1.Scope

This policy applies to all Metroline Personnel and to all Personal Data Processed by Metroline at any time, by any means and in any format.

 

2.Responsibilities

2.1 The Data Protection Officer (DPO) is responsible for ensuring that this notice is made available to data subjects prior to Metroline collecting/processing their personal data.

2.2 All Employees of Metroline who interact with data subjects are responsible for ensuring that this notice is drawn to the data subject’s attention and their consent to the processing of their data is secured.

 

3.Privacy notice

3.1 Who are we?

Since March 2000, Metroline has been a wholly owned subsidiary of Singapore based ComfortDelGro; one of the world's largest passenger land transport companies. As part of the successful ComfortDelGro Group, our main focus is to become the best London bus company in the Capital providing service to Transport for London and commercial services in Hertfordshire.

Metroline employs over 5000 people; almost 4500 of these are drivers, with a team of over 250 engineers and operates 14 garages across London from: Cricklewood Head Office, Edgware, Willesden, Willesden Junction, Holloway, Harrow Weald, Kings Cross, West Perivale, Brentford, Uxbridge, Alperton, Hayes, Greenford and Potters Bar.  Metroline also operates a purpose-built state of the art engineering facility in West Perivale called the Central Engineering and Logistics Facility (CELF).

Metroline currently operates bus routes, mostly for London Buses, and operates 2 commercial routes (routes 84 and 242) from Potters Bar Garage which serve Hertfordshire.  Metroline carries over 1 million people across London each day.

Our DPO and data protection representatives can be contacted directly here:

([email protected])

More information about Data Protection can be found on the Information Commissioners Website ico.org.uk.

The Information Commissioner is our regulator for data protection matters.

 

3.2 The personal data we collect

The personal data we would like to collect and process on you is:

Personal data type:

Source (where Metroline obtained the personal data from if it has not been collected directly from you, the data subject):

Personal information

This may include your name, address, e-mail address, phone and mobile number, bank account information, and your photograph. Metroline may request your consent before you register or submit any personal information to us when using our services, website or Apps. Please note that in respect of job applicants and employees this may also include sensitive data, such as that relating to an individual’s health. Such data is processed strictly in accordance with our Privacy and Data Protection Policy.

CCTV

CCTV surveillance is essential for many reasons including the safety and security of the public and our employees and the prevention and detection of crime. Metroline regularly review the use of surveillance systems and our CCTV policy. We will always clearly display signage so that you are aware that you are in an area where CCTV is operated and which provides contact details should you require additional information.

Disclosing personal data to the police

At our discretion, we may disclose personal data in response to valid requests from the police and other statutory law enforcement agencies.

Before we authorise any disclosure, the police have to demonstrate that the personal data is necessary to assist them in the prevention or detection of a specific crime, or in the apprehension or prosecution of an offender.

Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the Data Protection Law.

Website

From time to time, you will be asked to submit personal information about yourself (e.g. contact information; name, address and email address) in order for Metroline to contact you.

By entering your details in the fields requested, you enable us to provide you with information you require. Whenever you provide such personal information, we will treat that information in accordance with this policy.

Metroline website www.metroline.co.uk does not automatically capture or store personal information, other than logging the user's IP address and session information such as the duration of the visit and the type of browser used. This is recognised by the web server and is only used for system administration and to provide statistics.

Links to other web sites do not imply any endorsement, validation or responsibility by Metroline as to the content or privacy policies of such sites. We cannot guarantee that these links will work all of the time and we have no control over the availability of the linked pages.

Use and storage of your personal information on our Website

When you supply any personal information Metroline has legal obligations towards you in the way Metroline uses this data. Metroline must collect the information fairly, that is, Metroline must explain how it will use it and tell you if Metroline want to pass the information on to anyone else.

Metroline will hold your personal information on our systems for as long as you use the service you have requested. Metroline will ensure that all personal information supplied is held securely, in accordance with the Data Protection Legislation.

Metroline will not contact you for promotional purposes such as notifying you of improvements to the service or new services unless you specifically agree to be contacted for such purposes at the time you submit your information on the site, or at a later time if you sign up specifically to receive such promotional services.

Sharing data with third parties

Metroline may share your information within Metroline Group.  We do not share or sell your personal information to any other company for marketing purposes.

Third-party companies will be required to use your personal data in accordance with the Data Protection Legislation currently in force.

Where Metroline uses trusted suppliers to help us deliver our services to you, Metroline allow the supplier concerned limited access to the personal data they need to provide their service. A list of just some of the service suppliers are listed below:

Metroline Group pension suppliers to administer the company group pension to Employees

Medical supplier, which Metroline uses to run medicals

Website hosting companies which Metroline uses to administer our website content

Third parties which Metroline uses to analyse traffic and other pseudonymised data on our website and app and use of our services

Market research and analysis organisations working on our behalf

Organisations that support our marketing and operational activities

Fraud checking and prevention organisations

Information we receive from other sources:

Metroline works with third parties in providing services, for example Metroline engages a website platform provider and website development agency, as well as analytics providers, security and performance maintenance assistance and online survey tools. These third party companies are data processors for Metroline and only process personal information in line with our instructions.

Information you give us

You may give Metroline information about you by filling in forms on our website, subscribing to our benefits and services or by corresponding with us by phone, e-mail, social media or otherwise. This includes information you provide when you register to use our website, driver recruitment service, search for tickets, order tickets on our website, participate in discussion boards or other social media functions on our website, enter a competition, promotion or survey and when you report a problem with our website. The information you give us may include but not limited to your name, date of birth, address, country of residence, email address, photo card ID information, phone and mobile number, travel preference information and credit card information.

If you use Transport for London (TfL) contracted services

Sometimes we obtain details from third parties, for example if we have taken over a contract/bus company, or a complaint is passed to us from Transport for London (TfL) or another operator.

If you use TfL contracted services operated by Metroline the on-bus system will collect personal data from you in connection with your use of Oystercards or contactless payment cards on our buses. This data does not pass through any data management system operated by Metroline and TfL does not permit bus operators access to any personal data collected in this way.

If you want to know more about the information collected from you in connection with your use of TfL buses please contact: Customer Services, Transport for London, 14 Pier Walk, North Greenwich, London, SE10 0ES.

How we use your information:

Metroline will use the information as permitted by the Data Protection Law. Depending on how you use our services, the consent you have given, our legitimate interests, or legal obligations we may have, contact us, this will include:

For your safety and security.

For fraud and crime prevention.

To enhance your experience of our website.

To provide you with the service (Things like carrying out our obligations arising from any contracts- selling tickets, making and taking payments. For Metroline this is restricted to our commercial services.  Metroline relies on the contractual performance to process your data (legal processing), but sometimes the data is also used for our legitimate interests of health and safety, improving our services, customer service and other legal obligations, like providing information to our regulators.

To provide you with details of our services and information about travelling, and customer service (this is based on our legitimate interests, to run bus and associated services. Sometimes it is part of our contract or our other legal obligations). For Metroline this is restricted to our commercial services.

To run our services and improve them, to benefit passengers and, environment, and economy. Metroline aim to be a good employer and run our services safely - we call these our legitimate interests. Some of these things are also covered in our legal obligations, under Local Authority contracts and/or Transport for London.

Metroline has share administrative services and support. Your data may therefore be shared with them.  Metroline may also be required to pass certain customer data to a successor business, local authority or Transport for London.

The personal data we collect will be used for the following purposes:

Employee recruitment

To administer and comply with employment and other relevant UK laws when it comes to Employee Contracts of Employment and staff benefits i.e. group pension

Driver Recruitment

 

3.3 Legal basis for processing

Metroline legal basis for processing the personal data:

Necessary for performance of a contract or to comply with a legal obligation.

Legal obligation: the processing is necessary for Metroline to comply with the law (not including contractual obligations).

Our use of your data is necessary for our legitimate interests in ensuring that the service Metroline provide to you is administered effectively.

Legitimate interests: the processing is necessary for Metroline legitimate interests or the legitimate interests of a third party.

 

3.4 Types of personal information processed

A full description of the different types of personal information Metroline processes, the purpose of the processing and the legal basis for the processing is shown below:

Use of your personal data

Legal basis for processing

To carry out contract with you to provide you with products and services including purchase and issue of tickets, transportation, journey planning and travel advice.

Necessary for the performance of our contract with you or to take steps to enter into that contract.

To notify you of any changes to our service.

Necessary for the performance of our contract with you or to take steps to enter into that contract.

To provide you with marketing information via email, post or other electronic means about goods and services Metroline believes may be of interest to you.

You have given us your consent or Metroline relies on legitimate interest.

To understand the effectiveness of the online advertising we show you and to deliver relevant advertising to you via our website.

Our use of your data is necessary for our legitimate interests in ensuring that the service we provide to you is relevant.

To make recommendations via our website or app regarding goods and services we believe may be of interest to you.

Our use of your data is necessary for our legitimate interests in ensuring that the service we provide to you is administered effectively.

To ensure that the content on our website is presented to you and your computer as effectively as possible.

Our use of your data is necessary for our legitimate interests in ensuring that the service we provide to you is administered effectively.

To monitor our website and third party websites to ensure that they are functioning correctly and that you receive the correct advice.

Our use of your data is necessary for our legitimate interests in ensuring that the service we provide to you is administered effectively.

To verify and protect your personal information when using our website and when dealing with Metroline.

Our use of your data is necessary for our legitimate interests in ensuring that the service we provide to you is administered effectively.

To provide data to public authorities where legally required.

Metroline has a legal obligation to use your personal information where lawfully requested or required to do so by public authorities.

 

3.5 Consent

By consenting to this privacy notice you are giving us permission to process your personal data specifically for the purposes identified.

When Metroline is asking you for sensitive personal data we will always tell you why and how the information will be used.  You may withdraw consent at any time by sending a Withdrawal of consent email to [email protected] .

 

3.6 Disclosure

Metroline may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries.  Metroline may share your information with selected third parties including:

business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you;

analytics and search engine providers that assist us in the improvement and optimisation of our website.

 

3.7 Retention period

Metroline will process and store personal data in line with the Privacy and Data Protection Policy and the relevant Retention Procedure.

 

3.8 Your rights as a data subject

At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:

Right of access – you have the right to request a copy of the information that we hold about you.

Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.

Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.

Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.

Right of portability – you have the right to have the data we hold about you transferred to another organisation.

Right to object – you have the right to object to certain types of processing such as direct marketing.

Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.

Right to judicial review: in the event that Metroline refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in clause 3.6 below.

All of the above requests will be forwarded on should there be a third party involved (as stated in 3.4 above) in the processing of your personal data.

 

3.9 Complaints

In the event that you wish to make a complaint about how your personal data is being processed by Metroline (or third parties as described in 3.4 above), or how your complaint has been handled, you have the right to lodge a complaint directly with Information Commissioner Office (ICO) and Metroline’s Data Protection Officer.

If we don’t respond to within 30 days of your validated request or you are not happy with our response you can lodge a complaint with the ICO.

If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please contact our Data Protection Officer.  If you are not satisfied with the way in which they have handled your complaint or rights request then you can contact the Data Protection Officer by email to [email protected] or writing to Data Protection Officer, Metroline Head Office, ComfortDelGro House, 3rd Floor, 329 Edgware Road, Cricklewood, LONDON, NW2 6JP.

If you are not satisfied with the response you can complain to the ICO at Head office, Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or call 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number. Fax: 01625 524 510 or through their website ico.org.uk

 

Document Owner and Approval

The GDPR Steering Group is the owner of this document and is responsible for ensuring that this policy document is reviewed in line with the review requirements stated above.

 

This policy was approved by the GDPR Steering Group as per issue date and is issued on a version controlled basis.

 

 

Change History Record

 

Issue

Description of Change

Approval

Date of Issue

1

Initial issue

COO

21.05.18