INTRODUCTION
Abellio Bus (Abellio London Ltd & Abellio West London Ltd) is committed to protecting and respecting your privacy when you use our services.
This Privacy Policy explains:
CONTENTS
For the purposes of the Data Protection Act 2018, the data controller is:
Abellio Bus, 301 Camberwell New Road, London, SE5 0TF
Our Data Protection Manager (DPM) is:
Mike Tinsley, Abellio Bus, 301 Camberwell New Road, London, SE5 0TF
Our nominated Data Protection Officer (DPO) is:
Edward Walker, Abellio Group, St Andrews House, Second Floor, 18-20 St Andrew Street, London, EC4A 3AG
More information about the General Data Protection Regulation and all related and subordinate legislation as amended or re-enacted from time to time can be found on the Information Commissioners website https://ico.org.uk/
The Information Commissioner is our regulator for data protection matters.
INFORMATION WE MAY COLLECT FROM YOU
We may collect and process information about you when you:
We collect information such as your contact details, ticket purchases, payment and refund details. We may require additional details for some services, such as your age for age restricted tickets and in the case of accidents and incidents, such as details of injuries. This information is generally provided by you.
Sometimes we obtain details from third parties, for example if our Group structure changes or for legitimate business reasons.
If you travel on one of the services we operate on behalf of Transport for London, we will not collect any data about you, except if you contact Customer Care.
HOW WE USE YOUR INFORMATION
We will only use the information you provide as permitted by Data Protection Law (DPL). Our reason(s) for using your data will vary depending on: how you contact us, use our services, the consent you have given, our legitimate interests, or legal obligations we may have. Reasons for use of your data include:
We are part of a Group of Companies and share administrative services and support. Your data may therefore be shared with other Group companies where appropriate.
OUR LEGITIMATE INTERESTS
We aim to run our business and Group businesses in a safe and socially and environmentally responsible manner, efficiently, to provide sustainable and high quality, locally focused passenger transport services. We also aim to improve and expand our services, be a leading employer in the transport sector and invest in and develop our staff. We operate with financial discipline to provide shareholder value, provide and improve customer services.
SHARING OR DISCLOSURE OF YOUR INFORMATION
We will only share or disclose your information as set out in this Policy or in accordance with DPL and will obtain your consent where we are required to do so. We will only use third parties to process information where we are satisfied that they comply with these standards and can keep your data secure.
Due to the nature of the services we provide, we process a large range of data, in a number of ways, across a number of solutions. Accordingly, it was deemed impractical to set out the details of all the third parties that we may share your data with below. You can find out more about the information we collect and how we use, share or disclose it below or by contacting us at privacy@abellio.co.uk
We may share or disclose information for the following reasons:
TYPES OF INFORMATION WE COLLECT
CCTV
Camera systems we operate
Abellio operates its CCTV systems in compliance with the CCTV Code of Practice issued by the ICO. Abellio’s CCTV systems are used to capture, record* and monitor images of what takes place at depots and in and around its buses. CCTV is operated for health and safety of employees, customers and members of the public and prevention and detection of crime and anti-social behaviour.
CCTV footage at depots is held for a maximum of 15 to 30 days from the time of recording. On buses, the CCTV images are recorded over continually and retained for a maximum of 7 days before it is overwritten automatically.
Copies of images can be requested by making a subject access request. Abellio may disclose images in response to valid requests from the police and other statutory law enforcement agencies. Before we authorise any disclosure, the police must demonstrate that the personal data is necessary to assist them in the prevention or detection of a specific crime.
Abellio may also disclose images and personal data to third parties if required to by law or it is necessary for a legitimate purpose such as defending or bringing legal action. Data Protection Law allows Abellio to do this where the request is supported by satisfactory evidence and assurances of the legitimate interest, evidence of the relevant legislation or a court order.
Legitimate interest would include requests such as defending or making a legal claim, such as to insurers following a vehicle collision.
We may pass CCTV footage to third party organisations for the purpose of safety research and analysis.
*Depending on the type of bus some of the cameras can record audio at the driver's cab area only.
Why we operate CCTV cameras
We operate CCTV for the following purposes:
Camera locations
We operate cameras at our depots and on all the buses that we run.
Length of time CCTV footage is kept
CCTV footage at depots and on buses is generally held for a maximum of 31 days from the time of recording, unless the footage is used for investigation of an incident or accident in which case the footage will be retained for 3.5 years or until 3.5 years past the 18th birthday of any children known to be involved in the incident.
How to access your CCTV personal data
You can request copies of images or footage of yourself by making a Subject Access Request.
Disclosing CCTV/personal data to the police
At our discretion, we may disclose CCTV/personal data in response to valid requests from the police and other statutory law enforcement agencies.
Before we authorise any disclosure, the police have to demonstrate that the CCTV/personal data is necessary to assist them in the prevention or detection of a specific crime, or in the apprehension or prosecution of an offender.
Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the DPL.
Sharing CCTV footage with other third parties
We may share CCTV images with Transport for London to support investigations into major incidents involving our buses.
We may also disclose personal data to third parties, if required to by law or it is necessary for a legitimate purpose such as defending or bringing legal action. DPL allows us to do this where the request is supported by:
Legitimate interest would include requests such as defending or making a legal claim, such as to insurers following a vehicle collision. When we are not required to provide CCTV, we will take into account the circumstances and any potential harm to individuals, we may also charge a fee and seek indemnity for any use beyond which it is requested.
External guidelines and best practice
Abellio Bus operates its CCTV systems in compliance with the CCTV Code of Practice issued by the Information Commissioner’s Office (ICO) in 2017. The Code describes best practice standards which should be followed by organisations operating devices which view or record images of individuals. It also covers other information derived from those images that relates to individuals (for example vehicle registration marks).
WEBSITE VISITS AND PURCHASES
This section shows the information we collect when you use our website. Before providing us with your details, please read the following important information regarding:
Collection of visitor information
We will only use the information that we collect about you lawfully, in accordance with the DPL.
The details you provide about yourself and any other information which identifies you (‘Personal Information’) is held by Abellio UK Bus on this website (the "Site") for operational purposes, for example booking coach parking or processing payments.
Abellio Bus gathers general information about users, for example, what services users access the most and which areas of the Abellio Bus site are most frequently visited. Such data is used in the aggregate to help us to understand how the Abellio Bus site is used. We gather this information so that we can continue to improve and develop our services to the benefit of our users. We may make this aggregated information available to users of the Abellio Bus site and to auditors. These statistics are anonymous and contain no personal information and cannot be used to gather such information.
When you register with Abellio UK Bus for online Surrey bus ticket purchasing, book coach parking or MOT testing, or buy a Surrey bus ticket, we ask for personal information such as your name, contact details, and other details. Once you have done this and accept our Terms & Conditions, you are not anonymous to us. We may contact you regarding site changes or changes to the Abellio UK Bus products or services that you use.
If you buy a ticket online with Abellio UK Bus, we will record your personal details and send you a confirmation email. Your personal data will be used principally to communicate with you with reference to your request.
Hyperlinks
We may provide hyperlinks from the site to third party websites. No liability is accepted for the contents of any site operated by a third party which may be accessed via links from the site. These links are provided for your convenience only and do not imply that Abellio Bus approves or recommends the content of such sites. We encourage our users to be aware when they leave our site to read the privacy statements of each and every website that collects personal data. This Privacy Policy applies solely to information collected by Abellio Bus.
Cookies
Our website uses cookies to help us to provide you with a good experience when you browse our website and also allows us to improve our website.
A "cookie" is a small text file that is placed on your equipment (computer, phone, tablet etc) when you visit a website
There are several types of cookies:
The functional or session cookies are used to provide services or to store your preferred settings. For example, for:
These cookies are used to analyse your visit to our websites. For example, we analyse the number of visitors visiting our websites, the duration of the visits, the order of the pages visited and whether the pages of a website need to be adjusted. With the help of the collected information we can organise our websites to be more user-friendly. Furthermore, these cookies are used to solve possible technical problems on the websites.
In addition to cookies, Abellio Bus also use Javascripts and web beacons. By using Javascript in your browser we can make our sites interactive and develop applications for the web. A web beacon is a small graphic image on our sites. By means of this image, we can, for example, determine how many visitors saw the page at which times. These techniques can also be used for marketing and tracking purposes.
Some of the cookies may be placed with the consent of Abellio Bus by third parties with the aim to bring certain products and services to your attention or to give you direct access to social media: Google Analytics , Google Maps , Crobox , Doubleclick , Visual Web Optimizer, Metrixlab , MediaMind , ClickTale, Usabilla , Turn , Twitter , YouTube , LinkedIn , Google Adwords , Cloudfront , Sizmek ,Cadreon , Criteo and Facebook . For the cookies that these external parties place, the information they collect with them and the purpose for which that information is used, we refer to the privacy statements of these parties on their own websites. These statements can change regularly and Abellio Bus has no control whatsoever.
Would you like to know more about cookies? Then go to http://www.allaboutcookies.org/
An overview of the cookies & similar techniques that we use can be found here
Access to our database containing personal information on registered users of the Surrey bus ticket site is restricted. In order to increase security we ask you to input a password when you register as a user of the site. Please keep this password secret. In addition, we encrypt your financial information using SSL (Secure Sockets Layer) technology so that no one else can access your credit card details as they travel through the Internet. SSL is certified by Verisign and is recognised as a secure way to pay on-line.
As you may be aware, no data transmission over the Internet can be entirely secure. As a result, while we will always use reasonable endeavours to protect the personal information you provide to us, we cannot guarantee the security of your information and the use of our facilities (e.g. e-mail) is at your own risk. If you have any questions about paying for your ticket through the Site, please contact Customer Relations.
BOOKING COACH PARKING
Personal details we hold
When you register to book parking spaces from our website, we keep a record of this on a database. We keep the following details:
How we use your personal data
We use this information to help us fulfil our contractual obligations to you and administration.
We will not pass your personal information to any other organisation for marketing purposes.
Why we retain your information
We retain your information to enable you to purchase further coach parking spaces.
Length of time records are kept
Records are kept until you tell us you no longer wish to be registered for coach parking purchases or you have not purchased any spaces for 2 years.
Sharing data with third parties
We will not pass your personal information to any other organisation for any purposes other than processing your payment.
BOOKING MOT TESTING
Personal details we hold
When you book an MOT test with us, we keep a record of this on a database. We keep some or all of the following details:
How we use your personal data
We use this information to help us fulfil our contractual obligations to you and administration.
We will not pass your personal information to any other organisation for marketing purposes.
Why we retain your information
We retain your information to enable you to book further MOT testing and to support any insurance claims that require evidence of MOT testing as well as complying with our legal obligations for record keeping on MOT testing.
Length of time records are kept
Records are kept for 4 years post testing.
Sharing data with third parties
We will not pass your personal information to any other organisation for any purposes other than processing your payment.
REGISTERING AS A RAIL REPLACEMENT BUS OPERATOR
Personal details we hold
When you register to book parking spaces from our website, we keep a record of this on a database. We keep the following details:
How we use your personal data
We use this information to help us organise rail replacement bus services and administration.
We will not pass your personal information to any other organisation for marketing purposes.
Why we retain your information
We retain your information to enable us to offer you opportunities to provide rail replacement bus services.
Length of time records are kept
Records are kept until you tell us you no longer wish to be registered as a rail replacement operator or you have not provided any services for 2 years.
Sharing data with third parties
We will not pass your personal information to any other organisation for any purposes other than processing your payment.
ACCIDENTS AND INCIDENTS
Personal details we hold
If you are involved in an accident or incident on or with one of our vehicles, or if you are a witness to an accident or incident, we will collect some or all the following details:
How we use your personal data
We use this information for investigation of accidents and incidents, handling claims and repairs to vehicles, preventing fraud and dealing with any legal actions arising from the incident or accident.
We will not pass your personal information to any other organisation for marketing purposes.
Why we retain your information
We retain your information to enable us to resolve issues and settle claims, repair vehicles, and comply with our legal obligations to support police and court actions.
Length of time records are kept
In line with our legal obligations, records are kept for 3.5 years unless we know that a child was involved, in which case we will keep the information for 3.5 years past their 18th birthday.
Sharing data with third parties
We will not pass your personal information to any other organisation for any purposes other than investigating incidents and accidents, resolving claims, repairing vehicles or participating in any resulting police or legal actions.
LOST PROPERTY
Personal details we hold
If you leave something on one of our buses, or if we find something on one of our buses that contains identifying materials like a driving licence, we will record some or all the following details:
How we use your personal data
We use this information to help us return your lost property
We will not pass your personal information to any other organisation for marketing purposes.
Why we retain your information
We retain your information to enable us to return property to its rightful owner.
Length of time records are kept
We will keep your details for 6 months.
Sharing data with third parties
If you have not collected your property from us within 2 days, we will send it to Transport for London in line with the agreement we have with TfL. We will also pass on your details to TfL to enable them to deal with your property. We will not pass your personal information to any other organisation.
CUSTOMER RELATIONS DATABASE
We collect your information and comments when you contact us by letter, email, web form, phone or social media.
Personal details we hold
Length of time records are kept
Records are kept for two years.
Sharing data with third parties
We may share your correspondence with Transport for London.
CHILDREN’S DATA
We do not routinely process children’s data, however in the rare instances that we do we may be required to gain consent from a parent or guardian to process the child’s data.
Where we chose to rely on consent as the legal basis for processing children’s personal data, consent may be required from a person holding ‘parental responsibility’.
The children’s consent must be freely given, specific, informed and unambiguous.
WHERE WE STORE YOUR PERSONAL INFORMATION
The information that we collect from you will only be stored in the European Economic Area (“EEA”) or, where it is necessary to disclose it to our processors located outside the EEA, other jurisdictions which are acceptable according to guidance provided by the Information Commissioner and/or where appropriate legal and security safeguards are in place. Please contact the DPO / DPM if you wish to find out more about the safeguards.We may hold your name, address, date of birth, email address, phone number, social media name, our correspondence with you and other supporting information you may provide.
To ensure that we have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record or monitor telephone calls, however you will always be told when this happens.
How we use your personal data
This information is used for administration of correspondence as well as for fraud prevention purposes. We also use it to respond to complaints.
Why we retain your information
We retain your information to enable us to investigate and resolve complaints, respond to you in dealing with your complaint or comment and to help us understand where our services may need improvement.
INFORMATION SECURITY
We use a range of appropriate technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.
YOUR RIGHTS
Unless stated otherwise we will aim to satisfy your instruction, or inform you as to why we are unable to, without undue delay and within 30 days. If we anticipate that we will not meet with this timeframe we will let you know within 30 days and explain what the problem is.
ASK FOR A COPY OF YOUR PERSONAL DATA
You are entitled to request a copy of the personal information we hold about you.
Please contact privacy@abellio.co.ukto make the request.
We may need to ask for some further information, such as checking who you are. You can download the form here and send it to us, which will help us deal with your request more efficiently.
Please let us know in what format you wish to receive your information.
Sometimes we may hold information that we don’t have to provide, for example it would prejudice a police investigation or if the disclosure would cause harm to another person whose personal data is inseparable from your data.
In most cases we provide the copy of your data to you for free. We have set out some information about when it might not be free, or provided below.
RECTIFICATION / RESTRICTION
If you believe the information we hold about you is inaccurate or incomplete you can contact us and ask us to correct it. You may also request any data processing we are carrying out on your data is halted whilst a request for rectification, objection or a dispute over the lawfulness of processing is being considered. We will provide a response confirming the action we have taken or disagree with taking.
DELETION
This is also known as the “Right to be forgotten”, you can request deletion or removal of personal information in some circumstances, such as where there is no compelling reason for its continued processing. We will also take reasonable steps to notify third parties of your instruction and request that they act upon it, in a similar manner.
WITHDRAWAL OF CONSENT
If we relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. It does not affect the processing carried out beforehand. You can withdraw consent by contacting us at privacy@abellio.co.uk
We will act upon such an instruction as soon as possible.
PORTABILITY
Where you have provided us with personal data and the reasons we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information be provided to you or another data controller in a structured, commonly used and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely affects the rights of others.
HOW WE DEAL WITH RIGHTS REQUESTS
We are not able to charge you a fee for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can make a decision about what you wanted to do next.
There are various limitations and exemptions in relation to the exercise of rights in DPL - for example if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.
COMPLAINTS
The DPO role has been established in a manner to remain independent of business decisions. If you wish to lodge a complaint against:
We also have a complaints policy. If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please us know. Our DPM is the first point of contact for dealing with Rights Requests and complaints and they are assisted by Customer Relations. If you are not satisfied with the way in which they have handled your complaint or rights request then you can contact the Group DPO:
Edward Walker, Abellio Group, St Andrews House, Second Floor, 18-20 St Andrew Street, London, EC4A 3AG
Email: dpoabellio@abellio.com
If you are not satisfied with the response you can complain to the ICO. Their contact details are:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Fax: 01625 524 510
https://ico.org.uk/global/contact-us/
HOW LONG WE KEEP YOUR PERSONAL DATA FOR?
We’ll store your information for as long as we have to by law or regulatory requirement. If there’s no legal or regulatory requirement, we’ll only store it for as long as we need it. We’ll also keep some personal information for a reasonable period after your last contact with us – just in case you decide to use our services again. We, or one of our partners, may contact you about our services during this time if you haven’t opted out of receiving marketing communications from us.
We may also keep your personal data for the purposes of our legitimate interests in running our Group businesses, including anonymising or pseudonymising data for analysis.
CHANGES TO THIS PRIVACY POLICY
We may revise this Privacy Policy from time to time. The most current version of this policy will govern use of your information and will always be at www.abellio.co.uk/privacy. By continuing to access or use the Service after those changes become effective, you agree to be bound by the revised Privacy Policy.
This Policy was last updated on 26th July 2019.