Data Protection FAQs
We’ll only collect your data where it’s needed, access your data on a need-to-know basis and only store it for as long as we really need it.
The protection of your data is important to us and we will never sell your data or share any information that personally identifies you with advertisers.
We will only share your data when you have consented or we have other legitimate reasons such as for safety purposes, support in any queries with bookings, or travel assistance. We have set out who we may share your data with in the Privacy policy so you can be really clear that your data is safe with us.
When you use CrossCountry Services there are generally two different types of information that we collect;
- Information that you create and provide to us. This includes purchasing tickets, registering for our on-board WIFI service, entering competitions or corresponding with us by social media or email, phone or otherwise.
- Information we collect when you use our services. This can include, for example, pages that you visit on our website and searches you perform. Such information is used by us to help us improve the contents of the Website or Booking Service. It also helps us serve relevant advertising that is likely to be of interest to you and does not identify any individual. Your Cookie settings will determine what we do collect and you can update these using our cookie tool.
- Information we collect when you use our train services. This can include CCTV on board our trains. Our staff may be wearing body worn cameras. They will always announce when they are recording, and the device will show a blue light when it is recording. We will, however, only record if there is heightened risk in the train environment as they are only to be used for customer and staff safety. This data is automatically deleted after 30 days, unless it is required in the event of a security incident. We have additional control measures around this data.
For more information, please see our Privacy Policy.
We apply appropriate administrative, technical and organisational security measures to protect your personal data that is under our control from unauthorised access, collection, use, disclosure, copying, modification or disposal. All information you provide to us is stored on secure servers. We are part of the Arriva plc Group, which trains its employees regarding our data privacy policies and procedures and permit authorised employees to access personal data on a need to know basis, as required for their role. We also take steps to ensure that any service provider that we engage to process personal data on our behalf takes appropriate technical and organisational measures to safeguard such personal data.
We want to provide a service that is customer focused and innovative, that you can trust to meet your needs.
We therefore collect the data you provide to be able to fulfill our services to you, but also use anonymised data for example on how the website and app are used, so that we can look to always improving our service to you.
In compliance with the GDPR we only collect information about you when we have a legal basis for doing so or if you have provided consent. Our Privacy Policy explains our legal basis for collecting and using your personal information depending on the personal information concerned and the specific context in which we collect it.
We will not intentionally or systematically seek to collect, store or otherwise use information about you classed as ‘special categories of data' or 'sensitive data'. If you require any extra assistance to help you make your journey, we offer our Passenger Assist service, this may involve you providing us with sensitive personal data. However, it is stored securely, for no more than 2 years, and is only shared with Industry Partners to enable the fulfillment of the Assist service.
We want you to feel in control of your data. You therefore can take action to use any of your rights in line with the GDPR, and we have set out an overview of the rights you have here.
If you wish to access, correct, update or request deletion of your personal information, you can do so by contacting Customer Relations.
In addition, you can object to the processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us here.
We respond to all requests wishing to exercise their data protection rights in accordance with applicable data protection laws.
When we collect your data we do so either because we have a legal basis for doing so (for example when you purchase a ticket) or for some of the data we collect we require your consent (for example marketing preferences).
If you have previously given your consent to collect data you can withdraw your consent at any time. You can update your consent preferences in our Preferences centre, please note that it may take up to 48 hours for this information to be updated.
Please submit your request to close your account or close your account and remove your data via this form.
Further information about these choices is detailed in the Privacy Policy.
If you have any question, concerns or complaints about this Privacy notice or our handling of your personal data, you can contact us by email on [email protected]
You can also contact Arriva plc's Data Protection Officer at [email protected]
These Cameras are being deployed to serve as a deterrent to anti-social behaviour. This is to help both passengers and our staff feel safe.
Our onboard staff do not have access to these images or audio data, but will report any incidents for the purpose of customer safety and crime prevention. Access to images is restricted to particular personnel in our safety team who will only access the images and audio if an incident has been reported.
We have assessed the risks that may be involved regarding privacy of personal data by carrying out a data privacy risk assessment. This has ensured the following has been addressed:
a) Provided training for staff on the proper use of the body cameras.
b) Deployed protocols to manage access and control of the personal data involved.
c) Provided appropriate security measures, to ensure that the personal data is protected against any form of unauthorised access.
d) Ensured that signage is in place, and announcements are made to alert the public to the recording.
e) Limited the time the data is available to 30 days. It will only be kept longer if there is an incident.
If you would like access to this or any other of your data that we may have you can contact us at [email protected]