Chiltern Railways Privacy Notice
Last update: 23 SEPTEMBER 2024
The Chiltern Railway Company Limited, trading as Chiltern Railways ("We") are committed to protecting and respecting your privacy.
This policy (together with our Website Terms of Use and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
By visiting www.chilternrailways.co.uk or providing your information in the circumstances described below, you are accepting and consenting to the practices described in this policy.
For the purpose of Data Protection Legislation, the data controller is The Chiltern Railway Company Limited of 1 Admiral Way, Doxford International Business Park, Sunderland SR3 3XP. The Chiltern Railway Company Limited is registered as a data controller on the UK Data Protection Register. Our registration number is Z8387561.
1. What personal data do we collect?
Information provided by you
You may give us information about you by completing forms on www.chilternrailways.co.uk (our site) or by corresponding with us by phone, e-mail, web or by post. This includes information you provide when you:
- Register to use our sites
- Download our mobile app
- Subscribe to our services
- Purchase tickets
- Register to receive email updates
- Register with us to use our Wi-Fi service
- Enter a competition, promotion or survey
- Agree to act as a judge for a competition we are running
- Report a problem with our sites or make a complaint
Information you give us may include the following items:
- Your name and/or your address
- E-mail address
- Mobile and/or landline number
- Financial and credit card information
- Personal description and photograph
- Your travel details
- Geographical location, IP or MAC address or details regarding your use of your mobile device or PC (specifically when you register to use our on-train wi-fi service)
Information we collect about you
With regard to each of your visits to our sites or when you register to use our on-train wi-fi services, we may automatically collect the following information:
- IP (Internet Protocol) address: your IP address indicates your location, unless you are using a VPN service
- MAC (Media Access Control) address: a unique identifier, or address, assigned by the manufacturer of your device
- Device: what type of device you are using (TV, smartphone, laptop, desktop)
- OS (Operating system): what operating system your device has (iOS, Android, Windows, Linux, Mac OS X)
- Browser & browser version: which web browser you are using (Internet Explorer/Edge, Opera, Chrome, Safari, Firefox)
- Domain: depending on your device and browser settings, we sometimes identify the web address of the domain you came from before landing on our website
- Clickstream data: this is a list of all the web pages that you visited, and the order you viewed them in, on each visit to www.chilternrailways.co.uk. We also record how much time you spend on each web page, and record any actions you make on each page
Information we receive from other sources
We may receive information about you if you use any of the other websites we operate or the other services we provide. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.
Sensitive personal data
Chiltern Railways does not routinely collect, store or use any sensitive personal information that would be classed as a special category of data under the General Data Protection Regulation in connection with ticket sales or enquiries regarding ticket sales.
Where we store your personal information
The personal information we collect about you is stored within our secure UK/EU IT infrastructure. No identifiable personal information is stored or shipped to non-UK/EU locations without safeguards to ensure your personal data remains protected, including using the UK International Data Transfer Agreement (IDTA) and European Commission's Standard Contractual Clauses. Your personal information is stored in databases which are encrypted at rest, providing the highest level of security. All personal information is moved to and from our website www.chilternrailways.co.uk via an HTTPS connection, which means that the transfer of data is also encrypted. Access to your personal data held on databases managed by Chiltern Railways or its authorised subcontractors is granted only when there is a need to use the data, and no permanent access exists.
2. Cookies
We use cookies to enhance your browsing experience and personalise our services. Cookies help us understand how you use our website, provide necessary site functionality, and improve our services. For more detailed information on the types of cookies we use and their purposes, please see our full Cookie Policy.
You can manage your cookie preferences or withdraw your consent at any time by using the cookie consent banner that appears when you first visit our website. This banner allows you to accept all cookies, reject non-essential cookies, or customise your cookie settings.
Additionally, you can control or delete cookies through your browser settings. Here are some links to instructions for managing cookies in various browsers:
- Google Chrome: https://support.google.com/chrome/answer/95647?hl=en
- Apple Safari: https://support.apple.com/en-gb/guide/safari/sfri11471/mac
- Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09
- Mozilla Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
Please note that disabling cookies may affect the functionality of our website and your browsing experience.
3. How do we use your personal data and what is the legal basis for such processing?
The collection of the personal data described above is usually mandatory and, if such personal data is not provided, we will not be able to provide the information, products and services to you. Where the collection of any personal data is not mandatory, we will inform you of this prior to collection, as well as the consequences of failing to provide the relevant personal data.
Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. However, we will normally process your personal information only:
- where we have your consent to do so;
- where we can rely on the soft opt-in rule under The Privacy and Electronic Communications Regulations (PECR)
- where the processing is necessary to perform our contract with you; or
- where the processing is in our legitimate interests or those of a third party and such interests are not overridden by your data protection interests or fundamental rights and freedoms; and
- where we have a legal obligation to process your personal information.
Purpose of processing | Legal basis for processing |
---|---|
The provision of an electronic giftcard to the customer via contact details provided by the customer. | Performance of a contract and fulfilment of the process for issuing a giftcard to the customer for their use. |
Authority to Travel - Provision of a permit to use Chiltern Railways services. | Performance of a contract and fulfilment of permit to use Chiltern Railways services. |
Travel information & service availability notices. | Performance of a contract, Legitimate interest. |
Provision of your tickets to use our services. | Performance of a contract. |
Season ticket holder details, to manage and administer season ticket accounts (Including issuance, renewals, and cancellations), provide customer support (Assisting with enquiries, complaints, and ticketing issues), deliver travel updates and service information (Sending notifications about changes, disruptions, or offers). | Performance of a contract, Consent - where required, obtaining consent for specific types of processing, such as marketing communications. |
Site Optimisation: the device-level information we automatically gather about you allows us to optimise the speed and performance of the website for you. | Legitimate interest. |
Web analytics: we use cookies and the device-level personal information to build a profile of your use of the site, including any transactions that you make, so that we can personalise our marketing offers to you, and to customise your website visits. | Consent. |
Wi-Fi account & usage data: we use data gathered from your use of our free Wi-Fi service to identify where you start and end your train journeys. This helps us to optimise our train service. | Performance of a contract. |
Analysis & modelling: your transaction & location data is also stored on a business insight platform. We use this platform to customise marketing campaigns, for business reporting & for data retention modelling. You can opt out of this use of your data via the contact-us form. | Legitimate interest. |
Surveys: we survey portions of our customer and website/app visitor database periodically to find out more about your travel experience with us, how you use our trains and how we can improve our service delivery to you. We will not confuse this with marketing or promotional messages. | Legitimate interest. |
Travel rewards & promotions via email: if you are an active customer or have enquired about the purchase of our services by creating an account on Chiltern Railways website, Chiltern Railways may send you discounted travel offers via email unless you have opted out. These offers are based on our knowledge of your travel on our trains and your visits to our website and are aimed at providing you with savings that are relevant. | Legitimate interest, Soft opt-in under PECR. |
Email Marketing communications where you have opted-in to receive them. You can opt out of this use of your data via the opt-out link within each email. | Consent. |
Competitions: we offer competition entry via both email and the website. Competition entry is sometimes conditional on providing us with additional demographic information about you, which in turn allows us to further customise our communications and travel offers to you. | Legitimate interest, Consent. |
When you enter a prize draw and/or a competition run by us we are required by The UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (the "CAP Code") to either publish or make available on request the surname and county of major prize winners and, if applicable, their winning entries. This is to help ensure that a valid award takes place. At or before the time of entry, you will have the right to object to your information being published or made available, or to reduce the amount of information published or made available; however, in such circumstances, we must still provide your information and winning entry to the Advertising Standards Agency if challenged. | Legal obligation to ensure compliance with the CAP Code. |
If you agree to act as a judge for any competition that we are running the CAP Code requires that the full names of competition judges are made available on request. | Legal obligation to ensure compliance with the CAP Code and Consent. |
Administration of your tickets and handling queries relating to your tickets, which may contain other Train Operating Companies' products. | Legitimate interest, Performance of a contract. |
When you report a problem with our sites. | Legitimate interest. |
Delay Repay Scheme - Personal Data is processed in order to fulfil the compensation requirement for valid claims as determined by Chiltern's 'Delay Repay 15' Scheme. | Performance of a contract. Chiltern also has a legal obligation to process personal information to enable valid customer delay compensation claims to be fulfilled. |
The use of CCTV, Body Worn Camera (BWC), or other surveillance operation to: Maintain public safety; Maintain the security of our property; Maintain the security of our staff; Assist in the prevention of crime; Reduce the fear of crime and offer reassurance to staff; and Facilitate the apprehension and prosecution of offenders in relation to crime. | Legitimate interest and Legal Obligation. |
To carry out law enforcement activities and exercise public authority or powers as defined in section 31 of the Data Protection Act 2018. This includes activities such as: Prevention, investigation, detection or prosecution of criminal offences including fare evasion and fraud offences; Execution of criminal penalties; Safeguarding against and preventing threats to public security; Detecting and preventing fare evasion and fraud in public transportation systems. | Legal obligations and Public Tasks. |
Storing credit/debit card information on Chiltern website or app. | Consent. |
Information we receive from other sources. We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
You can change your marketing preferences at any time using the contact-us form. If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the "Questions about this Privacy Notice" heading below.
4. Sharing Your Information
We may disclose your personal data to the following categories of recipient for the purposes described in this Privacy Notice:
- Tracsis Travel Compensation Services Limited, of Waterhouse Business Centre Unit 55, 2 Cromar Way, Chelmsford, Essex, for the purpose of managing Chiltern Railways delay compensation scheme, Goodwill Gesture & Authority to Travel provision and associated electronic communications.
- Euler DataOps & Analytics, of The Gateway, 89 Sankey Street, Warrington, Cheshire, WA1 1SR, for the purpose of building a marketing database and business insight platform using Chiltern Railways customer data
- Syrenis Limited, of Vanguard House, Sci-Tech Daresbury, Warrington, WA4 4FS, for the purpose of managing Chiltern Railways customer communications preferences
- Communicator Corporation Ltd, of 18 Mansell Street, Level 3, London, E1 8AA, for the purpose of the transmission of emails from Chiltern Railways
- Wi-Fi Spark Limited, of 5 Cranmere Court, Lustleigh Close, Matford Business Park, Exeter, EX2 8PW, for the purpose of providing station and in-journey Wi-Fi services
- Icomera UK Limited, of Victory House, Quayside, Chatham Maritime, Chatham, ME4 4QU, for the purpose of providing onboard Wi-Fi services
- The Gate London, of The Gate, 34 Bow Street, London, WC2E 7AU, for the purpose of providing analysis reports, strategic recommendations and campaign implementations
- Nagarro Software Limited, of 1 Parkshot, Richmond, TW9 2RD, for the purpose of delivering a digital retail platform and associated services
- Apptentive, Inc, of 24 Roy St. #440, Seattle, Washington, 98109, for the purpose of managing feedback in respect of Chiltern Railways app.
- Motorola Solutions UK Limited, Caledonian Exchange, 19a Canning Street, Edinburgh, EH3 8EY, for the purpose of storing data from body worn camera.
- Rail Delivery Group who provides the back-office technology and infrastructure for Smartcard products
- Other UK Rail Operators in order that they can provide support in respect of your Smartcard products
We may also disclose your personal data to any competent law enforcement body, regulator, government agency or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation; (ii) to exercise, establish or defend our legal rights; or (iii) to protect your vital interests or those of any other person.
We may also transfer your personal data to a buyer or potential buyer (and its agents and advisers) in connection with any reorganisation, restructuring, merger or sale, or other transferring of assets provided that we inform any receiving party it must use your personal information only for the purposes disclosed in this Privacy Notice.
We operate the Chiltern Railways franchise under arrangements with the Secretary of State for Transport and the franchise operations may pass to a successor operator. We may disclose your personal data to the relevant franchising authority and/or any successor operator and any successor operator must use your personal information only for the purposes disclosed in this Privacy Notice.
Finally, we may disclose your data to any other person to whom you request us to make disclosure or if you consent to such disclosure.
5. Data Retention
We will not retain your personal data for longer than is necessary to fulfil the purposes for which we collected that personal information, unless the law permits or requires that we retain it for longer.
The table below explains in more detail how long Chiltern Railways will store different types of information for:
Passenger Information | Retention Period |
---|---|
Passenger details (e.g., name, address, email, phone number, journey details of customer etc): Prospective passengers (non-transactional); Current passengers & Lapsed passengers with transactions. | Prospective Passengers: Retain for 24 months from the date of data collection. Current & Lapsed Passengers: Retain for 36 months following their last transaction. |
Passenger transaction data. | For the duration of the passenger's registration with Chiltern Railways and then for a period of 6 years following the end of the year in which the passenger last transacted with Chiltern Railways; we will retain details of those transactions in line with the reporting requirements of the Companies Act. |
Passenger consents to Customer terms and conditions. | For the duration of the processing of the Personal Data and up to 6 years thereafter. |
Passenger service enquiries - Gesture of Goodwill (CHARM) application. | Information is retained for 36 months/3 years (since last transaction/ interaction). |
Statistical reports/marketing data. | 6 years. |
Register of complaints. | Review after 2 years. |
Correspondence and papers including emails. | Review after 2 years. |
The surname and county of any winners of major prize draws and/or competitions and where applicable, winning entries. | For the duration of the processing. |
Full names of individuals appointed as competition judges. | For the duration of the processing. |
Personal Data: Title, Full Name, Post Code, Address, Contact Number (Optional), Date of Travel, Time of Travel, Length of Delay, Type of Delay, Departing Station, Arrival Station, Ticket Type, Ticket Format, Ticket Duration, Ticket Class, Cost of Ticket, Ticket Image, Photocard ID, Ticket Number, Ticket Reference, Date Valid From, Date Valid To, Station From, Station To, Collection/UTN Reference, Smartcard/Swift Card Number, Oyster Card Number, How the ticket was paid for, BACS Account Number and Sort Code, Amazon Email Address and IP Address. | Review after 2 years. |
6. Information Security
We implement appropriate administrative, technical, and organisational security measures to protect your personal data from unauthorised access, use, disclosure, alteration, or destruction. All data you provide is stored on secure servers. As part of Arriva Ltd., we ensure employees are trained in our data privacy policies and only authorised personnel access personal data as required for their role. We also ensure any third-party service providers we engage implement robust technical and organisational measures to safeguard personal data.
7. Transferring Information Internationally
Your personal data may be transferred to and processed in countries outside the UK. These countries may have different data protection laws. We have implemented safeguards to ensure your personal data remains protected, including using the UK International Data Transfer Agreement (IDTA) and European Commission's Standard Contractual Clauses. Further details on these safeguards are available upon request.
Third party service providers | Data storage location |
---|---|
Icomera (providing Onboard WiFi) | Sweden |
Wi-Fi Spark (providing stations Wi-Fi) | European Union |
Email Service Provider | Ireland |
ACE (booking engine) | European Union |
Apptentive | European Union |
Nagarro Software Limited, a third-party service provider with development team in India. | European Union. While the data itself is stored within the EU, the transfer of personal data to India is conducted under the protection of the UK International Data Transfer Agreement (IDTA) where applicable, ensuring that your data remains safeguarded in compliance with GDPR requirements. These measures include encryption of data and stringent access controls. |
8. Updates to this Privacy Notice
We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws.
You can see when this Privacy Notice was last updated by checking the "last updated" date displayed at the top of this Privacy Notice.
9. Your Data Protection Rights
You have the following data protection rights:
If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us using the contact-us form, or by writing to us:
- Data Protection Officer, The Chiltern Railway Company Limited, Great Central House, Marylebone Station, Melcombe Place, London, NW1 6JW
In addition, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us at:
- Data Protection Officer, The Chiltern Railway Company Limited, Great Central House, Marylebone Station, Melcombe Place, London, NW1 6JJ
- Email: [email protected]
If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
We respond to all requests from individuals seeking to exercise their data protection rights in accordance with applicable data protection laws. When you submit a request, we consider the privacy rights of relevant individuals and other legal and regulatory requirements. Consequently, there may be limits to the extent to which we can fulfil your request.
We aim to update your consent preferences as promptly as possible. Typically, any changes to your preferences will be processed within 15 days of receiving your request. However, in certain circumstances, such as during an ongoing marketing campaign or other automated processes, it may take up to 30 or more days to fully implement your changes.
10. Questions about this Privacy Notice
If you have any questions, concerns or complaints about this Privacy Notice or our handling of your personal data, you can contact us by email on [email protected] or by post to the following address:
- Data Protection Officer, The Chiltern Railway Company Limited, Great Central House, Marylebone Station, Melcombe Place, London, NW1 6JJ
You have the right to complain to a data protection authority about our collection and use of your personal information. The Information Commissioner's Office (ICO) contact details are as follows:
- Website: https://ico.org.uk/
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
If you are based in the European Economic Area, please contact your local data protection authority. Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries are available on the EU Commission's website via the following link: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
The controller of your personal data is The Chiltern Railway Company Limited.