Skip to main content
Chiltern Railways - logo

Privacy

Chiltern Railway Company Limited Privacy Policy

Last updated September 2017

The Chiltern Railway Company Limited (”We”) are committed to protecting and respecting your privacy.

This policy (together with our Website Terms of Use (https://www.chilternrailways.co.uk/terms-and-conditions) and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting https://www.chilternrailways.co.uk/, or providing your information in the circumstances described below, you are accepting and consenting to the practices described in this policy.

For the purpose of the Data Protection Act 1998 (the “Act”), the data controller is Chiltern Railway Company Limited of 1 Admiral Way, Doxford International Business Park, Sunderland SR3 3XP.

1. What personal data do we collect?

  • Information provided by you. You may give us information about you by filling in forms on our site https://www.chilternrailways.co.uk/ (our site) or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you register to use our sites (either directly or via your social media account), download our app, subscribe to our services, purchase tickets, register to receive email updates, register with us to use our on-train wi-fi service, enter a competition, promotion or survey and when you report a problem with our sites or make a complaint. The information you give us may include your name, address, e-mail address and phone number, financial and credit card information, personal description and photograph, geographical location, IP or MAC address or details regarding your use of your mobile device or PC (specifically when you register to use our on-train wi-fi service).
     
  • Information we collect about you. With regard to each of your visits to our sites or register to use our on-train wi-fi services we may automatically collect the following information:
     
    • technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
       
    • information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our sites (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
       
  • Information we receive from other sources. We may receive information about you if you use any of the other websites we operate or the other services we provide. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.
     
  • Sensitive personal data. We will not intentionally or systematically seek to collect, store or otherwise use information about you classed as ‘special categories of data' or 'sensitive data' (for example, information relating to any trade union membership, ethnic origin or health).

2. Cookies

Our site uses cookies to distinguish you from other users of our site. This helps us to provide you with a good experience when you browse our site and also allows us to improve our sites. For detailed information on the cookies we use and the purposes for which we use them see our Cookie policy at : https://www.chilternrailways.co.uk/cookie-policy.

3. How do we use your personal data and what is the legal basis for such processing?

The collection of the personal data described above is usually mandatory and, if such personal data is not provided, we will not be able to provide the information, products and services to you. Where the collection of any personal data is not mandatory, we will inform you of this prior to collection, as well as the consequences of failing to provide the relevant personal data.
 
Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
 
However, we will normally process your personal information only:
  • where we have your consent to do so;
     
  • where the processing is necessary to perform our contract with you; or
     
  • where the processing is in our legitimate interests or those of a third party and such interests are not overridden by your data protection interests or fundamental rights and freedoms. Such legitimate interests relate to our interests in ensuring that the services we provide to you are administered effectively and that you are informed about material aspects of the administration of the services, including in circumstances where we are not mandated by law to provide you with such information; and
     
  • where we have a legal obligation to process your personal information.
Information provided by you. We use your personal information as follows:
 
Purpose of processing Legal basis for processing
To carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us. Necessary for the performance of a contract with you or to take steps to enter into a contract.
To provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about. Consent provided by you.
To provide you with information about goods or services we feel may interest you. If you are an existing customer, we will only contact you by electronic means (e-mail or SMS) with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you. If you are a new customer, we will contact you by electronic means only if you have consented to this. Consent provided by you.
To notify you about changes to our service. Necessary for the performance of a contract with you or to take steps to enter into a contract.
To ensure that content from our sites is presented in the most effective manner for you and for your computer. Processing necessary for the purposes of the legitimate interests outlined above.
   
 
 
Information we collect about you. We use your personal information as follows:
 
Purpose of processing Legal basis for processing
To administer our sites and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes
To monitor our sites to make sure they are functioning correctly and improve the customer experience to help you purchase the best value tickets for your journey
 
Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
To improve our sites to ensure that content is presented in the most effective manner for you and for your computer.
To allow our customers to purchase train tickets and find the correct tickets for your journey
 
Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
To allow you to participate in interactive features of our service, when you choose to do so.
To improve your customer experience when purchasing train tickets and using our train services to keep you informed
 
Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
As part of our efforts to keep our sites safe and secure.
To protect your personal data when purchasing train tickets.
 
Processing is necessary to protect the vital interests of a data subject or another person
To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you. Consent provided by you.
To make suggestions and recommendations to you and other users of our sites about goods or services that may interest you or them. Consent provided by you.
 
 
Information we receive from other sources. We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
 
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “Questions about this Privacy Notice” heading below.

4. Sharing Your Information

We may disclose your personal data to the following categories of recipient for the purposes described in this Privacy Notice:
  • Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you. including rail ticket retail sales, rail disruption information services, rail timetable services, email marketing services, bus ticket retail sales, and European rail ticket sales.
     
  • Companies within the Arriva group for the performance of any contract we enter into with them or you. including Arriva UK bus, Deutsche Bahn trains.
     
  • Analytics and search engine providers that assist us in the improvement and optimisation of our sites. third party service providers who will process personal data on our behalf (such as IT service providers, communications service providers and analytics providers).
We may also disclose your personal data to any competent law enforcement body, regulator, government agency or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation; (ii) to exercise, establish or defend or legal rights; or (iii) to protect your vital interests or those of any other person;
 
We may also transfer your personal data to a buyer or potential buyer (and its agents and advisers) in connection with any reorganisation, restructuring, merger or sale, or other transferring of assets provided that we inform any receiving party it must use your personal information only for the purposes disclosed in this Privacy Notice.
 
We operate the Chiltern Railways franchise under arrangements with the Secretary of State for Transport and the franchise operations may pass to a successor operator. We may disclose your personal data to the relevant franchising authority and/or any successor operator and any successor operator must use your personal information only for the purposes disclosed in this Privacy Notice.
 
Finally, we may disclose your data to any other person to whom you request us to make disclosure or if you consent to such disclosure.

5. Data Retention

We will not retain your personal data for longer than is necessary to fulfil the purposes for which we collected that personal information, unless the law permits or requires that we retain it for longer.
 
The table below explains in more detail how long Chiltern Railways will store different types of customer information for:
 
Passenger Information Duration
Passenger details (e.g., name, address of customer etc)
(i) Prospective passengers - never transacted customers
 
(ii) Current passengers - customers who have transacted in the last 13 months
 
(iii) Lapsed passengers - customers who have not transacted in the last 13 months but have transacted at least 14 months ago
6-12 months
 
For the duration of the passenger's registration with the Customer and then for the period specified for lapsed passengers. 
For a period of 6 years following the end of the year in which the passenger last purchased the Customer's services
Passenger data For the duration of the passenger's registration with the Customer and then for a period of 6 years following the end of the year in which the passenger last purchased the Customer's services
Passenger consents to Customer terms and conditions For the duration of the processing of the Personal Data and up to 6 years thereafter
Passenger service enquiries 3 years
Statistical reports/marketing data Six (6) years
Register of complaints Review after 10 years
Correspondence and papers including emails
Review after 6 years (or 10 years if the documents relate to a complaint or investigation)

 

6. Information Security

We apply appropriate administrative, technical and organisational security measures to protect your personal data that is under our control from unauthorised access, collection, use, disclosure, copying, modification or disposal. All information you provide to us is stored on secure servers.
 
We are part of the Arriva plc Group, which trains its employees regarding our data privacy policies and procedures and permit authorised employees to access personal data on a need to know basis, as required for their role. We also take steps to ensure that any service provider that we engage to process personal data on our behalf takes appropriate technical and organisational measures to safeguard such personal data.

7. Transferring Information Internationally

Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country [(and in some cases, may not be as protective)].
 
Specifically, we may use third party service providers located in the United States of America, Canada, . This means that, when we collect your personal information, it may be processed in these countries. However, we have taken appropriate safeguards to require that your personal data will remain protected in accordance with this Privacy Notice. [These safeguards include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information to our third party service providers and further details can be provided upon request].

8. Updates to this Privacy Notice

We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws.
 
You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.

9. Your Data Protection Rights

You have the following data protection rights:
  • If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us at any time at https://www.chilternrailways.co.uk/contact-us.
     
  • In addition, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us at https://www.chilternrailways.co.uk/contact-us.
     
  • If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

10. Questions about this Privacy Notice

If you have any question, concerns or complaints about this Privacy notice or our handling of your personal data, you can contact us at https://www.chilternrailways.co.uk/contact-us or by post to the following address:

Customer Services
Banbury ICC
Merton Street
Banbury
Oxfordshire
OX16 4RN
 
If you are unsatisfied with the response, you can contact Arriva plc's Data Protection Officer at : data.protection@arriva.co.uk.
 
You have the right to complain to a data protection authority about our collection and use of your personal information. If you are based in the European Economic Area, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries are available on the EU Commission's website via the following link): http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm)
 
The controller of your personal data is Chiltern Railway Company Limited