Abellio East Anglia Limited “AEA” is committed to protecting and respecting your privacy when you use our services.
For the purposes of the General Data Protection Regulation Act 2017, the data controller is:
Abellio East Anglia Limited
11th Floor One Stratford Place
Our Data Protection Manager (DPM) is:
Contact details are:
Colchester North Station North
Station Road Colchester
Our nominated Group Data Protection Officer (DPO) is:
Abellio UK HQ
36 Renfield St
5th Floor, The Culzean Building
More information about the General Data Protection Regulation and all related and subordinate legislation as amended or re-enacted from time to time can be found on the Information Commissioners website.
The Information Commissioner is our regulator for data protection matters.
We may collect and process information about you when you:
We collect information such as your contact details, ticket purchases, stations visited (for example for charging the correct fares on smart cards), payment and refund details. We may require additional details for some services, such as your age for age restricted tickets. This information is generally provided by you.
Sometimes we obtain details from third parties, for example if our Group structure changes or for legitimate business reasons.
We will only use the information you provide as permitted by Data Protection Law (DPL). Our reason(s) for using your data will vary depending on: how you contact us, use our services, the consent you have given, our legitimate interests, or legal obligations we may have. Reasons for use of your data include:
We are part of a Group of Companies and share administrative services and support. Your data may therefore be shared with other Group companies where appropriate. We are also required to pass certain customer data to successor franchisees, Secretary of State or Department for Transport.
Running our business and Group businesses, in a safe and socially and environmentally responsible manner, efficiently, to provide sustainable and high quality, locally focused passenger transport services, improve and expand our services, be a leading employer in the transport sector, investing in and developing our staff, operating with financial discipline and reducing crime and fraud to provide shareholder value, provide and improve customer services.
We will only share or disclose your information as set out in this Policy or in accordance with DPL and will obtain your consent where we are required to do so. We will only use third parties to process information where we are satisfied that they comply with these standards and can keep your data secure.
Due to the nature of the services we provide, we process a large range of data, in a manner of ways, across a number of solutions. Accordingly, it was deemed impractical to set out the details of all the third parties that we may share your data with below. You can find out more about the information we collect and how we use, share or disclose it below or by contacting us at GDPR@greateranglia.co.uk We may share or disclose information for the following reasons:
Our CCTV is used to capture, record and monitor images of what takes place at our stations and car parks and on our trains, in real time. In limited circumstances, we use body worn cameras which make audio visual recordings.
Depending on the type of camera, images are recorded on video tape (analogue) or as digital information. Cameras can be fixed or set to scan an area. In some circumstances, they can be operated remotely by controllers.
We operate CCTV for the following purposes:
We operate cameras at the stations and car parks we manage and on some of the trains that we run.
We operate cameras at some of the stations and car parks across our network, for a full list of stations and car parks and operators please visit the Greater Anglia website.
Network Rail and other TOCs operate the cameras at some stations that our services stop at. These are shown below:
We operate CCTV on some of the trains that we run.
CCTV footage at stations and on train is generally held for a maximum of 12 months from the time of recording.
Recordings from body worn cameras are generally held for 28 days, unless required for legitimate business reasons.
You can request copies of images or footage of yourself by making a Subject Access Request to GDPR@greateranglia.co.uk
At our discretion, we may disclose CCTV/personal data in response to valid requests from the police and other statutory law enforcement agencies.
Before we authorise any disclosure, the police have to demonstrate that the CCTV/personal data is necessary to assist them in the prevention or detection of a specific crime, or in the apprehension or prosecution of an offender.
Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the DPL.
Some of our CCTV infrastructure is shared with the British Transport Police, Local Authorities, Network Rail, and Car Park operators under formal data sharing agreement.
In certain agreed circumstances, they may take control of a limited number of cameras and use them for activities such as the prevention and detection of crime and anti-social behaviour, policing major events and crowd control. AEA is not responsible for the CCTV when it is in the control of a third party.
We may also disclose personal data to third parties, if required to by law or it is necessary for a legitimate purpose such as defending or bringing legal action. DPL allows us to do this where the request is supported by:
Legitimate interest would include requests such as defending or making a legal claim, such as to insurers following a vehicle collision in a carpark. When we are not required to provide CCTV, we will take into account the circumstances and any potential harm to individuals, we may also charge a fee and seek indemnity for any use beyond which it is requested.
AEA operates its CCTV systems in compliance with the CCTV Code of Practice issued by the Information Commissioner’s Office (ICO) in 2017. The Code describes best practice standards which should be followed by organisations operating devices which view or record images of individuals. It also covers other information derived from those images that relates to individuals (for example vehicle registration marks).
This section shows the information we collect when you use our website. Before providing us with your details, please read the following important information regarding:
We will only use the information that we collect about you lawfully, in accordance with the DPL.
The details you provide about yourself and any other information which identifies you (‘Personal Information’) is held by AEA on this website (the "Site") for operational purposes, for example member registration or processing payments. We may also use your Personal Information to personalise your experience on the Site by informing you of new products or services that we may think are of interest to you.
AEA gathers general information about users, for example, what services users access the most and which areas of the AEA site are most frequently visited. Such data is used in the aggregate to help us to understand how the AEA site is used. We gather this information so that we can continue to improve and develop our services to the benefit of our users. We may make this aggregated information available to users of the AEA site and to auditors. These statistics are anonymous and contain no personal information and cannot be used to gather such information.
When you register with AEA, set up a travel alert, enter a competition, or buy a ticket, we ask for personal information such as your name, contact details, and other details. Once you register with AEA and accept our Terms & Conditions, you are not anonymous to us. We may use information that you provide to alert you to our own products and services. We may contact you regarding site changes or changes to the AEA products or services that you use.
If you buy a ticket online with AEA, we will record your personal details and send you a confirmation email. Your personal data will be used principally to communicate with you with reference to your request.
You may opt-in to receive newsletters, exclusive discounts, special offers and other marketing emails from AEA. You may unsubscribe at any time by clicking the unsubscribe button at the bottom of the email. Please note changes to your subscription preferences can take up to 14 days to take effect.
Alternatively write to our Customer Relations Team:
Greater Anglia Contact Centre
Norwich Railway Station
A "cookie" is a small text file that is placed on your equipment when you visit a website (equipment like computer, phone, and tablet).
There are several types of cookies:
The functional or session cookies are used to provide services or to store your preferred settings. For example for:
These cookies are used to analyze your visit to our websites. For example, we analyze the number of visitors visiting our websites, the duration of the visits, the order of the pages visited and whether the pages of a website need to be adjusted. With the help of the collected information we can organize our websites more user-friendly. Furthermore, these cookies are used to solve possible technical problems on the websites.
Only if you have given us permission in advance will we use tracking cookies for commercial purposes. These cookies, often placed by third parties, help us to be able to offer you personalized offers. Third parties can follow your internet behavior with tracking cookies.
Some of the cookies are placed with the consent of AEA by third parties with the aim to bring certain products and services to your attention or to give you direct access to social media. For the cookies that these external parties place, the information they collect with them and the purpose for which that information is used, we refer to the privacy statements of these parties on their own websites. These statements can change regularly and AEA has no control whatsoever.
Would you like to know more about cookies? Go to http://www.allaboutcookies.org/
Access to our database containing personal information on registered users of the site is restricted. In order to increase security we ask you to input a password when you register as a user of the site. Please keep this password secret. In addition, we encrypt your financial information using SSL (Secure Sockets Layer) technology so that no one else can access your credit card details as they travel through the Internet. SSL is certified by Verisign and is recognised as a secure way to pay on-line. As you may be aware, no data transmission over the Internet can be entirely secure. As a result, while we will always use reasonable endeavours to protect the personal information you provide to us, we cannot guarantee the security of your information and the use of our facilities (e.g. e-mail) is at your own risk. If you have any questions about paying for your ticket through the Site, please contact Customer Relations.
Our website is supported by advertising. Advertising cookies, often placed by third parties, are used to track visitors across different websites. This helps us offer relevant and engaging advertisements during your visit to our website. Our advertising technology is provided by Google and you can choose to opt-out of interest based advertising using Google’s Ads Settings (https://www.google.com/settings/u/0/ads/authenticated). You can also control interest based advertising and learn more by visiting Your Online Choices (http://www.youronlinechoices.com/uk/your-ad-choices) and About Ads (http://optout.aboutads.info).
When you buy a season ticket valid for one month or more, we keep a record of this on a database. We keep the following details:
We use this information for Contractual obligations, Customer Relations and administration, customer research, marketing and fraud prevention.
We will only send you information about offers and promotions if you chose to receive it and you can change your marketing preferences at any time. We will not pass your personal information to any other organisation outside of our Group of Companies (and Successor franchise or Secretary of State for Transport) for marketing purposes without your prior consent.
We retain your information to allow us to contact you i.e. season ticket is lost and to aid the renewal process once the season ticket is close to expiring.
Records are kept for kept for the duration of the franchise.
If you have agreed to receive information for survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to.
We may collect a range of personal detail during revenue protection activity. This may include name, address, proof of ID, journey details, payment details, personal descriptions and other information you provide to support an appeal. This data is processed by AEA and held in archive by ITEL (3rd Party).
We only use this information for the administration of the Penalty Fares scheme, collection of unpaid fares, fraud prevention and the prosecution of travel offences.
We retain your information to undertake analysis to identify any patterns in the data and to minimise future fraudulent activities.
Records are kept for a maximum of 12 months.
We may share your correspondence with:
AEA may collect data from customers at station gate lines. The data collected is the ticket number of the ticket presented and will then be matched against the season ticket database.
The data is collected to counter fraudulent behaviour from customers with regard to ticketless travel.
We collect your information and comments when you contact us by letter, email, web form, phone or social media.
We may hold your name, address, date of birth, email address, phone number, social media name, ticket details, photocard image, our correspondence with you, the compensation claims you have made and payment made by us, proof of journey or other supporting information you may provide.
To ensure that we carry have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record or monitor telephone calls, however you will always be told when this happens.
This information is used for administration of correspondence or processing claims you have made, such as delay repay as well as for fraud prevention purposes. We also use it to respond to complaints.
We retain your information to ensure that all claims are processed properly, to undertake analysis in order to minimise potential fraud and identify themes and patterns in the data.
Records are kept for the length of the franchise in a restricted access site to allow analysis and identify themes and patterns.
We are required to provide details of your complaint to another TOC if it relates to their services instead of ours. We may share your correspondence with Passenger Focus or London Travel Watch or the Ombudsman, if you have asked them to act on your behalf under a complaint handling procedure.
We may also share information with other TOCs for the purpose of fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL.
On our stations, we maintain Customer Help and Assistance Points. Depending on the service requested these are linked directly to our Control Centre or to National Rail Enquiries.
Calls for Information or Assistance made to National Rail Enquiries are recorded and monitored, but no advance notice is given as this could result in a delay in the providing assistance.
When using our station or train WiFi service we collect device MAC addresses, timestamps and accounting which is stored for a limited amount of time in order to authenticate devices to the WiFi service. This data will be retained for a period of 14 days after such time it will be deleted.
We do not routinely process children’s data, however in the rare instances that we do we may be required to gain consent from a parent or guardian to process the child’s data.
Where we chose to rely on consent as the legal basis for processing children’s personal data, consent may be required from a person holding ‘parental responsibility’ (note that under the GDPR the UK could chose to implement a lower age boundary than 16 in defining a “child” in law, as long as it is not below 13).
The children’s consent must be freely given, specific, informed and unambiguous.
The AEA business sells scholar tickets (discounted season tickets) to allow children to travel to certain schools. The details taken are the child’s name, school (to ensure that school is within the AEA network) and photocard number. The payment and invoice address details are provided by the parents when the ticket is ordered.
NCP in conjunction with AEA operate car parks at AEA stations. Season ticket passes are available to customers and employees of AEA, in such cases the customer/employee will need to supply their name, address and car registration numbers to ensure that they are not charged for using the car park.
For the purpose of gaining employment your data will be processed by Greater Anglia for but not limited to assessments, interviews, medical and reference checks.
The data is retained on the following basis: Unsuccessful candidates – 6 months
Successful candidates – 6 years after leaving employment
AEA process safety forms and potential claims were a customer or employee has had an accident/or reported accident whilst at a station or travelling on our trains. The data taken is the name, address and data of birth of the customer or employee concerned. For customers this data will be sent to our third party claims handler and is collected in order to manage the claim and will be held for three years and six months after the claim is resolved. For employees the data will be held indefinitely in order to manage any future claims that the employee could raise at a later date.
The information that we collect from you will only be stored in the European Economic Area (“EEA”) or, where it is necessary to disclose it to our processors located outside the EEA, other jurisdictions which are acceptable according to guidance provided by the Information Commissioner and/or where appropriate legal and security safeguards are in place. Please contact the Data Protection Manger (see page 2) if you wish to find out more about the safeguards.
We use a range of appropriate technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.
Unless stated otherwise wwe will aim to satisfy your instruction, or inform you as to why we are unable to, without undue delay and within 30 days. If we anticipate that we will not meet with this timeframe we will let you know within 30 days and explain what the problem is.
To prevent marketing to you, you have the right to ask us not to process your personal information for marketing purposes. We will usually inform you before collecting your information if we intend to use or disclose it for such purposes. If you do not want us to use your information for marketing purposes either:
You are entitled to request a copy of the personal information we hold about you.
Please contact the Data Protection Manager, as follows:
Colchester North Station
North Station Road
We may need to ask for some further information, such as checking who you are.
Please refer to website for a copy of the Subject Access Report (SAR).
Please let us know in what format you wish to receive your information.
Sometimes we may hold information that we don’t have to provide, for example it would prejudice a police investigation or if the disclosure would cause harm to another person whose personal data is inseparable from your data.
In most cases we provide the copy of your data to you for free. We have set out some information about when it might not be free, or provided below.
If you believe the information we hold about you is inaccurate or incomplete you can contact us and ask us to correct it. You may also request any data processing we are carrying out on your data is halted whilst a request for rectification, objection or a dispute over the lawfulness of processing is being considered. We will provide a response confirming the action we have taken or disagree with taking.
This is also known as the “Right to be forgotten”; you can request deletion or removal of personal information in some circumstances, such as where there is no compelling reason for its continued processing. We will also take reasonable steps to notify third parties of your instruction and request that they act upon it, in a similar manner.
If we relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. It does not affect the processing carried out beforehand. You can withdraw consent by contacting Customer Relations:
Greater Anglia Contact Centre
Norwich Railway Station
Data Protection Manager:
Colchester North Station
North Station Road
Where you have consented to receive direct marketing communications, you can withdraw your agreement at any time, as above or where available updating your preference centre or clicking on the appropriate link in the communication.
We will act upon such an instruction as soon as possible.
Where you have provided us with personal data and the reasons we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information be provided to you or another data controller in a structured, commonly used and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely affects the rights of others.
We target some of our marketing and service communications so that they are more relevant to you, based on the type of ticket(s) you bought and your location/travel stations. We will try and ensure where possible the communications are compatible with the device you are using. We use automated decision making to calculate the validity and value of Delay Repay claims made through our website. You will receive a notification of the outcome of your claim. At this stage you are able to request that your claim is manually reviewed by a member of the Delay Repay team. If you remain dissatisfied you are able to escalate to our Customer Relations team.
We are not able to charge you a fee for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can make a decision about what you wanted to do next.
There are various limitations and exemptions in relation to the exercise of rights in DPL - for example if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.
The Data Protection Manager role has been established in a manner to remain independent of business decisions. If you wish to lodge a complaint against:
If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please let us know. Our Data Protection Manager is the first point of contact for dealing with Rights Requests and complaints and they are assisted by Customer Relations. If you are not satisfied with the way in which they have handled your complaint or rights request then you can contact the Group Data Protection Manager:
Abellio UK HQ
36 Renfield St
5th Floor, The Culzean Building
If you are not satisfied with the response you can complain to the ICO. Their contact details are:
Head office Information Commissioner's Office
We’ll store your information for as long as we have to by law or regulatory requirement. If there’s no legal or regulatory requirement, we’ll only store it for as long as we need it. We’ll also keep some personal information for a reasonable period after your last contact with us – just in case you decide to use our services again. We, or one of our partners, may contact you about our services during this time if you haven’t opted out of receiving marketing communications from us.
We may also keep your personal data for the purposes of our legitimate interests in running our Group businesses, including anonymising or pseudonymising data for analysis.
This Policy was last updated on 4th May 2018