferences;
• detecting abuse of our websites.

Analytical cookies

These cookies are used to analyze your visit to our websites. For example, we analyze the number of visitors visiting our websites, the duration of the visits, the order of the pages visited and whether the pages of a website need to be adjusted. With the help of the collected information we can organize our websites more user-friendly. Furthermore, these cookies are used to solve possible technical problems on the websites.

Marketing and tracking cookies

Only if you have given us permission in advance will we use tracking cookies for commercial purposes. These cookies, often placed by third parties, help us to be able to offer you personalized offers. Third parties can follow your internet behavior with tracking cookies.

Other techniques

In addition to cookies, AEA also uses Javascripts and web beacons. By using Javascript in your browser we can make our sites interactive and develop applications for the web. A web beacon is a small graphic image on our sites. By means of this image, we can, for example, determine how many visitors saw the page at which times. These techniques can also be used for marketing and tracking purposes.

Cookies from external parties

Some of the cookies are placed with the consent of AEA by third parties with the aim to bring certain products and services to your attention or to give you direct access to social media. For the cookies that these external parties place, the information they collect with them and the purpose for which that information is used, we refer to the privacy statements of these parties on their own websites. These statements can change regularly and AEA has no control whatsoever.

Would you like to know more about cookies? Go to https://www.allaboutcookies.org/

Access to our database containing personal information on registered users of the site is restricted. In order to increase security we ask you to input a password when you register as a user of the site. Please keep this password secret. In addition, we encrypt your financial information using SSL (Secure Sockets Layer) technology so that no one else can access your credit card details as they travel through the Internet. SSL is certified by Verisign and is recognised as a secure way to pay on-line. As you may be aware, no data transmission over the Internet can be entirely secure. As a result, while we will always use reasonable endeavours to protect the personal information you provide to us, we cannot guarantee the security of your information and the use of our facilities (e.g. e-mail) is at your own risk. If you have any questions about paying for your ticket through the Site, please contact Customer Relations.

Advertising

Our website is supported by advertising.

Advertising cookies, often placed by third parties, are used to track visitors across different websites. This helps us offer relevant and engaging advertisements during your visit to our website. Our advertising technology is provided by Google and you can choose to opt-out of interest based advertising using Google’s Ads Settings (https://www.google.com/settings/u/0/ads/authenticated). You can also control interest based advertising and learn more by visiting Your Online Choices (https://www.youronlinechoices.com/uk/your-ad-choices) and About Ads (http://optout.aboutads.info). 

Customer data is also collected and shared as hashed data in a privacy-friendly way with third-parties (such as Google). This sharing is to measure the performance of advertisements issued by our company.

 

TICKET OFFICE PURCHASES – SEASON TICKET RECORDS

Personal details we hold

When you buy a season ticket valid for one month or more, we keep a record of this on a database. We keep the following details:

• Name, address and photo card number;
• Phone number, email and date of birth if you provide them;
• The origin, destination and start and end date of season tickets you have purchased, along with any duplicate, replacement or refund of these; and
• The method of payment used, but not any payment card details.

How we use your personal data

We use this information for Contractual obligations, Customer Relations and administration, customer research, marketing and fraud prevention.

We will only send you information about offers and promotions if you chose to receive it and you can change your marketing preferences at any time. We will not pass your personal information to any other organisation outside of our Group of Companies (and Successor franchise or Secretary of State for Transport) for marketing purposes without your prior consent.

Why we retain your information

We retain your information to allow us to contact you i.e. season ticket is lost and to aid the renewal process once the season ticket is close to expiring.

Length of time records are kept

Records are kept for kept for the duration of the franchise.

Sharing data with third parties

If you have agreed to receive information for survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to.

REVENUE PROTECTION AND PENALTY FARES

Personal details we hold

We may collect a range of personal detail during revenue protection activity. This may include name, address, proof of ID, journey details, payment details, personal descriptions and other information you provide to support an appeal. This data is processed by AEA and held in archive by ITEL (3rd Party).

How we use your personal data

We only use this information for the administration of the Penalty Fares scheme, collection of unpaid fares, fraud prevention and the prosecution of travel offences.

Why we retain your information

We retain your information to undertake analysis to identify any patterns in the data and to minimise future fraudulent activities.

Length of time records are kept

Records are kept for a maximum of 12 months.

Sharing data with third parties

We may share your correspondence with:

• British Transport Police under a data sharing agreement to prevent and detect crime.
• The ITEL if you appeal a Penalty Notice issued to you.
• Passenger Focus if you have asked them to act on your behalf under a complaint handling procedure. Requests from ombudsmen are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL.
• We may also share information with other TOCs for fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL.

Collection of data at station gate lines

AEA may collect data from customers at station gate lines. The data collected is the ticket number of the ticket presented and will then be matched against the season ticket database.

The data is collected to counter fraudulent behaviour from customers with regard to ticketless travel.

CUSTOMER RELATIONS DATABASE

We collect your information and comments when you contact us by letter, email, web form, phone or social media.

Personal details we hold

We may hold your name, address, date of birth, email address, phone number, social media name, ticket details, photocard image, our correspondence with you, the compensation claims you have made and payment made by us, proof of journey or other supporting information you may provide.

To ensure that we carry have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record or monitor telephone calls, however you will always be told when this happens.

How we use your personal data

This information is used for administration of correspondence or processing claims you have made, such as delay repay as well as for fraud prevention purposes. We also use it to respond to complaints.

Why we retain your information

We retain your information to ensure that all claims are processed properly, to undertake analysis in order to minimise potential fraud and identify themes and patterns in the data.

Length of time records are kept

Records are kept for the length of the franchise in a restricted access site to allow analysis and identify themes and patterns.

Sharing data with third parties

We are required to provide details of your complaint to another TOC if it relates to their services instead of ours. We may share your correspondence with Passenger Focus or London Travel Watch or the Ombudsman, if you have asked them to act on your behalf under a complaint handling procedure.

We may also share information with other TOCs for the purpose of fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL.

STATION HELP AND ASSISTANCE INFORMATION POINTS

On our stations, we maintain Customer Help and Assistance Points. Depending on the service requested these are linked directly to our Control Centre or to National Rail Enquiries.

Calls for Information or Assistance made to National Rail Enquiries are recorded and monitored, but no advance notice is given as this could result in a delay in the providing assistance.

STATION & TRAIN WIFI

When using our station or train WiFi service we collect device MAC addresses, timestamps and accounting which is stored for a limited amount of time in order to authenticate devices to the WiFi service. This data will be retained for a period of 14 days after such time it will be deleted.

CHILDREN’S DATA

We do not routinely process children’s data, however in the rare instances that we do we may be required to gain consent from a parent or guardian to process the child’s data.

Where we chose to rely on consent as the legal basis for processing children’s personal data, consent may be required from a person holding ‘parental responsibility’ (note that under the GDPR the UK could chose to implement a lower age boundary than 16 in defining a “child” in law, as long as it is not below 13).

The children’s consent must be freely given, specific, informed and unambiguous.

The AEA business sells scholar tickets (discounted season tickets) to allow children to travel to certain schools. The details taken are the child’s name, school (to ensure that school is within the AEA network) and photocard number. The payment and invoice address details are provided by the parents when the ticket is ordered.

PARKING - National Car Parks “NCP”

NCP in conjunction with AEA operate car parks at AEA stations. Season ticket passes are available to customers and employees of AEA, in such cases the customer/employee will need to supply their name, address and car registration numbers to ensure that they are not charged for using the car park.

RECRUITMENT

For the purpose of gaining employment your data will be processed by Greater Anglia for but not limited to assessments, interviews, medical and reference checks.

The data is retained on the following basis: Unsuccessful candidates – 6 months

Successful candidates – 6 years after leaving employment

SAFETY FORMS & CLAIMS

AEA process safety forms and potential claims were a customer or employee has had an accident/or reported accident whilst at a station or travelling on our trains. The data taken is the name, address and data of birth of the customer or employee concerned. For customers this data will be sent to our third party claims handler and is collected in order to manage the claim and will be held for three years and six months after the claim is resolved. For employees the data will be held indefinitely in order to manage any future claims that the employee could raise at a later date.

WHERE WE STORE YOUR PERSONAL INFORMATION

The information that we collect from you will only be stored in the European Economic Area (“EEA”) or, where it is necessary to disclose it to our processors located outside the EEA, other jurisdictions which are acceptable according to guidance provided by the Information Commissioner and/or where appropriate legal and security safeguards are in place. Please contact the Data Protection Manger (see page 2) if you wish to find out more about the safeguards.

INFORMATION SECURITY

We use a range of appropriate technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.

YOUR RIGHTS

Under certain circumstances, you have rights under data protection laws in relation to your personal data. If you wish to exercise any of the rights set out below, please contact us using the details below. A summary of the rights you have is set out below:

• be informed about the processing of your personal data (i.e. for what purposes, what types, to what recipients it is disclosed, storage periods,
• request access to or a copy of any personal data we hold about you;
• request the rectification of your personal data, if you consider that it is inaccurate;
• request the erasure of your personal data, you may have the right in some circumstances to ask for some of your personal data to be deleted, for example when there is no longer a valid reason to process it. This is not an absolute right to have any personal data deleted that you wish.
• object to your personal data being processed for a particular purpose or to request that we stop using your data;
• request not to be subject to a decision based on automated processing and to have safeguards put in place if you are being profiled based on your personal data;
• ask us to transfer a copy of your personal data to you or to another service provider or third party where technically feasible.

If you would like to exercise any of these rights, please contact [email protected]

Object to direct marketing

To prevent marketing to you, you have the right to ask us not to process your personal information for marketing purposes. We will usually inform you before collecting your information if we intend to use or disclose it for such purposes. If you do not want us to use your information for marketing purposes either:

• if you have an account with us, by logging in and changing your contact preferences; 
• click the unsubscribe link on direct marketing emails; or 
• contact us. 

Complaints

If you wish to lodge a complaint about how we process your information, please contact: 

• our Data Protection Officer; or 
• the ICO Head office: 

Information Commissioner's Office 

Wycliffe House 

Water Lane 

Wilmslow 

Cheshire 

SK9 5AF 

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number 

Fax: 01625 524 510 

HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?

We’ll store your information for as long as we have to by law or regulatory requirement. If there’s no legal or regulatory requirement, we’ll only store it for as long as we need it. We’ll also keep some personal information for a reasonable period after your last contact with us – just in case you decide to use our services again. We, or one of our partners, may contact you about our services during this time if you haven’t opted out of receiving marketing communications from us.

We may also keep your personal data for the purposes of our legitimate interests in running our Group businesses, including anonymising or pseudonymising data for analysis.

CHANGES TO THIS PRIVACY POLICY

We may revise this Privacy Policy from time to time. The most current version of this policy will govern use of your information and will always be on our website. By continuing to access or use the Service after those changes become effective, you agree to be bound by the revised Privacy Policy.

This Policy was last updated on September 2023