What personal data we collect from you when you use our websites, smartcards, apps, visit our bus stations, contact us or use our services, or Wi-Fi;
How we will collect and use that information;
How we keep information secure; and
How you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint.
Information we may collect from you
How we use your information
Sharing or disclosure of your information
Types of information we collect:
Website visits and purchases
Travel Centre purchases
Revenue Protection and Penalty Fares
Customer Service database
Where we store your personal information
The data controller is: East Yorkshire whose registered office is 252 Anlaby Road, Hull, HU3 2RS. East Yorkshire Motor Services is registered in England and Wales as company number 216628.
Any queries relating to this document or requests to exercise your rights in respect of personal data should be made in writing to the Area Director at the above address.
You can contact the Group Data Protection Officer as follows:
In writing to, The Go-Ahead Group plc, 4 Matthew Parker Street, London, SW1H 9HQ or by email to firstname.lastname@example.org.
More information about the Data Protection Law can be found on the Information Commissioners Website https://ico.org.uk/ The Information Commissioner is our regulator for data protection matters.
To ensure that our website is useful to all visitors and continues to improve, we may process data about your use of the site. This may include your geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use. This data, obtained through Google Analytics, is aggregated and anonymised such that it contains no information pertaining to any identifiable individual; as such, it is not personal data per se, but we address it here for completeness’s sake.
We may process information contained in or relating to any communication that you send to us, whether through the site, by email, through social media, or otherwise. This may include the communication content and metadata associated with the communication, as well as any contact details you provide to us, such as your name, email address, phone number, job title, address or social media username. We process correspondence data for the purposes of communicating with you and record-keeping.
We may process information contained in any enquiry you submit to us indicating your interest in our services or business, such as the contents of your enquiry and any contact details you provide to us, such as your name, email address, phone number, job title or address. We process such data for the purposes of addressing your enquiry and providing you with occasional news about our services and operations. If you no longer wish to receive news from us then you can unsubscribe at any time.
We may process information relating to transactions, such as bank account details, contact details, or transaction data in relation to payments made by us to you or by you to us. This may include your contact details, or any bank account or sort code information provided for the purposes of making payment, as well as transaction details (such as POs or invoices). The transaction data may be processed for the purpose of supplying or receiving and administering the relevant services and keeping proper records of those transactions, and for making and receiving payments.
Your personal data may be provided to us by someone other than you—for example, by your employer, by an organisation with whom you and we are both dealing, or by someone who wishes to refer you to us or vice versa. Normally this data will be correspondence data, enquiry data, or project data as described above, and will be processed by us for the purposes described above.
We process personal data on lawful bases only. In particular, we process personal data on the following lawful bases identified in Article 6 of the General Data Protection Regulation:
For the performance of a contract with you, or to take steps at your request prior to entering into a contract with you (Article 6(1)(b) GDPR). This may be our basis for processing correspondence data, enquiry data, matter data and transaction data;
For our legitimate interests (Article 6(1)(f) GDPR). This may be our basis for processing:
correspondence and matter data (as we have an interest in properly administering our business and communications);
enquiry data (as we have an interest in developing our business with interested parties);
transaction data (as we have an interest in making and receiving payments promptly and in recovering debts);
any personal data identified in the other provisions of this Notice where necessary in connection with legal claims (as we have an interest in the protection and assertion of our legal rights, your legal rights and the legal rights of others);
any of the personal data identified in the other provisions of this Notice in connection with backups of any element of our IT systems or databases containing that personal data (as we have an interest in ensuring the resilience of our IT systems and the integrity and recoverability of our data).
In addition to the specific purposes for which we may process your personal data set out above, we may process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject (Article 6(c) GDPR), or in order to protect your vital interests or the vital interests of another individual (Article 6(d) GDPR).
We will only share or disclose your information as set out in this Policy or in accordance with Data Protection Law and will obtain your consent where we are required to do so. We will only use third parties to process information where we are satisfied that they comply with these standards and can keep your data secure. We may share or disclose information for the following reasons:
We use data processors to provide or assist with some of our services. Where we do so, they must agree to strict contractual terms and to keep your data secure.
Where we share data across our Group Companies, this is only in accordance with a written data sharing agreement.
To operate interoperable services - this includes use of some shared systems and processors.
To respond to your complaints or administer requests you have made, either to us or another regulatory body, ADR or appeals service, or local authorities and contract partners;
To process payment card transactions;
To comply with requests from the police or other law enforcement agencies for the purposes of crime prevention or detection. These are dealt with on a case-by-case basis, under an overall Information Sharing Protocol, to ensure that any disclosure is lawful;
To comply with other legal obligations for example, relating to crime and taxation purposes or regulatory activity;
To protect our legitimate business interests, for example, for fraud prevention or revenue protection; and
If you have agreed to receive information for competition, promotion, survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to in the terms and conditions of the purpose.
Where you have consented, to share with other members of the Go-Ahead Group PLC (registered in England, company number 02100855) (“Go Ahead”), of which we are a member, where Go-Ahead has any services, promotions and offers which we feel may interest you. Details of other members of Go-Ahead can be found here.
We have a policy in place for one off sharing of data, such as a request from an insurance company.
You can find out more below about the information we collect and how we use, share or disclose it.
Our CCTV is used to capture, record and monitor sound and images of what takes place at our bus depots, Hull Travel Centre and on the inside and outside of our buses in real time. Depending on the type of camera, images are recorded on video tape (analogue) or as digital information. Cameras can be fixed or set to scan an area. In some circumstances, they can be operated remotely by controllers.
We operate CCTV for the following purposes:
Health and safety of employees, passengers and other members of the public;
Crowd management; and
Prevention and detection of crime and anti-social behaviour.
Improve the customer service we provide
We operate cameras at the depots we manage, the Hull Travel Centre and on most of the buses that we run.
CCTV footage at bus stations and on bus is generally held for a maximum of 31 days from the time of recording. Buses - the CCTV footage on buses is recorded over on a continual basis and therefore footage is retained for an average of 7-21 days before it is overwritten.
You can request copies of images or footage of yourself by making a subject access request. The Subject Access Request section on this site explains the information you will need to provide.
At our discretion, we may disclose personal data in response to valid requests from the police and other statutory law enforcement agencies.
Before we authorise any disclosure, the police have to demonstrate that the personal data is necessary to assist them in the prevention or detection of a specific crime, or in the apprehension or prosecution of an offender.
Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the Data Protection Law.
We may also disclose personal data to third parties, if required to by law or it is necessary for a legitimate purpose such as defending or bringing legal action. Data Protection Law allows us to do this where the request is supported by:
evidence of the relevant legislation; or
a court order
satisfactory evidence and assurances of the legitimate interest.
Legitimate interest would include requests such as defending or making a legal claim, such as to insurers following a vehicle collision. When we are not required to provide CCTV, we will take into account the circumstances and any potential harm to individuals, we may also charge an administration fee and seek indemnity for any use beyond which it is requested.
East Yorkshire operates its CCTV systems in compliance with the CCTV Code of Practice issued by the Information Commissioner’s Office in 2017. The Code describes best practice standards which should be followed by organisations operating devices which view or record images of individuals. It also covers other information derived from those images that relates to individuals.
This section shows the information we collect when you use our website. Before providing us with your details, please read the following important information regarding:
Collection of visitor information;
We will only use the information that we collect about you lawfully, in accordance with the Data Protection Law. The details you provide about yourself and any other information which identifies you (‘Personal Information’) is held by on this website (the "Site") for operational purposes, for example member registration or processing payments. We may also use your Personal Information to personalise your experience on the Site by informing you of new products or services that we may think are of interest to you.
East Yorkshire gathers general information about users, for example, what services users access the most and which areas of the site are most frequently visited. Such data is used in the aggregate to help us to understand how the East Yorkshire website and app are used. We gather this information so that we can continue to improve and develop our services to the benefit of our users. We may make this aggregated information available to users of the site and also to auditors. These statistics are anonymous.
When you register with set up a travel alert, enter a competition, or buy a ticket, we ask for personal information such as your name, contact details, and other details. Once you register with and accept our Terms & Conditions, you are not anonymous to us. We may use information that you provide to alert you to our own products and services. We may contact you regarding site changes or changes to the products or services that you use.
If you buy a ticket online with, we will record your personal details and send you a confirmation email. Your personal data will be used principally to communicate with you with reference to your request.
You may opt-in to receive newsletters, exclusive discounts, special offers and other marketing emails. You may unsubscribe at any time by clicking on the appropriate link at the bottom of the communication. Please note changes to your subscription preferences can take up to 14 days to take effect.
Alternatively, please get in touch with the Customer Services Team at email@example.com
When you buy annual passes/season ticket valid for one month or more, we keep a record of this on a database. We keep the following details:
Name, address and photo card number (if applicable) and date of birth;
Phone number and email if you provide them;
The product type, zone, start and end date of annual tickets you have purchased, along with any duplicate, replacement or refund of these; and
The method of payment used, but not any payment card details.
We may collect additional details when you register an account with us, download an app or use a smartcard, for example IMEI on your mobile phone, or your location data for billing on a smartcard.
We use this information for Contractual obligations, Customer Service and administration, customer research, marketing and fraud prevention.
We will only send you information about offers and promotions if you chose to receive it and you can change your marketing preferences at any time. We will not pass your personal information to any other organisation outside of our Group of Companies (and Successor business or Secretary of State for Transport) for marketing purposes without your prior consent.
If you have agreed to receive information for survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to.
We may collect a range of personal detail during the course of revenue protection activity. This may include name, address, proof of ID, journey details, payment details, personal descriptions and other information you provide to support an appeal.
We only use this information for the administration of the Penalty Fares scheme, collection of unpaid fares, fraud prevention and the prosecution of travel offences.
We may share your correspondence with:
British Transport Police under a data sharing agreement to prevent and detect crime.
To operate a penalty fares scheme
We collect your information and comments when you contact us by letter, email, web form, phone or social media.
We may hold your name, address, email address, phone number, social media name, ticket details, our correspondence with you, the compensation claims you have made and payment made by us, proof of journey or other supporting information you may provide.
To ensure that we carry have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record or monitor telephone calls, however you will always be told when this happens.
This information is used for administration of correspondence or processing claims you have made, such as delay repay as well as for fraud prevention purposes. We also use it to respond to complaints.
We may also share information with other Bus Operating Companies, or under interoperable tickets for the purpose of fraud prevention. We will only do this where there is a formal data sharing agreement is in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with Data Protection Law.
The information that we collect from you will only be stored in the European Economic Area (“EEA”) or, where it is necessary to disclose it to our processors located outside the EEA , other jurisdictions which are acceptable according to guidance provided by the Information Commissioner and/or where appropriate legal and security safeguards are in place. Please contact the Group Data Protection Officer if you wish to find out more about the safeguards.
We use a range of technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.
The rights you have under data protection law are summarised below. Some of these are complex, and not all of the details have been included here. Further guidance can be obtained from your data protection authority — e.g. in the UK, the Information Commissioner’s Office (www.ico.org.uk)
Your principal rights under data protection law are the right to:
You are entitled to request a copy of the personal information we hold about you. You can contact the Area Director at East Yorkshire using the contact details above or by contacting the Group Data Protection Officer at firstname.lastname@example.org to request access to information we hold about you.
We may need to ask for some further information, such as checking who you are. Please let us know if you want to receive the information electronically.
We aim to get the information to you without undue delay and within 30 days. If we have any trouble with this timeframe we will let you know within 30 days and explain what the problem is. Sometimes we may hold information that we don’t have to provide, for example it would prejudice a police investigation or contains someone else’s personal data.
In most cases we provide the copy of your data to you for free. We have set out some information about when it might not be free, or provided below..
You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
In some circumstances you have the right to the erasure of your personal data. These might include if:
the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; or
the processing is for direct marketing purposes.
However, there are certain general exclusions of the right to erasure, for example where processing is necessary for compliance with a legal obligation or in connection with legal claims.
If we relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. It does not affect the processing carried out beforehand. You can withdraw consent by contacting our Customer Services Team, our Area Director or Group Data Protection Officer. Where you have consented to receive direct marketing communications, you can withdraw your agreement at any time, as above or where available updating your preference centre or clicking on the appropriate link in the communication. We will comply with your request without undue delay and within 30 days.
In some circumstances you have the right to restrict the processing of your personal data. Where processing has been restricted on this basis, we may continue to store your personal data and will observe the restrictions on processing except in the case of processing permitted by applicable law (for example, in connection with legal claims or for reasons of public interest).
You have the right to object to our processing of your personal data on the basis of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or unless the processing is for legal claims.
You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.
To the extent that the legal basis for our processing of your personal data is consent, or the performance of a contract with you, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
We target some of our marketing and service communications, so that they are more relevant to you, based on the type of ticket(s) you bought, your location /travel destinations, we will try and make the communications are compatible with the device you are using.
We will try to deal with your request without undue delay and at least within 30 days. In exceptional circumstances, we may need to extend the time to respond fully, if the request is particularly complex or there are multiple requests. But we will let you know within 30 days.
We are not able to charge you a fee for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can make a decision about what you wanted to do next.
There are various limitations and exemptions in relation to the exercise of rights in data protection law - for example if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.
If we don’t respond to within 30 days of your request or you are not happy with our response you can lodge a complaint with the Information Commissioner Office or issue legal proceedings against us.
We also have a complaints policy. If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please us know. Our Area Director is the first point of contact for dealing with Rights Requests and complaints and they are assisted by our Customer Services Manager.
If you are not satisfied with the way in which they have handled your complaint or rights request then you can contact the Group Data Protection Officer as follows:
In writing to, The Go-Ahead Group plc, 4 Matthew Parker Street, London, SW1H 9HQ or by email to email@example.com.
If you are not satisfied with the response you can complain to the ICO. Their contact details are:
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Fax: 01625 524 510
We may update this notice from time to time by publishing a new version on the site. We will notify you of material changes to this notice using the contact details you have given us, but also recommend that you check occasionally to ensure you are happy with any changes to this notice.