At RATP Dev London, we are committed to protecting and respecting your privacy when you use our website and our services in the United Kingdom.

This Privacy Policy explains:
What personal data we collect from you when you use our website, apps, social media pages, when you visit our buses, offices, garages or depots in the UK, when you contact us in the UK or generally use our services in the UK;

  • How we will collect and use that information;
  • How we keep information secure; and
  • How you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint.

For the purposes of the Data Protection Act 2018 and this privacy policy, details of the relevant data controllers are set out in paragraph 13 below. For enquiries or request to our nominated Data Protection Officer, please email : gdpr_ratpdevuk@ratpdev.com.

 
More information about the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all related and subordinate legislation as amended or re-enacted from time to time (“current Data Protection Legislation”) can be found on the Information Commissioners (ICO) website www.ico.org.uk. 

The Information Commissioner (ICO) is our regulator for data protection matters in the United Kingdom.

You have the right to make a complaint at any time to the ICO for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance. 

1. COLLECTION AND USAGE OF PERSONAL DATA

We may collect and process information about you when for example you:

  • use our website, to optimise the best website experience for your visit, or in order to raise your enquiry with the most relevant internal department in facilitating your enquiry;
  • are involved in or witness an accident or incident involving one of our buses;
  • when you lose property on one of our buses.

We collect information such as your contact details and sometimes but rarely your age and details of any injuries such like in the case of accidents and incidents. This information is generally provided by you. Sometimes we obtain details from third parties such as when we change our group structure or business or operation and for other legitimate business reasons.  

We will only use the information you provide as permitted by current Data Protection Legislation. Our reason(s) for using your data will vary depending on: how you contact us, use our services, the consent you have given, our legitimate interests, or legal obligations we may have. Reasons for use of your data include:

  • To enhance your experience of our website, as described in our cookie policy.
  • To provide you with a service and for legitimate interests such as health and safety.
  • To comply with our legal obligations including providing information to our regulators and under our contracts with Transport for London (TfL) or others.
  • For your safety and security.
  • For fraud and crime prevention.
  • To run our services and improve them and their technology to help plan journeys.

We are part of a RATP Dev and share administrative services and support. Your data may therefore be shared with other companies within the group of RATP Dev where appropriate.

The terms of this policy do not automatically apply to all websites of RATP Dev group companies worldwide that you may visit and you will need to satisfy yourself of their own terms for their use and how they will collect your data.

2. SHARING OF DISCLOSURE OF INFORMATION 

We will only share or disclose your information as set out in this Policy or in accordance with current Data Protection Legislation and will obtain your consent where we are required to do so.  We will only use third parties to process information where we are satisfied that they comply with these standards and can keep your data secure. 

We may share or disclose information for the following reasons:

  • We use data processors to provide or assist with some of our services. Where we do so, they must agree to strict contractual terms and to keep your data secure.
  • Where we share data across companies within the group of RATP Dev, this is only in accordance with a written data sharing agreement. More details are available under “Transfer or storage of personal data outside the UK” below.
  • To respond to your complaints or administer requests you have made, either to us or another regulatory body such as Transport for London (TfL).
  • To comply with the police or other law enforcement agencies for the purposes of crime prevention or detection, these are dealt with on a case-by-case basis, under a specific Information Sharing Protocol, to ensure that any disclosure is lawful.
  • To comply with other legal obligations for example, relating to crime and taxation purposes or regulatory activity.
  • To protect our legitimate business interests, as outlined above.

3.COLLECTING DATA THROUGH THE WEBSITE SITE

When you use our website we will collect the some or all the following details:

  • Name; Email address; Phone number; Address; Date of birth; Contact Data.
  • Financial Data which may occur when you contact us directly.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website. 
  • Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
  • Usage Data includes information about how you use our website, products and services. 
  • Marketing and Communications Data: your preferences in receiving marketing from us and our third parties and your communication preferences.

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal obligation.

We will not pass your personal information to any other organisation for marketing purposes.

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below. 
 

Purpose/Activity

Type of data

Lawful basis for processing including basis of legitimate interest

To register you as a new suppliers or clients

(a) Identity

(b) Contact

Performance of a contract with you

To carry out our obligations arising from any contracts entered into between you and us including:

(a)  managing payments, paying refunds or compensation, fees and charges;

(b)  collecting and recovering money owed to us;

(c)  running fraud checks if we have reasonable suspicions;

(d)  provide you with necessary information, products and services including, but not limited to, contacting you about your journey;

(a)  Identity

(b)  Contact

(c)  Financial

(d)  Transaction

(e)  Health

(f)  Marketing & Communications

(a)  Performance of a contract with you

(b)  Necessary for our legitimate interests (to recover debts due to us, to pay refunds or compensation owed to you and to prevent us facilitating fraud)

To manage our relationship with you which will include:

(a) Notifying you about changes to our terms or privacy policy

(b) Asking you to leave a review or take a survey

(a) Identity

(b) Contact

(c) Profile

(d) Marketing and Communications

(a) Performance of a contract with you

(b) Necessary to comply with a legal obligation

(c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

To respond to your enquiries or to process your requests in relation to your information.

(a)  Identity

(b)  Contact

Performance of a contract with you

To maintain a suppression list should you opt-out of receiving communications

(a)  Identity

Necessary for our legitimate interests (to ensure that we are not at risk of breaching data protection laws by communicating with you where you have asked us not to.)

To manage our relationship with you which will include:

(a)  notifying you about changes to our website, services, terms or privacy policy;

(b)  asking you to leave a review, take a survey or participate in market research; and

(c)  maintaining a record of our interactions with you when you contact us

(a)  Identity

(b)  Contact

(c)  Profile

(d)  Marketing Communications

(a)  Performance of a contract with you

(b)  Necessary to comply with a legal obligation

(c)  Necessary for our legitimate interests (to evidence our customer interactions and improve the services we offer to our customers)

To administer and protect our business and this website (including training our employees, troubleshooting, data analysis, testing, system maintenance, security audits, support, reporting and hosting of data) 

(a) Identity

(b) Contact

(c) Technical

(a)  Necessary for our legitimate interest (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)

(b)  Necessary to comply with a legal obligation

(c)  Performance of a contract with you

To help provide a safe environment for our employees, suppliers, clients and customers; to reduce the number of assaults on our employees during revenue enforcement duties; and to improve the quality of evidence available for submission to the authorities.

(a)  Identity

(a)  Necessary for our legitimate interests (to protect employee, supplier, client and customer safety and assist with the verification of claim)

To conduct health and safety assessments and record keeping; and compliance with related legal obligations.

(a)  Identity

(b)  Contact

(c)  Profile

(d)  Health

(a)  Necessary for our legitimate interest (in providing a safe and secure environment at our premises)

(b)  Necessary for compliance with a legal obligation

(c)  Necessary to protect the vital interests of any individual

To establish, exercise and defend our legal rights

(a)  Identity

(b)  Contact

(c)  Financial

(d)  Transactional

(e)  Technical

(f)  Profile

(g)  Usage

(h)  Health

(i)  Marketing Communications

(a)  Necessary for compliance with a legal obligation

(b)  Necessary for our legitimate interest (for the purpose of establishing, exercising or defending our legal rights)

 

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. 

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law

Length of time records are kept

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. 

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Sharing data collected through the website with third parties

We may share your personal data collected through the website www.ratpdevlondon.com with RATP DEVELOPPEMENT SA, our holding company, and other companies within the Group of RATP DEVELOPPEMENT SA outside the UK. The purpose for doing so is mainly to obtain support services regarding a matter.  Our website is based outside the UK so the processing of your personal data collected through the website will involve a transfer of data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: 

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data which has been recognised by the UK.
  • Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK. We have provided you with more generic details below.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK. 

Transfer or storage of personal data outside the UK

The information that we collect from you may be transferred to, and stored at, a destination outside the United Kingdom (UK). When we transfer and store your personal data outside of the UK we will ensure that it is adequately protected by using appropriate safeguards as further detailed below.
Staff operating outside the UK who work for us, or one of our suppliers, may process the information. Such staff may be engaged in, among other things, dealing with our communication with our suppliers and clients for administrative purposes or to perform a contractual arrangement with them or to support the delivery of the services or dealing with your enquiries or complaints.

Where your personal data is transferred from the UK to a recipient outside the UK in a country not recognised by the UK as providing an adequate level of protection for personal data, such transfer shall be covered by a framework recognised by the relevant authorities or courts as providing an adequate level of protection for personal data including but not limited to Standard Contractual Clauses (the agreement in the form annexed to the European Commission's decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which can be found here).

Unfortunately, the transmission of your personal data via the internet is not completely secure and although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us over the internet and you acknowledge that any transmission is at your own risk.

We may also share your personal data collected through the website to third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy. 

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

3. WHEN THERE IS AN ACCIDENT AND/OR AN INCIDENT

If you are involved in an accident or incident on or with one of our vehicles, or if you are a witness to an accident or incident, we will collect some or all the following details:

  • Name.
  • email address.
  • Phone number.
  • Address.
  • Date of birth.
  • Vehicle details.
  • Details of any injuries.
  • Details of damage to property and/or vehicles.
How we use your personal data

We use this information for investigation of accidents and incidents, handling claims and repairs to vehicles, preventing fraud and dealing with any legal actions arising from the incident or accident.

We will not pass your personal information to any other organisation for marketing purposes.

Why we retain your information

We retain your information to enable us to resolve issues and settle claims, repair vehicles, and comply with our legal obligations to support police and court actions.

Length of time records are kept

In line with our legal obligations, records are kept for 6 years unless we know that a child was involved, in which case we will keep the information for 3 years past their 18th birthday.

Sharing data with third parties

We will not pass your personal information to any other organisation for any purposes other than investigating incidents and accidents, resolving claims, repairing vehicles or participating in any resulting police or legal actions.

4. LOST PROPERTY

Personal details we hold

If you leave something on one of our buses, or if we find something on one of our buses that contains identifying materials like a driving licence, we will record some or all the following details:

  • Name.
  • email address.
  • Phone number.
  • Address.
  • Details of property.
How we use your personal data

We use this information to help us return your lost property. 
We will not pass your personal information to any other organisation for marketing purposes.

Why we retain your information

We retain your information to enable us to return property to its rightful owner.

Length of time records are kept

We will keep your details for 6 months.

Sharing data with third parties

If you have not collected your property from us within 2 days, we will send it to Transport for London (TfL) in line with the agreement we have with TfL. We will also pass on your details to TfL to enable them to deal with your property. We will not pass your personal information to any other organisation.

5.WHEN YOU CONTACT US 

We collect your information and comments when you contact us by letter, email, web form, phone or social media.

Personal details we hold

We may hold your name, address, date of birth, email address, phone number, social media name, our correspondence with you and other supporting information you may provide.

To ensure that we have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record or monitor telephone calls, however you will always be told when this happens.

How we use your personal data

This information is used for administration of correspondence as well as for fraud prevention purposes. We also use it to respond to complaints.

Why we retain your information

We retain your information to enable us to investigate and resolve complaints, respond to you in dealing with your complaint or comment and to help us understand where our services may need improvement.

Length of time records are kept

Depending on the type of records, these may be kept for up to six years.

Sharing data with third parties

We may share your correspondence with Transport for London (TfL) and other regulators or public authorities.

6. CHILDREN’S DATA

We do not routinely process children’s data, however in the rare instances that we do we may be required to gain consent from a parent or guardian to process the child’s data.

Where we chose to rely on consent as the legal basis for processing children’s personal data, consent may be required from a person holding ‘parental responsibility’.

The children’s consent must be freely given, specific, informed and unambiguous.

7. VIDEO SURVEILLANCE 

You should consult our CCTV and Audio Privacy Notice available on this website.

8. SUPPLIERS

What information do we collect?

When our suppliers contact us we use their information for the administration of our relationship and any contractual arrangements with them or to support the delivery of the services or products.
The type of personal information we may collect from you are Name, Address, Telephone number(s), Email address, Date of birth, Payment details.

Why do we need this information?

The information requested during this process is required to complete the sale of the products or services that form part of a suppliers’ contract with us. 

How long do we keep this data?

We will retain this personal information about you for as long as you or your company remain a supplier and a further three years thereafter, or until we are advised that you wish for your personal information to be removed (see your rights, below). We will also remove your information if your company requests this (if you have left the business for example).

Who will your data be shared with?

In order to process your application, we may supply personal information to credit reference agencies (CRAs). They will give us information about the persons who manage or control our suppliers, including any financial history. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at http://www.experian.co.uk/crain/index.html’.

9. STORING OF YOUR PERSONAL INFORMATION 

The information that we collect from you will only be stored in the European Economic Area (“EEA”) or, where it is necessary to disclose it to our processors located outside the EEA, other jurisdictions which are acceptable according to guidance provided by the Information Commissioner and/or where appropriate legal and security safeguards are in place.  

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed in the United Kingdom. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Please contact our data protection officer if you wish to find out more about the safeguards.

10. INFORMATION SECURITY

We use a range of appropriate technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability.  These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training.  We also consider anonymising or pseudonymising personal data where practical.

11. ASKING FOR A COPY OF YOUR PERSONAL DATA

You are entitled to request a copy of the personal information we hold about you.

For human resources related enquiries, please write to hr.enquiries@ratpdevlondon.com to make a request. 

For all other enquiries, please contact gdpr_ratpdevuk@ratpdev.com to make the request.

We may need to ask for some further information, such as checking who you are.  You can download the form here and send it to us. The form is not compulsory, but it may help deal with your request more efficiently. 
Please let us know in what format you wish to receive your information.
Sometimes we may hold information that we do not have to provide, for example it would prejudice a police investigation or if the disclosure would cause harm to another person whose personal data is inseparable from your data.
In most cases we provide the copy of your data to you for free.  We have set out some information about when it might not be free, or provided below.

For CCTV footage, please read our CCTV and Audio Privacy Notice

12. YOUR RIGHTS 

Under current Data Protection Legislation you have rights related to how we protect and look after your personal information
You have the right to ask us for your personal information that we hold and process about you. This is known as a subject access request. You can download it here and send it to us. It will help us deal with your request more efficiently.

You can also ask:

  1. That any inaccurate information we hold about you is corrected
  2. That we delete information about you in certain situations;
  3. That we stop using your personal information for certain purposes;
  4. That we don’t make decisions about you by completely automated means;
  5. That personal information you have given us be provided to you in a common machine readable format, or sent to a third party where this is technically feasible;

The rights set out above may apply in limited circumstances, and we may not always be able to comply with your request to exercise these rights. We will always try to respond to a request to exercise your rights within 30 days.  If we anticipate that we will not meet with this timeframe we will let you know within 30 days and explain what the problem is, if we are permitted to do so by law.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

Raise a concern

If you have any concern about the way we handle your personal information or we use our surveillance camera systems or audio recordings to process personal data should be addressed in the first instance to the gdpr_ratpdevuk@ratpdev.com
We have a subject access request form which is available here if this can assist with your request for information. If you have a concern regarding our CCTV systems and audio recordings, you may also wish to write using our contact form. Please also read our CCTV and Audio Privacy Notice.

We will try to address your concerns. If you have a complaint about the way we have handled your information, you can contact the Information Commissioner's Office who is the relevant authority in the UK.

13. DATA CONTROLLERS AND WHERE TO WRITE

For the purposes of the Data Protection Act 2018 and this policy, the relevant data controllers in the UK are:

London United Busways Limited

ICO number: Z5663291

London Sovereign Limited

ICO number:  Z8195056

Quality Line Transport Limited (previous name: H R Richmond Ltd)

ICO number: Z7396260

RATP Dev UK Limited

ICO number: ZA881657

Address where to write:
RATP Dev London
Garrick House
Stamford Brook Garage
74 Chiswick High Road
London W4 1SY
Attn: Data Protection Officer.

For email enquiries or requests, please email : communications@ratpdev.com

For human resources related enquiries, please write to hr.enquiries@ratpdevlondon.com to make a request. 

We keep our privacy policy under regular review. Historic versions can be obtained by contacting us.

This Policy was last updated on:  1st April 2021