Privacy Policy
1. Executive Summary
CrossCountry (”We”) are committed to protecting and respecting your privacy.
This policy (together with our Website Terms of Use (www.crosscountrytrains.co.uk) and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting our website (either www.crosscountrytrains.co.uk or www.buytickets.crosscountrytrains.co.uk ) or providing your information in the circumstances described below, you are accepting and consenting to the practices described in this policy.
This policy was last updated 06/08/2024
For the purpose of Data Protection Legislation, the data controller is XC Trains Limited (known as CrossCountry), Admiral Way, Doxford International Business Park, Sunderland, SR3 3XP
2. Privacy Policy
Information provided by you.
You may give us information about you by filling in forms on our site www.crosscountrytrains.co.uk or www.buytickets.crosscountrytrains.co.uk or that you email to us by corresponding with us by phone, e-mail or otherwise. This includes when you subscribe and/or register for any service that we may provide via our site or when you complete transactions or respond to surveys. This also includes information you provide when you register to use our sites, download our app, subscribe to our services, purchase tickets, register to receive email updates, register with us to use our on-train WiFi service, enter a competition, promotion or survey, when you contact us via our social media channels and when you report a problem with our sites or make a complaint.
The information you give us may include:
- your name
- address
- e-mail address
- phone number
- financial and credit card information
- personal description
- geographical location
- IP or MAC address
- details regarding your mobile phone or PC (especially when you register to use our on-train WiFi service)
- Personal comment or quotation
- Image and audio in film recording
For Arriva Business Retail customers, in addition to the above the information you give us may include:
- Your reason for travel
- Work phone number
- Work email address
Passive collection of information
We may collect and process anonymous information about your use of the Website or Booking Service, such as some of the pages you visit and some of the searches you perform. Such information is used by us to help us improve the contents of the Website or Booking Service and to compile, for internal market research purposes, aggregate statistics about individuals using it. This kind of anonymous information can be obtained by our use of "cookies" as well as other means. Please see Section 2.2, 'Cookies' for more information on our use of cookies. We may also share anonymous information about your use of the Booking Service with third parties for analytical purposes.
Information we collect about you.
With regard to each of your visits to our sites or when you register to use our on-train WiFi services we may automatically collect the following information:
- Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our sites (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
- Details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access (this is used to help track the performance of our website).
- We may also collect information about your computer, including where available your IP address, operating system and browser type for system administration, to improve the structure and content of our site and to report aggregated information to our advertisers and marketing agencies. This is statistical data about your browsing actions and patterns which in turn enables us to track the performance of our site and advertising efforts. It also allows us to serve relevant advertising that is likely to be of interest to you and does not identify any individual. For this reason, we may collect this information even if you do not register with us on our website
Information we receive from other sources.
We may receive information from other sources if you have provided permission for this to happen or if there is a legal reason for it to occur.
We may receive information about you if you use our website, or any Arriva Business Retail Website. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.
Special Category (aka sensitive) personal data
We will not intentionally or systematically seek to collect, store or otherwise use information about you classed as ‘special categories of data' or 'sensitive data'.
If you require any extra assistance to help you make your journey, we offer our JourneyCare service, this may involve you providing us with sensitive personal data relating to your health.
Our site uses cookies to distinguish you from other users of our site. This helps us to provide you with a good experience when you browse our site and also allows us to improve our sites. For detailed information on the cookies we use and the purposes for which we use them see our Cookie policy at https://www.crosscountrytrains.co.uk/cookie-policy.
We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
The collection of the personal data described above is usually mandatory and, if such personal data is not provided, we will not be able to provide the information, products and services to you. Where the collection of any personal data is not mandatory, we will inform you of this prior to collection, as well as the consequences of failing to provide the relevant personal data.
Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
However, we will normally process your personal information only:
- where we have your consent to do so;
- where the processing is necessary to perform our contract with you; or
- where the processing is in our legitimate interests or those of a third party and such interests are not overridden by your data protection interests or fundamental rights and freedoms; and
- where we have a legal obligation to process your personal information.
2.3.1. Information provided by you. We use your personal information as follows:
Information provided by you for Safety purposes
Area | Purpose of processing | Legal basis for processing |
Accidents, Incidents, Assaults, or Dangerous Occurrences
|
To meet our statutory obligations for the reporting of accidents, incidents, assaults or dangerous occurrences. For the reporting and investigation of safety related events for the purpose of preventing, or reducing the risk of their recurrence. Sharing with other organisations with a direct responsibility for maintaining, or improving railway safety.
To share within Emergency Services, as required during emergency situations on board our services |
The processing of the personal information is necessary for compliance with a legal obligation set by Office of Rail and Road Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR)
Vital interest and duty of care |
Claims | To handle your claim in accordance with Claim Allocation and Handling Agreement (CAHA) for losses, property damage or personal injury |
Necessary for the performance of the contract. Licence obligations of the Office Rail and Road – Claim Allocation and Handling Agreement (CAHA) |
Information provided by you as a Customer or Stakeholder
Area |
Purpose of processing |
Legal basis for processing |
Transactional data |
Provided by you as part of a financial transaction, such as payment for tickets, refunds or compensation |
Performance of a contract and Legal obligations |
Sending marketing information to customers |
Collecting, updating and using contact details such as email address, SMS and postal address to inform you about promotions, news, ticket offers and destination ideas that may be of interest to you |
Consent provided by you |
Pre and post travel information |
Issuing pre and post travel information, including destination ideas and booking information |
Consent provided by you |
Tracking and improving the performance of website |
Details of your visits to our site or any Arriva Business Retail Park including, but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access (this is used to help track and improve the performance of our website) |
Legitimate interest |
Performance tracking for targeted advertising |
Information about your computer, including IP address, operating system and browser type for website performance and improvement. This allows us to track performance and serve relevant advertising likely to be of interest to you and does not identify you as an individual. |
Legitimate interest |
Information provided by customers to us |
Information you provide to us by filling in forms on our site or that you email us. This includes when you subscribe or register for any service that we may provide via our site or when you complete transactions |
Performance of contract |
Research and surveys |
As part of customer research and surveys |
Legitimate interest |
Common law or statutory obligations |
Complying with any common law or statutory obligations, such as in the prevention of fraud |
Legal obligations |
Service updates |
Providing customers with updates to train services and / or strike information |
Performance of contract |
Social media |
Handling customer social media enquiries |
Legitimate interest |
Marketing communications |
Personal information such as your name and contact details when you register for an account or sign-up for marketing communications |
Consent provided by you |
Data analysis |
Profiling and selection customers in order to send relevant, targeted communications and information and improve services |
Consent provided by you |
Interactions with our website and our app |
Website visits and online behaviour, including app usage |
Legitimate interest |
On board WiFi data connection |
To provide you with a WiFi service on board our services |
Performance of a contract |
Trainline Customer contact centre |
To support in any queries with bookings, travel assistance or other issues. |
Performance of a contract |
Email analysis |
Email engagement statistics |
Consent provided by you |
Smart ticketing
|
Administration of your tickets and handling queries relating to your tickets. |
Performance of a contract |
Customer research panel |
Joining our customer Research Panel |
Consent provided by you |
Social media |
Your messages to us via social media channels |
Legitimate interest |
Prize draw/giveaways/competition forms. |
In order to process entry information and where applicable provide, publish or make available certain information to the ASA per the requirements of the CAP code. |
Legal obligation of compliance with the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (CAP Code). Legal obligation of compliance with the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (CAP Code). |
Catering purchases on board |
To receive electronic receipts for Catering purchase made on board the train |
Consent provided by you |
Stakeholders - keeping you informed |
To provide you with information about our goods and services that may interest you or them |
Consent provided by you |
Stakeholders - supporting Rail Partnerships |
To support Community Rail Partnerships |
Consent provided by you |
Stakeholders - supporting community causes |
To support causes within the community |
Consent provided by you |
Additional information provided by you as a Business Retail Customer
Area |
Purpose of processing |
Legal basis for processing |
Reasons provided for travelling |
To inform your employer of the reason for travelling as part of the Business Retail provision of services |
Legitimate interest |
Chiltern Customer Contact centre |
To support in any queries with bookings, travel assistance or other issues |
Performance of a contract |
Information provided by you in relation to the provision of Customer Services
Area |
Purpose of processing |
Legal basis for processing |
Travel Assistance - Passenger Assist |
To arrange and carry out extra assistance for your journey |
Equality Act 2010, working with other Rail Industry partners to ensure compliance where complimentary services are supplied under contract. Please see our Accessible Travel Policy. |
Compliments, Suggestions, Complaints, reporting accidents and Appeals |
To respond, investigate and make the necessary enquiries regarding your initial correspondence. To respond, investigate and make the necessary enquiries regarding the appeal. To record and pass on details of accidents or injuries that have happened on our services to our Safety Team. |
Performance of a contract. Processing is necessary for Legitimate interests Legal Obligation |
Claims for Compensation and Refunds |
To provide compensation in line with our Delay Repay Scheme To handle the claims for compensation and refunds. |
Performance of a contract; to provide compensation in line with our Passenger Charter and National Rail Conditions of Travel |
Revenue Protection & Prosecutions Policy |
Preventing and reducing fare evasion and offenses of violence against its workforce, which may involve prosecution of perpetrators. |
Processing necessary as legal obligation: For fare evasion - National Conditions of Travel and National Railway Byelaws (2005) Regulations of Railways Act 1889, For serious and systematic fare evasion or revenue fraud - Fraud Act 2006 For Assault against our employees is an offence - Criminal Justice Act 1988, Offences against the Person Act 1861 , Public Order Act 1986. Please see our Prosecutions Policy |
Information provided by you to our Human Resources Department
Area |
Purpose of processing |
Legal basis for processing |
Recruitment |
For pre-appointment assessment for either job vacancies, apprenticeships, placements or our graduate training program. To receive relevant notifications in regards to job vacancies with CrossCountry or other vacancies within the DB and Arriva organisations |
Necessary for the performance of a contract with you or to take steps to enter into a contract.
Consent provided by you
|
Information provided by you in relation to Subject Access Requests
Area |
Purpose of processing |
Legal basis for processing |
Subject Access Request |
To process and investigate any complaint, subject access request and other general requests under the General Data Protection Regulation. |
Consent provided by you. Legal obligation to process your personal information – Data Protection Act 2018 |
Information provided by you in relation to you visiting a CrossCountry location
Area |
Purpose of processing |
Legal basis for processing |
Visitors |
To enable visitors to gain entry/access into CrossCountry location |
Legitimate interest |
2.3.2. Information we collect about you.
2.3.2.1We use your personal information as follows:
Information we collect about you for Safety purposes
Area |
Purpose of processing |
Legal basis for processing |
CCTV Cameras and Body Worn Cameras |
Video and audio are recorded for the purpose of Customer, Security, Staff Security, Crime Prevention and Public safety on train, at stations, on platforms or at office accommodation. |
Necessary for the Legitimate interest, public interest task and/or legal obligation (prevention and detection of crime). |
Information we collect about you as Customer or Stakeholder
Area |
Purpose of processing |
Legal basis for processing |
Purchase of tickets |
Transactional information (such as your payment details when you buy tickets, the purchase and usage of WiFi) |
Performance of contract, legal requirement in relation to |
Marketing communications |
Personal information such as your name and contact details when you register for an account or sign-up for marketing communications |
Consent provided by you. |
Targeted communications |
Profiling and selection customers in order to send relevant, targeted communications and information and improve services. |
Consent provided by you |
Trainline Customer contact centre |
To assist customers with any queries in regards to their bookings, passenger assist requests and other issues. |
Performance of a contract |
Smart ticketing |
Administration of your tickets and handling queries relating to your tickets. |
Performance of a contract and Legitimate interests. |
Behaviour |
Website visits and online behaviour, including app usage |
Legitimate interest |
Engagement |
Email engagement statistics |
Consent provided by you |
Customer research panel |
Feedback via our Customer Research Panel (All submissions are made anonymous for analysis and reporting) |
Legitimate interest |
Prize draw/giveaways/competition forms. |
In order to process entry information and where applicable provide, publish or make available certain information to the ASA per the requirements of the CAP Code. |
Legal obligation to ensure compliance with the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (CAP Code). |
Social media |
Your messages to us via social media channels |
Legitimate interest |
Competitions |
Competition entry winners |
Consent provided by you |
Customer experience |
To gauge the experience and use feedback for service improvements such as Surveys |
Consent provided by you |
Customer Relations Call recording
|
To record calls for monitoring and training purposes. Potentially used as evidence in fraudulent cases (Note this does not include payment details) |
Performance of a contract and legitimate interest |
Information we collect about you as a potential employee:
Area | Purpose of processing | Legal basis for processing |
Recruitment | To send you relevant job vacancy updates | Consent provided by you |
2.3.3 Information we receive from other sources.
We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “Questions about this Privacy Notice” heading below.
Information we receive from other sources for Safety purposes
Area |
Purpose of processing |
Legal basis for processing |
Accidents, Incidents, Assaults, or Dangerous Occurrences
|
To meet our statutory obligations for the reporting of accidents, incidents, assaults or dangerous occurrences |
The processing of the personal information is necessary for compliance with a legal obligation set by Office of Rail and Road Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR) |
CCTV Camera and Body Worn Cameras |
Images are required for evidential purposes in legal or disciplinary proceedings |
Necessary for the Legitimate interest, public interest task and/or legal obligation (prevention and detection of crime). |
Safety Claims |
To handle your claim in accordance with Claim Allocation and Handling Agreement (CAHA) for losses, property damage or personal injury |
Necessary for the performance of the contract. Licence obligations of the Office Rail and Road – Claim Allocation and Handling Agreement (CAHA) |
Information we receive from other sources as a Customer
Area |
Purpose of processing |
Legal basis for processing |
Smart ticketing
|
Administration of your tickets and handling queries relating to your tickets, which may contain other Train Operating Companies’ products |
Performance of a contract |
Guest Checkout |
You can use our booking service without registering as a new user on our mobile site, website or through our app. Transactions as a guest would however not be displayed in your account if you are a registered user, but subsequently choose to checkout as a Guest. All personal data collected when booking as a Guest will be processed in accordance with this Privacy Policy. |
Performance of a contract |
Information we receive from other sources as a Business Retail Customer
Area |
Purpose of processing |
Legal basis for processing |
Business Retail |
For the administration of business revenue accounts we may receive information from Arriva UK Trains or Chiltern Railways |
Performance of a contract |
Information we receive from other sources for the provision of Customer Services
Area |
Purpose of processing |
Legal basis for processing |
Travel Assistance |
To carry out assistance for your journey |
Peformance of a contract |
Compliments, Suggestions, Complaints and Appeals |
To respond, investigate and make the necessary enquiries regarding your initial correspondence. To respond, investigate and make the necessary enquiries regarding the appeal. |
Performance of a contract Processing is necessary for legitimate interests |
Claims for compensation and refunds |
To assist with the Customer Delay repay claim by receiving information from the appropriate Other Train Operators. |
To provide compensation in line with our Passenger Charter and National Rail Conditions of Travel |
Revenue Protection & Prosecutions |
To support revenue protection related investigations that may lead to prosecutions. |
National Conditions of Travel and National Railway Byelaws |
Information we receive from other sources in our Human Resources Department
Area |
Purpose of processing |
Legal basis for processing |
Recruitment |
We may receive references from previous employers. We may also receive reports from external suppliers for pre-employment testing or medicals reports |
Necessary for the performance of a contract with you or to take steps to enter into a contract. |
Information we receive from other sources in relation to Subject Access Request
Area |
Purpose of processing |
Legal basis for processing |
Subject Access Request |
Processing and investigating of Data Protection complaints received from the Information Commissioner’s Office |
Consent provided by you. Legal obligation to process your personal information – General Data Protection Regulation (GDPR) |
We may disclose your personal data to the following categories of recipient for the purposes described in this Privacy Notice:
Sharing your information for Safety Purposes
- With Rail Safety and Standard Board, Rail Accident Investigation Branch, Office of Rail and Road, Government appointed enquires, legal representors and other Rail Industry Partners to meet our statutory obligations for the reporting of accidents, incidents, assaults or dangerous occurrences.
- With British Transport police, legal, other Rail Industry Partners, CCTV images required for evidential purposes in legal or disciplinary proceedings.
- With Solicitors, Transcare Law, Office of Road and Rail, consumer watchdogs, and other Rail Industry Partners in accordance with Claim Allocation and Handling Agreement (CAHA) for losses property damage or personal injury.
- With Emergency Services as required during emergency situations on board our services, to provide you with medical assistance if required.
Sharing your information as Customer or Stakeholder
Service providers:
- We use third party service providers to carry out many of the activities listed in the sections above, “How we use your personal data and the legal basis for such processing”. This includes our Customer Relationship Management (CRM) provider Acteol and Trainline.com, as well as digital agencies and services such as Google to provide digital advertising, activities and analytics.
- We use third party service providers to provide Business Retailers services as listed in the sections above "How we use your personal data and the legal basis of such processing". This includes Assertis and TrustPayments. We may also share your data with Arriva UK Trains and Chiltern Railways for the provision of Business Retail customer services.
- Our service providers act on our instructions, and we ensure that they take measures to keep your personal data safe.
- We don’t allow our service providers to use your personal data for any purpose other than carrying out the service in question, and we only provide them with those parts of your personal data that they actually need.
- We share your information with Rail Delivery Group who provide the back office technology and infrastructure for Smartcard products.
- Other UK Rail Operators in order that they can provide support in respect of your Smartcard products, from any given location regardless of the retailer.
- All payments for ticket purchase through Visa and MasterCard are processed by Trainline.com Limited.
Other UK Rail Operators:
- We share your personal data with some operators for ticket fulfilment purposes
- We may share your email address or phone number with some operators so that they can contact you with service messages, for example if a train is cancelled in cases for booked Travel Assistance.
- We may also need to share some of your personal data with any other transport carriers or other service providers who provide you with any part of the services that you’ve booked through us.
The Authorities:
- In some circumstances we have a legal obligation to share parts of your personal data with police or customs authorities, regulatory authorities, government & law enforcement agencies. This may include, but is not limited to, fraud prevention and detection.
- We may also disclose your personal data to any competent law enforcement body, regulator, government agency such as Rail North, the Department for Transport (DfT) or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation; (ii) to exercise, establish or defend or legal rights; or (iii) to protect your vital interests or those of any other person;
Sharing your information for the provision of Customer Services
- To carry out assistance for your journey we work closely with Office of Road and Rail, Rail Delivery Group, Rail Industry partners, and Taxi companies in order to continually improve the levels of service we offer customers who require such assistance when making a journey.
- To allow complaints and appeals to be processed by the appropriate company in accordance with the Railways Passenger Charter.
- To provide compensation for delays in line with our Passenger Charter and National Rail Conditions of Travel.
- Preventing and reducing the fare evasion and offences of violence against its workforce, which may involve prosecution of perpetrators in accordance with National Conditions of Travel and National Railway Byelaws.
- To allow complaints and appeals to be processed for Business Revenue Customers
Sharing your information – Human Resources Department
- For external suppliers to support us in our pre-appointment assessment for either job vacancies, apprenticeships, placements or our graduate training program.
- Sharing your information in relation to Individual Rights Requests
- Information Commissioner Office - for the purposes of reporting, processing and investigating of Data Protection complaints or incidents received from the Information Commissioner's Office
Sharing your information in relation to Individual Rights Requests
- Information Commissioner Office – for the purposes of reporting, processing and investigating of Data Protection complaints or incidents received from the Information Commissioner's Office.
Other
- Companies within the Arriva Group for the performance of any contract we enter into with them or you.
- We may also transfer your personal data to a buyer or potential buyer (and its agents and advisers) in connection with any reorganisation, restructuring, merger or sale, or other transferring of assets provided that we inform any receiving party it must use your personal information only for the purposes disclosed in this Privacy Notice.
- We operate CrossCountry franchise under arrangements with the Department for Transport and the franchise operations may pass to a successor operator. We may disclose your personal data to the relevant franchising authority and/or any successor operator and any successor operator must only use this personal data for the purposes disclosed in this Privacy Notice.
Finally, we may disclose your data to any other person to whom you request us to make disclosure or if you consent to such disclosure.
We will not retain your personal data for longer than is necessary to fulfil the purposes for which we collected that personal information, unless the law permits or requires that we retain it for longer.
The table below explains in more detail how long CrossCountry will store different types of information for:
Data Retention - Safety purposes
Customer information |
Retention Period |
Reporting of accidents, incidents, assaults or dangerous occurrences |
As per the Statutory provisions (see Social Security (claims and payments) Regulations 1971; Regulation 25. Social Security Act 1992; OR Section 8. Limitation Act 1980. |
Records relating to accident/injury |
From the date of the incident plus 12 years. In the case of serious accidents, a further retention period may need to be considered. |
CCTV Cameras and Body Worn Cameras |
Maximum 30 days dependant of system capabilities from record creation, unless there is a specific request relating to the CCTV/camera footage. Where there is a specific request which includes crime. Terrorism and HM Coroner relating to the CCTV/camera footage, the footage will be kept for the duration of the claim matter, plus an additional six years after the claim is closed. |
Safety claims |
For the duration of the claim, plus an additional 6 years after the claim is closed. |
CCTV footage relating to a claim
|
For the duration of the claim matter, plus additional 6 years after the claim is closed. |
Claimant bank details |
Until payment is made to the claimant |
Data Retention relating to the provision of Customer or Stakeholder
Customer information |
Retention Period |
For customers who have made an online transaction in the last 6 years |
Transaction history |
Anonymised website data |
We will keep anonymised website data (including but not limited to traffic data, location data, operating systems and browsing information) for 38 months. This data helps us with the ongoing improvement and development of our website and does not identify users individually (for example through a MAC address, IP address or cookie data). |
Stakeholder – General |
For no longer than the necessary for the purposes for which the personal data was collected. |
Stakeholder – Community Rail |
For no longer than the necessary for the purposes for which the personal data was collected. |
Stakeholder – Supporting causes in the community |
For a period of 6 years after the support is provided. |
Trainline contact centre call recording |
3 months |
Call recording (Customer Relations) |
2 years from point recording was made. Please note payment details are not recorded. |
Business Retail Account |
For two years since last transaction for data not required for transactional purposes |
On-board filming |
For the period of time required for training and no longer than 1 year. |
Data Retention relating to the provision of Customer Services
Customer information |
Retention Period |
Travel Assistance bookings |
For a period of 2 years (as advised by Rail Delivery Group) |
Compliments, Suggestions, Complaints and Appeals |
For no longer than the necessary purposes for which the personal data was collected (maximum period of 6 years) |
Compensation & Refunds |
6 years from the date of transaction or payment made |
Revenue Protection & Prosecutions Policy |
For a period of 6 years following the end case completion |
Data Retention – Human Resources Department
Customer information |
Retention Period |
Job applications and interview records for unsuccessful candidates |
6 months after notifying unsuccessful candidates. The applicant should be informed of Arriva’s retention period when they complete the application |
Data Retention - Individual Rights Access
Customer information |
Retention Period |
Individual Rights Requests |
We hold the data for 2 years |
We apply appropriate administrative, technical and organisational security measures to protect your personal data that is under our control from unauthorised access, collection, use, disclosure, copying, modification or disposal. All information you provide to us is stored on secure servers. We are part of the Arriva plc Group, which trains its employees regarding our data privacy policies and procedures and permit authorised employees to access personal data on a need to know basis, as required for their role. We also take steps to ensure that any service provider that we engage to process personal data on our behalf takes appropriate technical and organisational measures to safeguard such personal data.
We process your information in the UK, and in some cases within the European Union (EU). When we use organisations who access or process your information, we do so in line with the requirements of both UK and EU data protection legislations.
We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws.
You can see when this Privacy Notice was last updated by checking the date displayed at the top of this Privacy Notice.
You have the following data protection rights:
- If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us at any time at [email protected].
- In addition, you can object to the processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us at [email protected].
If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. You can update your consent preferences in our Preferences centre, please note that it may take up to 48 hours for this information to be updated.
If you wish to withdraw consent from marketing communications, or close your online account with CrossCountry, please contact us at any time at [email protected] Please note this may take up to 5 working days.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
If you have any question, concerns or complaints about this Privacy notice or our handling of your personal data, you can contact us by email on [email protected] or by post to the following address:
CrossCountry Data Protection Champion, CrossCountry, 5th Floor, Cannon House,18 The Priory Queensway, Birmingham, B4 6BS
If you are unsatisfied with the response, you can contact Arriva plc's Data Protection Officer at [email protected].
You have the right to complain to a data protection authority about our collection and use of your personal information. If you are based in the European Economic Area, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries are available on the EU Commission's website via the following link): https://ec.europa.eu/info/departments/justice-and-consumers_en#contact).