Arriva Rail North Ltd (“Northern”) are committed to protecting and respecting your privacy.
This notice (together with our Website Terms and Conditions and Booking Service Terms and Conditions, Customer Promise and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by Northern or our processing partners. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting www.northernrailway.co.uk or www.buytickets.northernrailway.co.uk or providing your information in the circumstances described below, you are accepting and consenting to the practices described in this policy.
For the purpose of the Data Protection Laws, the data controller is Arriva Rail North Ltd (“Northern”) and the data processors are Trainline.com Ltd (“Trainline”), the-espgroup.com/journeycall/ (“Journeycall”) and smith-ouzman.com (“Smith & Ouzman”).
Individuals are advised that when using the “Website” (those pages with a web address prefixed by www.northernrailway.co.uk), these pages are managed by Northern as the data controller (a company registered in England and Wales with registration number 04337712 and registered to 1 Admiral Way, Doxford International Business Park, Sunderland SR3 3XP).
Individuals who purchase tickets from Northern are advised that when using the “Booking Service” (transactional pages prefixed by www.buytickets.northernrailway.co.uk), these pages are managed by Trainline.com Limited (“Trainline”) as Northern’s data processor and issuer of train ticket(s) (a company registered in England and Wales with a registration number of 03846791 and registered to 120 Holborn, London, EC1N 2TD).
References to “Northern”, “Northern Railway”, “we”, “us” or “our” can also refer to our data processor Trainline.com Ltd, who process tickets and information on our behalf.
Information provided by you
You may give us information about you by filling in forms on www.northernrailway.co.uk or www.buytickets.northernrailway.co.uk, or by contacting the Customer Experience Centre (CEC). This includes, but is not limited to, information you provide during the following activities:
- Register and consent to receive marketing information
- Register to buy ticket(s) or open a Northern account
- Download our app
- Register to use Wi-Fi
- Purchase ticket(s)
- Enter a competition
- Provide answers to a promotion or survey
- Report a fault or problem with our station(s) or train(s)
- Report a fault or problem with our website
- Make a complaint or enquiry
The information you give us may include, but is not limited to, the following:
- First name and last name
- Date of birth
- Address details including postcode
- Email address
- Phone number – mobile, home or work
- Disability details (Passenger assistance)
- Bank details for compensation claims
- Transaction metadata (e.g. journey details)
- Relevant rail discount or loyalty cards
- Limited amount of personal data of any other passengers you are booking tickets for
- Personal descriptions and photographs
Information you may provide via our website(s)
- Geographical location – you will be asked if you wish to provide your location
- IP or MAC address or details regarding use of your mobile device or PC
Information we collect about you
With regard to each of your visits to either www.northernrailway.co.uk or www.buytickets.northernrailway.co.uk, or if you register to use our Wi-Fi services, we may automatically collect the following information:
- Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
- Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our sites (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number
Information we receive from other sources
We may receive information about you if you use any of the other websites we operate or the other services we provide. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.
Sensitive personal data
We will not intentionally or systematically seek to collect, store or otherwise use information about you classed as ‘special categories of data' or 'sensitive data' (for example, information relating to any trade union membership, ethnic origin or health).
The collection of the personal data described in Section 2, “What personal data do we collect?” is usually mandatory and, if such personal data is not provided, we will not be able to provide the information, products and services to you. Where the collection of any personal data is not mandatory, we will inform you of this prior to collection, as well as the consequences of failing to provide the relevant personal data.
Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
However, we will normally process your personal information only:
- Where we have your consent to do so
- Where the processing is necessary to perform our contract with you
- Where the processing is in our legitimate interests or those of a third party and such interests are not overridden by your data protection interests or fundamental rights and freedoms
- Where we have a legal obligation to process your personal information.
Information provided by you. We use your personal information as follows:
|Purpose of processing|Legal basis for processing|
|---|---|
|Account registration – Website|Performance of a contract|
|Account registration – Booking Service|Performance of a contract|
|Registration for WiFi and email confirmation|Performance of a contract|
|Email confirmation of Booking Service registration|Performance of a contract|
|Email confirmation about your tickets for train services purchased|Performance of a contract|
|Provision of your tickets to use our services|Performance of a contract|
|Fraud checks – automated|Performance of a contract related to Ticket purchase|
|Completion of survey related to flat fare offers|Performance of a contract (in the T&Cs)|
|Completion of forms for special offers or discounts, such as collecting tokens from partner newspapers for our daily or weekend hop on hop off flat fare offers. Details need to be completed in order to redeem the offer|Performance of a contract|
|Completion of forms for annual season ticket through the Northern corporate season ticket scheme|Performance of a contract|
|Information you provide to Northern by filling in forms on our site or that you email us|Performance of a contract|
|Suggestions, complaints and appeals|Performance of a contract|
|Claims for compensation and refunds|Performance of a contract|
|Franchise change information, for example if the Northern Franchise passes to the Government, another legal entity or operating company|Legal obligation|
|Travel Assistance - Journeycall|Legal obligation|
|CCTV and body worn cameras|Legal obligation for the prevention and detection of crime|
|Email and completion of rail travel surveys|Legitimate interest|
|Annual reminder of upcoming season ticket expiry for corporate season ticket scheme holders|Legitimate interest|
|Recording customer phone calls and retaining the recordings for a period of three months|Legitimate interest|
|Emails about service changes, such as timetable changes, engineering works or strike information|Legitimate interest|
|Corporate season ticket scheme e-newsletter updates and information|Legitimate interest|
|Messages to Northern via social media|Legitimate interest|
|Consent to receive marketing emails|Consent|
|Customer experience feedback and surveys|Consent|
Information we collect about you. We use your personal information as follows:
|Purpose of processing|Legal basis for processing|
|---|---|
|IP address to infer approximate location for our booking service (we will ask for permission to use this)|Legitimate interest to provide relevant journey information based on your current location – you will be asked to confirm via your browser if you wish this information to be known|
|Using your IP address for Fraud checks|Legitimate interest|
Information we receive from other sources.
We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
Third parties who process your personal data on our instructions:
- We use third party service providers to carry out many of the activities listed in Section 4, “How we use your personal data and the legal basis for such processing”. This includes our Customer Relationship Management (CRM) provider EDIT and Trainline.com. It also includes travel assistance provided by Journeycall and cashable vouchers provided by Smith & Ouzman.
- Our service providers act on our instructions, and we ensure that they take measures to keep your personal data safe.
- Fraudulent payment detection. We use a US-based payment provider who is PCI DSS Level 1 accredited and who may interrogate your payment data. Your payment data is used only for the transaction and is not retained any longer than is required for payment processing, fraud detection/prevention and auditing.
- We don’t allow our service providers to use your personal data for any purpose other than carrying out the service in question, and we only provide them with those parts of your personal data that they actually need.
- All payments for ticket purchase through Visa and Mastercard are processed by Trainline.com Limited as outlined in Section 1, “Who is responsible for your data?”
Other UK Rail Operators
- We share your personal data with some operators for ticket fulfilment purposes
- We may share your email address or phone number with some operators so that they can contact you with service messages, for example if a train is cancelled.
- We may also need to share some of your personal data with any other transport carriers or other service providers who provide you with any part of the services that you’ve booked through us.
- In the event of delay repay, compensation or refund request incorrectly received by Northern we will pass the full details of your claim onto the correct UK Rail provider.
- In some circumstances we have a legal obligation to share parts of your personal data with police or customs authorities, regulatory authorities, government & law enforcement agencies. This may include, but is not limited to, fraud prevention and detection.
- We may also disclose your personal data to any competent law enforcement body, regulator, government agency such as Rail North, the Department for Transport (DFT) or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation; (ii) to exercise, establish or defend our legal rights; or (iii) to protect your vital interests or those of any other person.
- We may disclose your data to any other person to whom you request us to make disclosure or if you consent to such disclosure.
We will not retain your personal data for longer than is necessary to fulfil the purposes for which we collected that personal information, unless the law permits or requires that we retain it for longer.
The table below explains in more detail how long Northern will store different types of customer information for:
|Type of customer information|How long we store it|
|---|---|
|Passenger details (e.g., name, address of customer etc.): (i) Current passenger|For the duration of the passenger's registration with Northern and then for the period specified for lapsed passengers.|
|Passenger details (e.g., name, address of customer etc.): (ii) Lapsed passengers|For a period of 6 years following the end of the year in which you last purchased Northern's services.|
|Passenger data|For the duration of the passenger's registration with the Customer and then for a period of 6 years following the end of the year in which the passenger last purchased the Customer's services.|
|Passenger consents to customer terms and conditions|For the duration of the processing of the Personal Data and up to 6 years thereafter.|
|Passenger service enquiries|3 years|
|Statistical reports/marketing data|6 years|
|Register of complaints|Review after 10 years|
|Correspondence and papers including emails|Review after 6 years (or 10 years if the documents relate to a complaint or investigation)|
|WiFi registration|Once you have created an account to use WiFi services, the account information you provide will be retained for a period of one year. At the end of the one year period you will be asked to re-confirm your details when you log in and, if necessary, update your details to continue receiving WiFi services.|
|Prospective customers|www.northernrailway.buytickets.co.uk then the information regarding customers (below) will apply. We will review account information on an annual basis and we may contact you to ask if you still wish to retain your account.|
|Customers|www.buytickets.northernrailway.co.uk we will keep your account for up to six years following the end of the year in which you last purchased Northern’s services.|
|Marketing permissions and preferences|If you have given Northern permission to send email marketing messages to you then we will retain your marketing preferences until you notify us that you no longer wish to receive marketing emails by logging into your account and updating your marketing preferences. We will review marketing preferences annually and may contact you to ask if you still wish to continue receiving marketing emails.|
We apply appropriate administrative, technical and organisational security measures to protect your personal data that is under our control from unauthorised access, collection, use, disclosure, copying, modification or disposal. All information you provide to us is stored on secure servers. Northern are part of the Arriva plc Group, which trains its employees regarding our data privacy policies and procedures and permits authorised employees to access personal data on a need to know basis, as required for their role. We also take steps to ensure that any service provider that we engage to process personal data on our behalf takes appropriate technical and organisational measures to safeguard such personal data.
Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country.
You have the following data protection rights:
- If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting Northern
- Please note: We retain personal information from deactivated accounts to comply with law, prevent fraud, collect any fees owed, resolve disputes, assist with any investigations, enforce our terms and conditions, and take other actions otherwise permitted by law. We may also retain some pseudonymous data for analytics purposes so we can understand, for example, how many visitors we have had to the Website or Booking Service.
- If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. You can update your consent preferences at any time by logging into your account. Please note it can take up to 48 hours for this information to be updated.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
Arriva Rail North Ltd
1 Admiral Way
Doxford International Business Park
You have the right to complain to a data protection authority about our collection and use of your personal information. If you are based in the European Economic Area, please contact your local data protection authority. Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries are available on the EU Commission's website via the following link: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
The controller of your personal data is Northern.