Personal data is defined as any information that either by itself, or put together with other information, can identify a living individual.

Whenever we process your personal information we have to have something called a “legal basis” (a legal reason) for what we do. The different legal bases we rely on are:

• •    Consent: You have told us you are happy for us to process your personal information for a specific purpose (s);
• •    Legitimate interest/recognised legitimate interests: The processing is necessary for us to conduct our services, but not where our interests are overridden by your interests or rights.
• •    Performance of a contract: We must process your personal information in order to be able to provide you, or a third party with one of our products or services;
• •    Vital interests: The processing of your personal information is necessary to protect you or someone else’s life;
• •    Legal obligation: We are required to process your personal information by law.
   

In the limited circumstances that we need to process your special category data (personal data that is considered sensitive and requires extra protections in place), we’re legally required to have at least one additional legal basis in place.  This will most likely be one of the following;

• •    Explicit consent: This is where you have explicitly provided your consent for us to process your data. An example of this is the health information you provide to Passenger Assist.
• •    Legal claims and judicial acts: Where Chiltern Railways need to process your special category data to create, exercise or defend legal claims.
• •    Substantial public interest: This is when Chiltern Railways need to process your special category data for reasons of substantial public interest (e.g. regulatory requirements, preventing or detecting unlawful acts).
  
   

We will share your personal data with the following third parties as part of the purposes set out above:

The Arriva Group

Third parties we partner with – we work with different third parties to ensure we deliver the best possible service to our customer. These third parties include:

• •    Legal, regulatory, and insurance-related third parties
• •    Marketing and advertising partners
• •    IT support, data hosting, and system administrators
• •    Ticketing and payment service providers
• •    Mailing houses sending pre-booked tickets and marketing materials
• •    Website developers and hosting providers managing website content and personalised messaging
• •    Wi-Fi providers supporting onboard internet services
• •    Website analytics and customer research agencies

Other organisations and individuals - we may share your personal information in certain scenarios. For example, we may disclose your personal data to any competent law enforcement body, regulator, government agency or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation; (ii) to exercise, establish or defend or legal rights; or (iii) to protect your vital interests or those of any other person.

We may also transfer your personal data to a buyer or potential buyer (and its agents and advisers) in connection with any reorganisation, restructuring, merger or sale, or other transferring of assets.

We operate the Chiltern Railways franchise under arrangements with the Secretary of State for Transport and the franchise operations may pass to a successor operator. We may disclose your personal data to the relevant franchising authority and/or any successor operator, who will use your personal information only for the purposes disclosed in this Privacy Notice.
 

Some of our third-party partners are based outside of the United Kingdom and we do occasionally transfer your personal data to them.  When we do this we ensure that there are one or more appropriate safeguards in place ensuring your data is kept protected in line with data protection legislation.

You have a number of rights under data protection legislation which, in certain circumstances, you may be able to exercise in relation to the personal information we process about you. These include:

• •    the right to access a copy of the personal information we hold about you;
• •    the right to correction of inaccurate personal information we hold about you;
• •    the right to restrict our use of your personal information;
• •    the right to be forgotten;
• •    the right of data portability; and
• •    the right to object to our use of your personal information.

From the 19th of June 2026 individuals have a new statutory "right to complain".  This allows you to complain directly to us if you’re unhappy about how we have handled your personal data.  

If you are seeking to exercise any of these rights, please contact us using the details in the "Contact Us" section below. Please note that we will need to verify your identity before we can fulfil any of your rights under data protection law. This helps us to protect your personal data against fraudulent requests.
 

We will keep your personal information for the purposes set out in this privacy policy and in accordance with the law and only for as long as is necessary. In most cases, our retention period will come to an end 7 years after the end of your relationship with us.

If you would like to exercise one of your rights as set out in the "Your rights" section above, or you have a question or a complaint about this policy, or the way your personal information is processed, please contact us by one of the following means:

By email: [email protected] 

By post: Data Protection Officer, The Chiltern Railway Company Limited, Great Central House, Marylebone Station, Melcombe Place, London, NW1 6JJ

You also have the right to lodge a complaint with the UK regulator, the Information Commissioner. Please visit ico.org.uk/concerns to find out more.