- About
- Home
- /
- Privacy Policy
- Executive Summary
- Privacy Policy
- 2.1 What personal data do we collect?
- 2.2 Cookies
- 2.3 How do we use your personal data and what is the legal basis for such processing?
- 2.4 Sharing Your Information
- 2.5 Data Retention
- 2.6 Information Security
- 2.7 Updates to this Privacy Notice
- 2.8 Your Data Protection Rights
- Executive Summary
- Privacy Policy
- your name and / or address
- your phone number,
- your financial and credit card information,
- your email address,
- your personal description, gender or medical information.
- CCTV and BWC (Body Warn Cameras) images
- technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform
- where we have your consent to do so;
- where the processing is necessary to perform our contract with you; or
- where the processing is in our legitimate interests or those of a third party and such interests are not overridden by your data protection interests or fundamental rights and freedoms; and
- where we have a legal obligation to process your personal information.
- Transport for London
- Other Arriva businesses
- Office of Road and Rail, Rail Delivery Group and other Rail Industry Partners and Regulators
- Police and Security Services, all parties of the Criminal Justice System
- Solicitors
- Emergency Services
- Pre-employment reference providers
- If you wish to access, correct, update or request deletion of your personal information, you can do so at any time using by contacting customerservices@tfl.gov.uk
- In addition, you can object to the processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting customerservices@tfl.gov.uk
- If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
Privacy Policy
Arriva Rail London Privacy Policy
Last updated 04/03/2024
Arriva Rail London (”We”) are committed to protecting and respecting your privacy.
This policy (together with our Website Terms of Use (Terms) any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
By visiting our website and/or using our services and providing your information in the circumstances described below, you are accepting and consenting to the practices described in this policy.
For the purpose of Data Protection Legislation, Arriva Rail London, 4th Floor Palestra House, 197 Blackfriars Road, Southwark, SE1 8NJ, are the ‘Data Processor’ on behalf of TFL the ‘Data Controller’.
For the purposes of CCTV & BWC (Body Worn Cameras) (with the exception of on-board CCTV) ARL, 4th Floor Palestra House, 197 Blackfriars Road, Southwark, SE1 8NJ, are the ‘Data Controller’.
2.1 What personal data do we collect?
Information provided by you.
You may give us information about you by filling in forms, corresponding with us by phone, speaking with us to populate forms, or communicating with us via information or emergency help points. This includes information you provide when you collect or purchase tickets and oyster related products or railcards, apply for a refund or make changes, commit a crime, provide feedback, enter a competition, claim a gesture of goodwill, or claim lost property.
The information you give us may include:
Information we collect about you
Information we receive from other sources
We are also working closely with third parties (including, for example, business partners, sub-contractors, TFL, the British Transport Police, local and regional police) and may receive information about you from them.
Sensitive personal data
We will not intentionally or systematically seek to collect, store or otherwise use information about you classed as ‘special categories of data’ or ‘sensitive data’ (for example, information relating to any trade union membership, ethnic origin or health).
2.2 Cookies
Our site uses cookies to distinguish you from other users of our site. This helps us to provide you with a good experience when you browse our site and also allows us to improve our sites. For detailed information on the cookies we use and the purposes for which we use them see our Cookie policy.
2.3 How do we use your personal data and what is the legal basis for such processing?
The collection of the personal data described above is usually mandatory and, if such personal data is not provided, we will not be able to provide the information, products and services to you. Where the collection of any personal data is not mandatory, we will inform you of this prior to collection, as well as the consequences of failing to provide the relevant personal data.
Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
However, we will normally process your personal information only:
Arriva Rail London makes regular contact with community groups and other stakeholders. These contact details are used to discuss on-station projects and to identify opportunities to work closer together. Details may be passed to other colleagues within ARL or TfL where it is appropriate, in order to widen the conversation about particular projects or collaborative opportunities. When new projects are planned, new stakeholders are consulted with.
Information provided by you. We use your personal information as follows:
Purpose of processing
Legal basis for processing
To provide you with products or services you request from us, for example, the provision of tickets.
Necessary for the performance of a contract.
To provide you with refunds or make amendments to tickets purchased as requested by you.
Necessary for the performance of a contract.
To issue penalty fares and irregularity reports for the prevention and reduction of ticketless travel and fare evasion on behalf of TFL; also to include railway byelaws
Legal Obligation and necessary for the performance of a contract.
To report crime
Legal Obligation
To return lost property to you
Performance of a contract
To engage with the community and community projects
Performance of a contract, necessary for the purposes of legitimate interests as outlined above.
To manage and report accidents, incidents, assaults or dangerous occurrences for the purpose of ensuring the health and safety of our customers and employees and reduce the risk of reoccurrence.
Legal Obligation
Provisions of help and assistance
Performance of a contract
To enable visitors to gain entry/access to Arriva Rail London premises.
Performance of a contract
To provide you with help and assistance at your request using the information and emergency help points.
Performance of a contract
For recruitment and assessment for job vacancies, apprenticeships or placements.
Performance of a contract
To investigate complaints
Performance of a contract
Information we collect about you. We use your personal information as follows:
Purpose of processing
Legal basis for processing
Crime and Security for the prevention and detection of crime. Images (CCTV and Body Worn Cameras) are recorded for the purpose of Customer Security, Staff Security, Crime Prevention and Public Safety at stations, on the platform, on the train or at office accommodation.
Legal Obligation and Legitimate Interest
Health and Safety to ensure health and safety and wellbeing of customers and employees
Legal Obligation
Training for health and safety and security
Legitimate Interest
Recruitment and assessment
Performance of a contract
Information we receive from other sources. We use your personal information as follows:
Purpose of processing
Legal basis for processing
For the purposes of recruitment; references from previous employers, reports from external suppliers for pre-employment testing or medical reports.
Performance of a contract
We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “Questions about this Privacy Notice” heading below.
2.4 Sharing Your Information
We may disclose your personal data to the following categories of recipient for the purposes described in this Privacy Notice, for example: the provision of ticketing, processing of refunds, returning lost property, for reasons of health and safety or for the prevention and detection of crime.
We may also disclose your personal data to any competent law enforcement body, regulator, government agency or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation; (ii) to exercise, establish or defend or legal rights; or (iii) to protect your vital interests or those of any other person;
We may also transfer your personal data to a buyer or potential buyer (and its agents and advisers) in connection with any reorganisation, restructuring, merger or sale, or other transferring of assets provided that we inform any receiving party it must use your personal information only for the purposes disclosed in this Privacy Notice.
We operate the London Overground concession agreement under arrangements with Rail For London Ltd and the concession operations may pass to a successor operator. We may disclose your personal data to the relevant authority and/or any successor operator and any successor operator must use your personal information only for the purposes disclosed in this Privacy Notice.
Finally, we may disclose your data to any other person to whom you request us to make disclosure or if you consent to such disclosure.
2.5 Data Retention
We will not retain your personal data for longer than is necessary to fulfil the purposes for which we collected that personal information, unless the law permits or requires that we retain it for longer.
The table below explains in more detail how long Arriva Rail London will store different types of customer information for:
Passenger Information
CCTV
31 Days Maximum
Or as legally required in connection with accidents, incidents or crime, or in fulfilling a subject access request
BWC
Up to 31 days before auto-deletion or 28 days after download in case of system fault.
Or as legally required in connection with accidents, incidents or crime, or in fulfilling a subject access request
Passenger details (e.g., name, address of customer etc) (i) Prospective passengers (ii) Current passengers (iii) Lapsed passengers
3 years
Passenger financial data
6 years
Community stakeholders
6 years, for the life of the concession or if the stakeholder changes
Customer details relating to accidents
4 years or 7 years pending compensation claims
Voice recordings for passenger enquiries or emergencies
31 Days
Job applications and interview records for unsuccessful candidates
6 months after notifying unsuccessful candidates.
2.6 Information Security
We apply appropriate administrative, technical and organisational security measures to protect your personal data that is under our control from unauthorised access, collection, use, disclosure, copying, modification or disposal. All information you provide to us is stored on secure servers. We are part of the Arriva plc Group, which trains its employees regarding our data privacy policies and procedures and permit authorised employees to access personal data on a need to know basis, as required for their role. We also take steps to ensure that any service provider that we engage to process personal data on our behalf takes appropriate technical and organisational measures to safeguard such personal data.
2.7 Updates to this Privacy Notice
We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws.
You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.
2.8 Your Data Protection Rights
You have the following data protection rights:
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
2.9 Questions about this Privacy Notice
If you have any question, concerns or complaints about this Privacy notice on our handling of your personal data, you can contact us at data.protecion@arrivarl.co.uk or by post to the following address:
HR Department
Arriva Rail London
4th Floor Palestra House
197 Blackfriars Road
Southwark
London
SE1 8NJ
If you are unsatisfied with the response, you can contact Arriva plc’s Data Protection Officer at data.protection@arriva.co.uk.
You have the right to complain to a data protection authority about our collection and use of your personal information. If you are based in the European Economic Area, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries are available on the EU Commission’s website via the following link): http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm)
Who do I contact if I have any requests, queries or complaints about use of the body worn video cameras or CCTV on London Overground?
For queries, please contact the First Contact Team
They are open 24 hours a day, 7 days a week. Call 0343 222 1234 or Webform > www.tfl.gov.uk
Or send a letter to:
TfL Customer Service
4th Floor
14 Pier Walk
London SE10 0ES
Or scan the QR Code to access the TfL Website:
