Privacy & Cookie Policy

Introduction

Abellio Scotrail Ltd ("ScotRail", "we", "us", or "our") is committed to protecting and respecting your privacy when you use our services.

This Privacy Policy explains:

  • What personal data we collect from you when you use our website, apps, visit our stations, contact us, use our services, or Wi-Fi
  • How we will collect and use that information
  • How we keep information secure; and
  • How you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint

Contents

  • Information we may collect from you
  • How we use your information
  • Sharing or disclosure of your information
  • Types of information we collect:
    • CCTV
    • Website visits and purchases
    • Ticket office purchases
    • Revenue protection and penalty fares
    • Customer Relations database
    • Station help and assistance information points
    • Station and train Wi-Fi
    • Personal data to aid recruitment for jobs in ScotRail
    • Safety forms and claims
    • Children's data
  • Where we store your personal information
  • Information security
  • Your rights

For the purposes of the General Data Protection Regulation Act 2018, the data controller is:

Abellio ScotRail Limited
36 Renfield St
5th Floor, The Culzean Building
Glasgow
G2 1LU

Our Data Protection Manager contact details (DPM) are:

Email: [email protected]

Address:

Abellio ScotRail Limited
Atrium Court, 50 Waterloo St
Glasgow
G2 6HQ

Our nominated Group Data Protection Officer (DPO) is:

Data Protection Manager
Abellio UK HQ
36 Renfield St
5th Floor, The Culzean Building
Glasgow
G2 1LU

More information about the General Data Protection Regulation and all related and subordinate legislation as amended or re-enacted from time to time can be found on the Information Commissioners website https://ico.org.uk

The Information Commissioner is our regulator for data protection matters.

Information we may collect from you

We may collect and process information about you when you:

  • Buy tickets;
  • Travel on our services;
  • Visit our stations or car parks;
  • Use our website, apps or Wi-Fi;
  • Buy a product from us or make a sales enquiry;
  • Contact Customer Relations;
  • Enter a competition;
  • Sign up to receive updates or marketing;
  • Are involved in an accident or incident at one of our stations; or
  • Apply for a job/vacancy at ScotRail

We collect information such as your contact details, ticket purchases, stations visited (for example for charging the correct fares on smart cards), payment and refund details. We may require additional details for some services, such as your age for age restricted tickets. This information is generally provided by you.

Sometimes we obtain details from third parties, for example if our Group structure changes or for legitimate business reasons.

This may include:

  • Credit reference agencies
  • Fraud prevention agencies
  • Public information sources such as Companies House
  • Government and law enforcement agencies

How we use your information

We will only use the information you provide as permitted by data protection law. Our reason(s) for using your data will vary depending on: how you contact us, how you use our services, the consent you have given, our legitimate interests, or legal obligations we may have. Reasons for use of your data include:

  • To provide you with the service – things like carrying out our obligations arising from any contracts – selling tickets, making and taking payments. We mostly rely on the legal ground of contractual performance to process your data, but sometimes the data is also used for our legitimate interests of customer service, health and safety, improving our services and other legal obligations, like providing information to our regulators
  • To provide you with details of our services, information about travelling and customer service – this is based on our legitimate interests, to run train and associated services. Sometimes it is part of our contract or our other legal obligations
  • To provide you with details of promotions and offers which we feel may interest you; this is based on our legitimate interests to try and sell more train tickets when you have given consent for us to contact you. This may include serving relevant advertisements via email, SMS, post, telephone, Social Media and 3rd party websites. You have an absolute right to ask us to stop sending and serving marketing messages to you
  • To run our services and improve them – we believe in investing in our railway services, not just to benefit passengers but also the wider community, environment, and economy. There are lots of activities we do to achieve this, some are administrative and we also do things like monitoring passenger numbers, and popular stations, improving technology to help plan journeys – make money, run our services safely and be a good employer - we call these our legitimate interests. Some of these are also covered in our legal obligations, not just to customers, but under Franchise Contracts/Local Authority Contracts, the Department for Transport or Regulators. Some data is also shared to run interoperable services – in the Rail Industry this is overseen by the Rail Delivery Group – this is how you are able to use a ticket on a train and tube for example, or use a rail Discount card
  • For your safety and security – we have legal obligations to manage public safety for us, our employees and our customers, including through the use of CCTV and through the use of body worn cameras and equipment. We provide more details later on in the section on CCTV – see Types of Information We Collect
  • For fraud and crime prevention – in addition to our legal obligations, we have a legitimate interest in preventing fraud and preventing, detecting and reporting crime on trains and at railway stations, premises and car parks
  • To handle complaints etc – we will use your information to handle and respond to any complaints, requests or enquiries you make of us. We have a legitimate interest in responding to complaints, requests or enquiries and handling them efficiently and fairly
  • To enhance your experience of our website, as described in our cookie policy and in the section on Website Visits and Purchases – see Types of Information We Collect. We also rely on our legitimate interests more generally to ensure that our technology operates efficiently and without error and to assess which of our services might be of interest to you and to tell you about them
  • To run competitions and conduct surveys and research – we run competitions to promote our services and sell tickets. If you enter a competition we will use your information to facilitate your participation in accordance with the competition rules. We may also conduct surveys and research to learn more customer attitudes and feedback and to improve the railways and our services
  • To manage incidents and accidents – we have legal obligations to record and report certain accidents and incidents and will arrange appropriate medical treatment for anyone who falls ill or is injured in order to protect their vital interests

We are part of a Group of Companies and share administrative services and support. Your data may therefore be shared with other Group companies where appropriate. We are also required to pass certain customer data to successor franchisees, the Secretary of State or Department for Transport.

Our legitimate interests

In addition to legitimate interests identified elsewhere, we have a general legitimate interest in running our business and Group businesses, in a safe and socially and environmentally responsible manner, efficiently, to provide sustainable and high quality, locally focused passenger transport services, improve and expand our services, be a leading employer in the transport sector, investing in and developing our staff, operating with financial discipline and reducing crime and fraud, to provide shareholder value, provide and improve customer services.

Sharing or disclosure of your information

We will only share or disclose your information as set out in this Policy or in accordance with data protection law and will obtain your consent where we are required to do so. We will only use third parties to process information where we are satisfied that they comply with these standards and can keep your data secure. Due to the nature of the services we provide, we process a large range of data, in a manner of ways, across a number of solutions. Accordingly, it is impractical to set out the details of all the third parties that we may share your data with below. You can find out more about the information we collect and how we use, share or disclose below or by contacting us at [email protected].

We may share or disclose information for the following reasons:

  • We use data processors to provide or assist with some of our services, for example, the processing of bookings. Where we do so, they must agree to strict contractual terms and to keep your data secure;
  • Where we share data across our Group Companies, this is only in accordance with a written data sharing agreement;
  • To operate interoperable services - this includes use of some shared systems and processors, by the rail industry generally and overseen by the Rail Delivery Group;
  • To respond to your complaints or administer requests you have made, either to us or another regulatory body such as Transport Scotland; Passenger Focus, The Office of Rail and Road, Rail Delivery Group, Journeycall or other train operating companies (TOCs);
  • To process payment card transactions by sharing transactional information with payment service providers;
  • To comply with requests from the British Transport Police under an Information Sharing Protocol, ensuring that any disclosure is lawful;
  • To comply with requests from the police or other law enforcement agencies for the purposes of crime prevention or detection, these are dealt with on a case-by-case basis, under a specific Information Sharing Protocol, to ensure that any disclosure is lawful;
  • To comply with other legal obligations for example, relating to crime and taxation purposes or regulatory activity;
  • To protect our legitimate business interests, as outlined above;
  • Where required because of the sale, merger, or acquisition of business assets. As the Railway Industry is run on a system of franchises, we are required to transfer our customer data to a successor franchise, or the Secretary of State, this is so that they can take over and continue the running of the railway service;
  • In respect of information provided to us for marketing purposes only (including freely given consent), to the Department for Transport and/or any successor operator of the rail franchise in order that they may contact you for marketing purposes in the event that we cease to operate this rail franchise;
  • If you have agreed (via freely given consent) to receive information for competition, promotion, survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to in the terms and
    conditions of the purpose; and
  • Where you have consented, to share with other members of the Abellio Group UK (“Abellio group”), of which we are a member, where Abellio has any services, promotions and offers which we feel may interest you
    Details of other members of Abellio group can be found here

Types of information we collect

CCTV

Camera systems we operate

Our CCTV is used to capture, record and monitor images of what takes place at our stations and car parks and on our trains, in real time. In limited circumstances, we use body worn cameras which make audio visual recordings.

Depending on the type of camera, images are recorded on video tape (analogue) or as digital information. Cameras can be fixed or set to scan an area. In some circumstances, they can be operated remotely by controllers.

Why we operate CCTV cameras

We operate CCTV for the following purposes:

  • Health and safety of employees, passengers and other members of the public;
  • Crowd management; and
  • Prevention and detection of crime and anti-social behaviour

Camera locations

We operate cameras at some of the stations and car parks across our network and on some of the trains that we run. For a full list of stations and car parks and operators please click https://www.scotrail.co.uk/plan-your-journey/stations-and-facilities.

Network Rail operates the cameras at the following stations that our services stop at:

  • Glasgow Central (High Level)
  • Edinburgh Waverley

We operate CCTV on some of the trains that we run.

Length of time CCTV footage is kept

CCTV footage at stations and on train is generally held for a maximum of 31 days from the time of recording, with the following exceptions:

  • If relating to an accident, we will retain media for 3 years
  • If relating to an operational incident, we will retain media for 5 years

Recordings from body worn cameras is generally held for 24 hours, unless required for legitimate business reasons.

How to access your CCTV personal data

You can request copies of images or footage of yourself by making a Subject Access Request. Our Subject Access Request form can be found at: https://www.scotrail.co.uk/subject-access-requests.

Disclosing CCTV/personal data to the police

At our discretion, we may disclose CCTV/personal data in response to valid requests from the police and other statutory law enforcement agencies.

Before we authorise any disclosure, the police have to demonstrate that the CCTV/personal data is necessary to assist them in the prevention or detection of a specific crime, or in the apprehension or prosecution of an offender.

Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the data protection law.

Sharing CCTV footage with other third parties

Some of our CCTV infrastructure is shared with the British Transport Police, Local Authorities, Network Rail, and Car Park operators under formal data sharing agreement.

In certain agreed circumstances, they may take control of a limited number of cameras and use them for activities such as the prevention and detection of crime and anti-social behaviour, policing major events and crowd control. ScotRail is not responsible for the CCTV when it is in the control of a third party.

We may also disclose personal data to third parties, if required to by law, for defending or bringing legal action or where it is necessary for another legitimate purpose. Data protection law allows us to do this where the request is supported by:

  • Evidence of the relevant legislation
  • A court order
  • Satisfactory evidence and assurances of the legitimate interest

A legitimate interest would include for example, disclosing footage to insurers following a vehicle collision in a carpark. When we are not required to provide CCTV, we will take into account the circumstances and any potential harm to individuals, we may also charge a fee and seek indemnity for any use beyond which it is requested.

External guidelines and best practice

ScotRail operates its CCTV systems in compliance with the CCTV Code of Practice issued by the Information Commissioner’s Office (ICO) in 2017. The Code describes best practice standards which should be followed by organisations operating devices which view or record images of individuals. It also covers other information derived from those images that relates to individuals (for example vehicle registration marks).

Website visits and purchases

This section shows the information we collect when you use our website. Before providing us with your details, please read the following important information regarding:

  • Collection of visitor information
  • Hyperlinks
  • Cookies
  • Other techniques

Collection of visitor information

We will only use the information that we collect about you lawfully, in accordance with data protection law.

The details you provide about yourself and any other information which identifies you (‘Personal Information’) is held by ScotRail on this website https://www.scotrail.co.uk (the "Site") for operational purposes, for example member registration or processing payments. We may also use your Personal Information to personalise your experience on the Site by informing you of new products or services that we may think are of interest to you.

ScotRail gathers general information about users, for example, what services users access the most and which areas of the ScotRail site are most frequently visited. Such data is used in the aggregate to help us to understand how the ScotRail site is used. We gather this information so that we can continue to improve and develop our services to the benefit of our users. We may make this aggregated information available to users of the Site and to auditors. These statistics are anonymous and contain no personal information and cannot be used to gather such information.

When you register with ScotRail, set up a travel alert, enter a competition, or buy a ticket, we ask for personal information such as your name, contact details, and other details. Once you register with ScotRail and accept our Terms & Conditions, you are not anonymous to us. We may contact you regarding Site changes or changes to the ScotRail products or services that you use. We may use information that you provide to alert you to our own products and services.

If you buy a ticket online with ScotRail, we will record your personal details and send you a confirmation email. Your personal information will be used principally to communicate with you with reference to your request.

You may opt-in to receive newsletters, exclusive discounts, special offers and other marketing communications from ScotRail – including emails, SMS, mail and telephone. You may unsubscribe at any time by logging in to your account and updating your preferences. Please note changes to your subscription preferences can take up to 14 days to take effect.

Alternatively write to our Customer Relations team:

ScotRail Customer Relations, PO Box 27129, Glasgow, G2 9LH

Hyperlinks

We may provide hyperlinks from the site to third party websites. No liability is accepted for the contents of any site operated by a third party which may be accessed via links from the site. These links are provided for your convenience only and do not imply that ScotRail approves or recommends the content of such sites. We encourage our users to be aware when they leave our site to read the privacy statements of each and every website that collects personal data. This Privacy Policy applies solely to information collected by ScotRail.

Cookies

Our website uses cookies to help us to provide you with a good experience when you browse our website and also allows us to improve our website.

So what is a cookie?

A "cookie" is a small text file that is placed on your equipment when you visit a website (equipment like computer, phone, and tablet).

There are several types of cookies:

Functional cookies / Session cookies

The functional or session cookies are used to provide services or to store your preferred settings. For example for:

  • Remembering the products you purchase during online shopping
  • Memorising and passing on the information that you enter during the log-in process or that you leave behind on the various web pages during the ordering process, so that you do not have to enter the same data every time
  • Saving your preferences
  • Detecting abuse of our websites

Analytical cookies

These cookies are used to analyse your visit to our websites. For example, we analyse the number of visitors visiting our websites, the duration of the visits, the order of the pages visited and whether the pages of a website need to be adjusted.

With the help of the information we collect using analytical cookies we can make our websites more user-friendly as well as identify and solve possible technical problems on the websites. One such tool we use to gather analytical information is Google Analytics. On the web, you can choose to opt-out of Google Analytics by installing Google’s opt-out browser add-on

Marketing and tracking cookies

Only if you have given us permission in advance will we use tracking cookies for commercial purposes. These cookies, often placed by third parties, help us to be able to offer you personalised offers. Third parties can follow your internet behaviour with tracking cookies. ScotRail uses a Tag Management System from Google Tag Manager to manage the choice of cookies. This way we can guarantee that no cookies are processed that you have not explicitly given permission for.

JavaScript and Pixels

In addition to cookies, we use JavaScript and Pixels.

By using JavaScript in your browser, we can make our sites interactive and develop applications for the web.

A Pixel is a small graphic image on our site. By means of this image, we can, for example, determine how many visitors saw the page at which times. These techniques can also be used for marketing and tracking purposes. We use two types of Pixel; a Facebook Pixel, which analyses visits to our website from Facebook and DoubleClick Pixel, which analyses visits to our website from our advertising across the internet.

Cookies from external parties

Some of the cookies are used by third parties with our consent with the aim to bring certain products and services to your attention or to give you direct access to social media. These third parties include:

For the cookies that these external parties place, the information they collect with them and the purpose for which that information is used, please refer to the privacy statements of these parties on their respective websites. These statements can change regularly and we have no control whatsoever.

Would you like to know more about cookies? Go to http://www.allaboutcookies.org

Privacy options

If you would prefer us not to set cookies on our Website, you can disable them by changing your internet browser settings. How to do this will depend on the browser you are using, but the following is a step-by-step guide to the most popular browsers:

Microsoft Internet Explorer:

  1. Click on the "Tools" menu
  2. Select "Internet Options"
  3. Click on the "Privacy" tab
  4. Select the desired setting

Google Chrome:

  1. Click on the Customisation menu at the top right of the page
  2. Select "Settings"
  3. Select "Show Advanced Settings" and then "Content Settings"
  4. Select the desired settings under the "Cookies" heading

Mozilla Firefox:

  1. Click on the "Tools" menu
  2. Click on "Options"
  3. Select "Privacy"
  4. Choose the desired options under the "Cookie" menu

For all other browsers, please follow the instructions provided by the relevant browser, usually located within the "Help", "Tools" or "Edit" facility.

If you only disable third party cookies, you will still be able to use this Website, but some of its content will not be as relevant to you. If you disable all cookies, this will result in our Website not working properly.

If you do choose to disable cookies, this choice will only apply to the device you are using at the time. If you want to stop cookies being set on other devices, you will need to follow the relevant steps on each device. Please note that disabling cookies does not delete cookies from your browser, you will need to do this from within your browser.

Access to our database containing personal information on registered users of the Site is restricted. In order to increase security we ask you to input a password when you register as a user of the Site. Please keep this password secret. In addition, we encrypt your financial information using SSL (Secure Sockets Layer) technology so that no one else can access your credit card details as they travel through the Internet. SSL is certified by Verisign and is recognised as a secure way to pay on-line. As you may be aware, no data transmission over the Internet can be entirely secure. As a result, while we will always use reasonable endeavours to protect the personal information you provide to us, we cannot guarantee the security of your information and the use of our facilities (e.g. email) is at your own risk. If you have any questions about paying for your ticket through the Site, please contact Customer Relations.

Ticket office purchases – Season Ticket records

Personal details we hold

When you buy a season ticket valid for one month or more, we keep a record of this on a database. We keep the following details:

  • Name, address and photo card number;
  • Phone number, email and date of birth if you provide them;
  • The origin, destination and start and end date of season tickets you have purchased, along with any duplicate, replacement or refund of these; and
  • The method of payment used, but not any payment card details

How we use your personal data

We use this information to meet our contractual obligations, maintaining our customer relations with you, and administration, customer research, marketing and fraud prevention.

We will only send you information about offers and promotions if you chose to receive it and you can change your marketing preferences at any time. We will not pass your personal information to any other organisation outside of the Abellio group (and Successor franchise or Secretary of State for Transport) for marketing purposes without your prior consent.

Why we retain your information

We retain your information to allow us to contact you i.e. if your season ticket is lost and to aid the renewal process once the season ticket is close to expiring.

Length of time records are kept

Records are kept for the duration of the franchise.

Sharing data with third parties

If you have agreed to receive information for survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to.

Revenue protection and penalty fares

Personal details we hold

We may collect a range of personal detail during revenue protection activity. This may include name, address, proof of ID, journey details, personal descriptions and other information you provide to support an appeal. This data is processed and held in archive by ScotRail.

How we use your personal data

We only use this information for the administration of the Penalty Fares scheme, collection of unpaid fares, fraud prevention and the prosecution of travel offences.

Why we retain your information

We retain your information to undertake analysis to identify any patterns in the data and to minimise future fraudulent activities.

Length of time records are kept

A digital record of historical penalty fares issued is retained indefinitely. Paper copies of penalty fare forms issued are kept for up to two years.

Sharing data with third parties

We may share your information with:

  • British Transport Police under a data sharing agreement to prevent and detect crime
  • Passenger Focus if you have asked them to act on your behalf under a complaint handling procedure. Requests from ombudsmen are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with data protection law
  • We may also share information with other train operating companies for fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with data protection law
  • Our assigned debt collection agency

Customer Relations database

We collect your information and comments when you contact us by letter, email, web form, phone or social media.

Personal details we hold

We may hold your name, address, date of birth, email address, phone number, social media name, ticket details, photocard image, our correspondence with you, the compensation claims you have made and payment made by us, proof of journey or other supporting information you may provide.

To ensure that we have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record or monitor telephone calls, however you will always be told when this happens.

How we use your personal data

This information is used for administration of correspondence or processing claims you have made, such as Delay Repay as well as for fraud prevention purposes. We also use it to respond to complaints.

Why we retain your information

We retain your information to ensure that all claims are processed properly, to undertake analysis in order to minimise potential fraud and identify themes and patterns in the data.

Length of time records are kept

Records are kept for the length of the franchise in a restricted access site.

Sharing data with third parties

We are required to provide details of any complaint you make to another train operating company if it relates to their services instead of ours. We may share your correspondence with Passenger Focus or Transport Scotland or the Office of Rail and Road or Rail Delivery Group, or Journeycall, if you have asked them to act on your behalf under a complaint handling procedure.

We may also share information with other train operating companies for the purpose of fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with data protection law.

Station help and assistance information points

On our stations, we maintain Customer Help and Assistance Points. Depending on the service requested these are linked directly to our Control Centre or to National Rail Enquiries.

Calls for Information or Assistance made to National Rail Enquiries are recorded and monitored, but no advance notice is given as this could result in a delay in the provision of assistance.

Station and train Wi-Fi

When using our station or train Wi-Fi service we collect your device MAC addresses (device identification), train GPS position, IP address, timestamp and session ID. This data will be stored in our systems for a maximum period of 12 months and will only be used to maintain the service quality and for support issues, if necessary. After such time, it will be deleted.

Recruitment

Where you apply for a job with ScotRail, the personal information you provide to us as part of the job application process will be processed by ScotRail for but not limited to assessments, interviews, medical and background checks.

The data is retained on the following basis:

  • Unsuccessful candidates – 6 months
  • Successful candidates – 6 years after leaving employment

Car parking

Some of the services we provide at, or relating to, our car parks require you to supply your name, address, email address, phone number and car registration number. These services are:

  • Union Square (Aberdeen) Car Park - this car park is not operated by ScotRail so you may be required to provide information to obtain a parking pass
  • ChargePlace Scotland - national network of electric vehicle charge points- RingGo - third party car park booking and payment tool

Safety forms and claims

ScotRail processes safety forms and potential claims where a customer or employee has had an accident or reported an accident whilst at a station or travelling on our trains. The data collected is the name, address and date of birth of the customer or employee concerned. For customers, this data will be sent to our third party claims handler and is collected in order to manage the claim and will be held for three years and six months after the claim is resolved. For employees the data will be held indefinitely in order to manage any future claims that the employee could raise at a later date.

Children's data

We do not routinely process children’s data, however in the rare instances that we do we may be required to gain consent from a parent or guardian to process a child’s data.

Where we choose to rely on consent as the legal basis for processing children’s personal data, consent may be required from a person holding ‘parental responsibility’.

The children’s consent must be freely given, specific, informed and unambiguous.

Where we store your personal information

The information that we collect from you will only be stored in the European Economic Area (“EEA”) or, where it is necessary to disclose it to our processors located outside the EEA, other jurisdictions which are acceptable according to guidance provided by the Information Commissioner and/or where appropriate legal and security safeguards are in place. Please contact the Data Protection Manager if you wish to find out more about the safeguards.

Information security

We use a range of appropriate technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.

Your rights

Unless stated otherwise we will aim to satisfy your instruction, or inform you as to why we are unable to, without undue delay and within 30 days. If we anticipate that we will not meet with this timeframe we will let you know within 30 days and explain what the problem is.

Object to direct marketing

To prevent marketing to you, you have the right to ask us not to process your personal information for marketing purposes. We will inform you before collecting your information if we intend to use or disclose it for such purposes. If you do not want us to use your information for marketing purposes either:

  • Indicate this by NOT ticking the box to be sent marketing emails (or offers);
  • If you have an account with us, by logging in and changing your contact preferences;
  • Click the unsubscribe link on direct marketing emails; or
  • Contact us – see Withdrawal of Consent below.

Ask for a copy of your personal information

You are entitled to request a copy of the personal information we hold about you.

Please contact the Data Protection Officer at [email protected]

We may need to ask for some further information, such as checking who you are. Please refer to the ScotRail website for a copy of the Subject Access Request (SAR).

Please let us know in what format you wish to receive your information.

Sometimes we may hold information that we don’t have to provide, for example it would prejudice a police investigation or if the disclosure would cause harm to another person whose personal data is inseparable from your data.

In most cases we provide the copy of your data to you for free. We have set out some information about when it might not be free, or provided below – see How We Deal With Rights Requests.

Rectification / restriction

If you believe the information we hold about you is inaccurate or incomplete you can contact us and ask us to correct it. You may also request any data processing we are carrying out on your data is halted whilst a request for rectification, objection or a dispute over the lawfulness of processing is being considered. We will provide a response confirming the action we have taken or disagree with taking.

Deletion

This is also known as the “Right to be forgotten”. You can request deletion or removal of personal information in some circumstances, such as where there is no compelling reason for its continued processing. We will also take reasonable steps to notify third parties of your instruction and request that they act upon it, in a similar manner.

Withdrawal of consent

If we relied on consent as the grounds for processing your personal data, you can withdraw this consent at any time. Withdrawing your consent does not affect the processing carried out beforehand. You can withdraw consent by contacting Customer Relations at:

ScotRail Customer Relations, PO Box 27129, Glasgow, G2 9LH

Or our Data Protection Officer (DPO):

James Downey

Email: [email protected]

Address:
Abellio ScotRail
Atrium Court
50 Waterloo Street
Glasgow
G2 6HQ

Where you have consented to receive direct marketing communications, you can withdraw your agreement at any time, as above or where available updating your preference centre or clicking on the appropriate link in the communication.

We will act upon such an instruction as soon as possible.

Portability

Where you have provided us with personal information and the reasons we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information be provided to you or another controller in a structured, commonly used and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely affects the rights of others.

Information about profiling and automated decision making

We target some of our marketing and service communications so that they are more relevant to you, based on the type of ticket(s) you bought and your location/travel stations. We will try and ensure where possible the communications are compatible with the device you are using.

We use automated processing to profile customer information in order to help target our products, services and marketing communications more accurately.

We use automated decision making to calculate the validity and value of Delay Repay claims made through our website. You will receive a notification of the outcome of your claim. At this stage you are able to request that your claim is manually reviewed by a member of the Delay Repay team. If you remain dissatisfied you are able to escalate to our Customer Relations team.

How we deal with rights requests

We are not able to charge you a fee for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can make a decision about what you wanted to do next.

There are various limitations and exemptions in relation to the exercise of rights in data protection law - for example if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.

Complaints

The Data Protection Officer role has been established in a manner to remain independent of business decisions. If you wish to lodge a complaint against:

  • The business, please contact our Data Protection Officer, or
  • The Data Protection Officer, please contact the ICO

If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please us know. Our Data Protection Officer is the first point of contact for dealing with Rights Requests and complaints and they are assisted by Customer Relations. If you are not satisfied with the way in which they have handled your complaint or rights request then you can contact the Group Data Protection Officer:

Gabe Barrett
20 St Andrew Street
Second Floor
London
EC4A 3AG
United Kingdom

If you are not satisfied with the response you can complain to the ICO. Their contact details are:

Head office
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

How long we keep your personal data for

We’ll store your information for as long as we have to by law or regulatory requirement. If there’s no legal or regulatory requirement, we’ll only store it for as long as we need it. We’ll also keep some personal information for a reasonable period after your last contact with us.

We may also keep your personal data for the purposes of our legitimate interests in running our Group businesses, including anonymising or pseudonymising data for analysis.

Changes to this Privacy Policy

We may revise this Privacy Policy from time to time. The most current version of this policy will govern use of your information and will always be at https://www.scotrail.co.uk. By continuing to access or use the Service after those changes become effective, you agree to
be bound by the revised Privacy Policy.

This Policy was last updated on 21/05/2018.