Serco Privacy policy

Serco Caledonian Sleepers Limited – Privacy Notice – August 2020

Introduction
We are Serco Caledonian Sleepers Limited, or more simply, Caledonian Sleepers and we’re committed to protecting your privacy and personal data. 

Personal data is information (including opinions) about you and from which you could be identified, (whether directly or in combination with other information that we may have).

We have prepared this Privacy Notice so that those who use our services and otherwise interact with Caledonian Sleeper, are informed and confident about their privacy and the security of their personal information. 

This Privacy Notice may change from time to time and, if it does, the up-to-date version will always be available on our Website. We’ll also tell you about any important changes to our privacy policy.

Please read this Privacy Notice carefully. It explains:

  • who we are;
  • what types of personal data we will collect from you;
  • why and how we will collect that personal data;
  • why and how we will handle (process) your personal data;
  • our promise to look after your personal data; and
  • your privacy rights and how the law protects you.

 

Who we are

We are Serco Caledonian Sleepers Limited, and we operate the Caledonian Sleeper franchise, an overnight rail sleeper service running between London and Scotland. We are registered as a company in Scotland with Company Registration Number SC477821 and our registered offices are at Basement and Ground Floor Premises, 1-5 Union Street, Inverness, IV1 1PP. We are also registered as a data controller with the Information Commissioner’s Office and our ICO registration number is ZA230827. 

You can find out more about us at www.sleeper.scot

What types of personal data we will collect from you 

In the course of us providing services to you, we may collect personal data including within the following categories:

  • Your Personal and Contact Details: and those of any persons travelling with you, including and details of other Guests (including children and/or dependents) travelling with you
  • Public Identification Details: railcards, “Flexipass” documents, registered weapon certificates, CCTV video recordings (identifying physical characteristics) and call recordings if you contact our Guest Services Centre by Telephone 
  • Profile Data: your username and password, purchases or orders made by you, any interests communicated to us to enable the personalisation of services, travel preferences, feedback and survey responses
  • Payment information: your purchase transaction history including card payment details*, for ticket purchases or ticket upgrades. *We comply with the Payment Card Industry Data Security Standards (PCI DSS), and we have in place robust controls surrounding the storage, transmission and processing of cardholder data that we handle.
  • Booking Details: references, reservation numbers, details of your travel itinerary and on-board accommodation.
  • Correspondence: feedback, correspondence with our Guest Services Centre about your travel with us including personal information in connection with any aspect of your travel referred to the Rail Ombudsman.
  • Special Category Information: the legal definition of which includes racial or ethnic origin, religion, sexual orientation, philosophical beliefs, political opinions but in the context of our services, is most likely to be relevant to health and medical information, such as if you disclose to us accessibility or travel assistance requirements.
  • Website Access Details: your computer or mobile device’s unique identifier (e.g. IP Address), the date and time you accessed the website, passwords to access alerts preferences, browser information and information about technology on the devices you use to access this website.
  • Promotions Correspondences and Details: reference numbers and discount codes about promotions, vouchers, prize letters, competitions, and survey responses. Where possible this personal data may be anonymised.
  • Social Media Information: including social media postings made by you (posts, comments, responses or “reactions” (likes dislikes etc)) or your responses to our social media posts and campaigns. 
  • Marketing Preferences: including whether you wish to subscribe to our mailing list and including marketing preferences such as your interests and hobbies.
  • CCTV recordings: CCTV recordings on boards out trains and in Guest Lounges operated by us at [list stations where we have a CS Guest Lounge)
  • Cookies: small text files that are downloaded onto your computer or mobile device when you our website. We record minimal cookie data to help us understand your use our website, and to improve your website experience. The cookies data we collect helps us to ‘remember’ the session of your visit to our website (a ‘session cookie’) and if you make repeat visits to our website (a ‘persistent cookie’). Please refer to our cookies policy for further information about our use of cookies.
  • Aggregated Data: which would include statistical or demographic data for any purpose, for example to calculate the percentage of users accessing a specific Website feature. Aggregated Data is not considered personal data in law, because it does not directly or indirectly reveal your identity. But if the Aggregated Data is combined with other personal data to directly or indirectly identify you, we will treat this combined data as personal data and in accordance with this Privacy Notice.

You do not have to provide to us any personal data but, if you do not do so, you may not be able to purchase or make use of our products and services, or the functionality of our services may be reduced.

Why and how we will collect that personal data

This Privacy Notice applies to the personal data we collect about you, whether  that happens by phone, post, on our website (www.sleeper.scot), in person (for example in stations and on board), through our apps, through social media and when you otherwise communicate with us or which is otherwise publicly available.

The circumstances in which we may collect personal data about you includes:

 

  • in the normal course of our relationship with you (for instance when you book online, by phone or if you communicate with us to make a ‘Delay Repay’ claim, or correspond with us about your booking or travel experiences)

 

  • when you provide the data to us (for instance when you sign up to our new newsletter and/or marketing);
  • when your personal data has been made public by you (for instance if you contact us via social media) or if we obtain it from a public source (such as Companies House);
  • we receive your personal data from third parties (such as third-party booking websites, competition partners where you consent to us receiving this information, or our suppliers used to deliver our services to you);
  • when our IT systems collect data, such as:
    • automated monitoring of our websites, on station Wi-Fi services and our computer networks;
    • CCTV on our trains and in our Inverness Guest Lounge;
    • email and instant messaging systems; and
    • the call recording system for calls received into our Guest Service Centre.

Why and how we will process your personal data

Data Protection law requires that we can process personal data if we must have a proper reason to do so (known as a lawful basis for processing). This can include:

  • To fulfil a contract we have with you  – for instance to do so to enable us to provide you with the services that you have requested from us, including contacting you about your journey;
    • When it’s our legal duty to process your data (to comply with a law);
    • When it’s in our legitimate interest or those of a third party; and
    • When you consent to it.

A legitimate interest is when we have a legitimate business or commercial reason to use your information. Where we process your personal data on the basis of our legitimate interests, these are our (or our third party’s) interests in providing our services to you in an efficient and secure manner.  But even if we have a legitimate interest, the way that we use your data mustn’t unfairly go against what is right and best for you. If we are relying on our legitimate interests to process your personal data, we will tell you what that is (including within this Privacy Notice).

We have set out below a list of all the ways we may use your personal data and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.

Serving our Guests:

  • Managing your account, fulfilling your bookings and purchases
  • Managing third party products and services sold through our website or app, including the opportunity to upgrade your travel options, in conjunction with our third-party partners, including Seatfrog.
  • Keeping you safe, communicating with you and collecting and transmitting to you information about your journeys
  • Dealing with any service disruptions, and managing claims and feedback about your travel

Improving our services:

  • Analysing customer survey responses from the post trip satisfactions surveys that are sent to you by Transport Focus and Caledonian Sleepers.
  • Analysing customer responses and feedback from your communications with us, including on social media or other platforms

Running our business:

  • Detecting, monitoring, and preventing fraud, and other illegal activity
  • Responding to your requests to exercise your data protection rights
  • Financial, audit and tax reporting responsibilities
  • Responding to requests for disclosure of information (e.g. from the police)
  • Responding to media enquiries or issuing press releases

See table below if you would like to see a more detailed list, including what data we process for each purpose, the legal basis for our processing, and the period for which we keep your data. 

Sometimes there may be more than one legal basis for us processing your personal data. Please contact us if you have any queries about the specific legal basis that we rely on for processing your personal data.

When we process your personal data, we must do so:

  • lawfully, fairly and in a transparent (clear) way;
  • for lawful reasons that we’ve explained clearly to you (including within this Privacy Notice);
  • only for the purposes we’ve told you about; and
  • shared with others only as we’ve explained to you, or when you ask us to or when we are legally required to share.

And the data that we collect must be kept:

  • accurate and up to date;
  • securely and protected; and 
  • only for as long as necessary for the purposes we’ve explained to you.

In relation to your Special Category Data, we only seek to process this in circumstances where:

  • you have given us your prior and explicit consent (this could include where you consent to us processing your health information to provide travel assistance services);
  • the processing is necessary for our compliance with a legal obligation; 
  • the processing is necessary for the detection or prevention of crime (including fraud prevention)
  • you have clearly made public your Special Category Data;
  • the processing is necessary for the establishment, exercise or defence of legal rights; or
  • the processing is necessary for reasons of substantial public interest. 

 

Our websites may provide links to third party websites. Caledonian Sleeper is not responsible for the conduct of third-party companies linked to the websites and you should refer to the privacy notices of these third parties as to how they may handle your personal information.

 

Processing purposes Our reasons
Provision of services: to provide the requested services to you including communicating with you in relation to those services including contacting you if an issue arises when providing those services.
  • The use is necessary in connection with the performance of our contract with you or to take steps at your request prior to entering into a contract with us; or
  • For our legitimate interests or those of a third party providing the requested products and
  • services to you.
Fraud detection: to prevent and detect fraud against you or Caledonian Sleeper such as providing proof of identity if you request a copy of your data.
  • For our legitimate interests or those of a third party to minimise fraud that could be damaging for us and for you; or
  • To comply with our legal and regulatory obligations.
Safety: ensuring safe working practices and working environment and for staff administration.
  • To comply with our legal and regulatory obligations; or
  • For our legitimate interests or those of a third party by making sure we are following our own internal procedures and working efficiently and safely so we can deliver the best service to you.
Security: for security purposes, such as preventing unauthorised access and modifications to systems and protecting our staff, premises and vehicles with the use of CCTV recordings and call recordings.
  • For our legitimate interests or those of a third party to prevent and detect criminal activity that could be damaging for us and for you, to protect the well-being of our staff and ensuring the physical and electronic security of our business, premises and assets; or
  • To comply with our legal and regulatory obligations
IT and website operations: for the operation and management of our websites and IT systems, providing content to you and communicating and interacting with you on our website.
  • For the performance of our contract with you or to take steps at your request before entering into a contract; or
  • For our legitimate interests or those of a third party to operate our websites and IT systems including reporting faults.
Marketing: to promote our services via by email, telephone, social media, post or in person or otherwise but ensuring that such communications are provided to you in compliance with applicable law.
  • For our legitimate interests or those of a third party for the purpose of promotion; or
  • We have obtained your prior consent.
Claims and complaints handling: investigating whether there is an incident, including taking witness statements.
  • For our legitimate interests or those of a third party to investigate accidents, incidents and complaints;
  • To comply with our legal and regulatory obligations; or
  • We have obtained your prior consent.
Internal compliance: ensuring business policies are adhered to, such as policies covering security and internet use.
  • For our legitimate interests or those of a third party for the purposes of making sure we are following our own internal procedures so we can deliver the best service to you.
Investigations: detecting, investigating and preventing breaches of policy and criminal offences.
  • For our legitimate interests or those of a third party to detect and protect against breaches of our policies, applicable laws and for the establishment, exercise or defence of legal claims; or
  • To comply with our legal and regulatory obligations.

 

Legal compliance: gathering and providing information required by or in relation to audits, enquiries or investigations by regulatory bodies.
  • To comply with our legal and regulatory obligations
Quality assurance: operational reasons, such as improving efficiency, training and quality control including by reviewing call recordings for training purposes.
  • For our legitimate interests or those of a third party to provide an efficient and high-quality service to you.
Record maintenance: Updating and enhancing customer records
  • For the performance of our contract with you or to take steps at your request before entering into a contract.
  • To comply with our legal and regulatory obligations
  • For our legitimate interests or those of a third party to ensure that we can keep in touch with our customers about existing orders and new products
Research: Conducting market or customer satisfaction research, statistical analysis to help us manage our business such as analysing travel usage, engaging with you to obtain your views on our products and services, this can include interview at our stations or being contacted
  • For our legitimate interests or those of a third party to provide an efficient and high-quality service to you and meet our contractual obligations to Transport Scotland.
  • We have obtained your prior consent.
Risk management: audit, compliance, controls and other risk management.
  • For our legitimate interests or those of a third party to manage risks to which our business in exposed.

 

 How and Why We Use Your Personal Information

Data protection and privacy laws requires companies to have a “legal basis” or “lawful ground” to collect and handle your personal information. We will only collect, use and share your personal information where we are satisfied that we have an appropriate legal justification to do this, for example:

This includes if we share that personal data outside of Caledonian Sleepers.

  • it is necessary in connection with the performance of our contract with you or to take steps at your request prior to entering into a contract with us;
  • to comply with our legal and regulatory obligations;
  • for our legitimate interests or those of a third party; or
  • where you have given your prior consent.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

 

 Children’s Data

Our services are intended for users aged 18 or older and we do not knowingly collect personal information relating to individuals under the age of 18 unless provided by the parent or guardian. We do not knowingly collect or solicit personal information from anyone under the age of 18 or knowingly allow such persons to provide us with their personal information without parent or guardian consent.

If you are under the age of 18, please do not send any information about yourself to us, including your name, address, telephone numbers, or email address, unless you have your parent’s or guardian’s permission.

In the event we learn that we have collected personal information from anyone under the age of 18, and do not have a parent or guardian’s consent, we will delete that information as quickly as possible.

If you have any concerns, please contact us at GSC@sleeper.scot or call us on 0330 060 0500 (UK) or +44 141 555 0888 (Overseas).

In the event that we do hold personal data about children, we will handle that data in accordance with the terms of this Privacy Policy.

 

 Cookies

We use cookies on our websites. Cookies are small text files that are downloaded onto your device when you visit a website. The cookies on our websites record minimal personal data for the purposes of analysis, to help us understand of how people use our website, to improve your experience, by enabling the websites to ‘remember’ you, both for the duration of your visit (using a ‘session cookie’) and for repeat visits (using a ‘persistent cookie’). Please refer to our cookies policy for further information about our use of cookies.

 

When Is Special Category Information Collected?

Special category personal information is particularly sensitive personal information as defined by the GDPR including information which reveals racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or data concerning health or sexual orientation.

Caledonian Sleeper does not collect special category personal data as a matter of course, however we may on occasion handle such data where, for example, the passenger may: (i) require assistance for a disability; (ii) wish to declare specific medical conditions or dietary requirements; or (iii) share sensitive details in their communications with us.

Where special category personal information is involved, we will handle that information in accordance with applicable law, including where:

  • we have your explicit consent – including where you voluntarily provide us with that information;
  • the law permits us to do so, to comply with our legal obligations or to exercise specific legal rights;
  • you have clearly made the information public;
  • processing is necessary for the establishment, exercise or defence of legal claims; or
  • processing is necessary for reasons of substantial public interest.

 

 Direct Marketing

We may use your personal information to send you updates (by email, text message, telephone or post) about our services including exclusive offers, promotions or products that we believe will be of interest to you.

We have a legitimate interest in processing your personal information for promotional purposes (see above ‘How and Why We Use Your Personal Information’). This means we do not always need your consent to send you promotional communications. However, where consent is needed, we will ask for this consent separately and clearly.

You can subscribe to our marketing list by selecting the option to receive marketing communications when booking on our website . You may also choose to receive promotional information from us when entering third party competitions and explicitly consent to being contacted by us.

We will always treat your personal information with the utmost respect and never sell your information, or share with other organisations without your prior permission for marketing purposes. We will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications which we believe may be of interest or relevance to you.

Where applicable, you may opt out of receiving marketing communications by:

  • using the unsubscribe option included on all Caledonian Sleeper marketing correspondence;
  • writing to us at Marketing Department, Caledonian Sleeper Limited, 1 Union Street, Inverness, IV1 1PP; or
  • sending us an email to communications@sleeper.scot. Please ensure your correspondence is marked ‘Unsubscribe: Marketing Contact List’ and include your full name, email and telephone number to ensure your details are fully deleted from our direct marketing system.

 

 Call Recording

We may record telephone conversations of calls which come into the Guest Service Centre telephone system on either (0330 060 0500 (UK) or +44 141 555 0888 (Overseas). The system does not currently record the content of any telephone conversations outside of this system.

We advise all incoming callers to the Guest Service Centre by recorded message that they are being recorded.

We record calls based on the following legitimate purposes:

  • to provide you with the services you want to reserve;
  • to establish the facts in the event of a complaint, claim or query from a caller and to monitor compliance with our customer service standards;
  • to assist in ensuring compliance with regulatory procedures and to provide evidence for any regulatory investigation;
  • to help protect Guest Service Centre staff from abusive or nuisance calls;
  • to assist in identifying any training requirements or coaching needs for Guest Service Centre staff;
  • to assist in internal Caledonian Sleeper disciplinary actions; and
  • to detect and prevent crime.

 

    • Call recordings will be stored for 434 Days from the date of their recording unless there is a relevant incident, complaint, investigation, legal proceedings or legal obligation which requires us to retain the recording for longer. The recordings shall be stored securely, with access to the recordings controlled and managed by the Guest Experience Director and Guest Service Centre Manager. Access to the recordings is only permitted to satisfy a clearly defined business need and reasons for requesting access must be formally authorised by the Guest Service Centre Manager. Browsing of recordings without valid reason is not permitted. Please note that calls received by the Guest Service Centre via the Caledonian Sleeper digital information totems available at some stations will not be recorded.

 

 CCTV

We currently have closed circuit television (CCTV) operating in our lounge in Inverness for the primary legitimate purposes of: (i) public and staff safety, (ii) crime prevention, detection and deterrence; and (iii) to assist and improve customer service. For these reasons, the information processed may include visual images, personal appearance and behaviours of staff, guests and general members of the public who were in the immediate vicinity of the area under surveillance.

There may be CCTV operating at other lounges, at the stations we use and at other sites where we might operate, however we are not the data controllers for those systems and you will need to contact those operators for details about their CCTV privacy policies.

The new fleet of Caledonian Sleeper MK5 coaches have CCTV installed, and are operated subject to the conditions of this Privacy Policy.

We display signs in the lounge to inform guests and other individuals that they are under surveillance and may be video recorded. This information is kept in secure environments and access is restricted to Caledonian Sleeper designated security trained staff and any use shall follow the Caledonian Sleeper security and privacy policies.

We retain CCTV recordings centrally for up to 30 days, and for a longer period if they are relevant to an incident, complaint, investigation, legal proceedings for as long as legally required by regulatory bodies and law enforcement agencies.

 

Sharing Your Personal Information with Others

We will only disclose personal information to a third party in very limited circumstances, or where we are permitted to do so by law. The third parties we may share your personal data with include:

  • other organisations within the Serco group of companies, where such disclosure is necessary to provide you with our services or to manage our business;
  • the Scottish Ministers, which may include for the purposes of contract management review guest satisfaction information and details about complaints received;
  • third parties we use to help deliver our products and services to you, e.g. banks and payment providers,
  • other third parties we use to help us run our business (e.g. marketing agencies, IT support service providers, station operators, analysis experts, communication platform providers);
  • third parties approved by you (e.g. when you request your details to be transferred);
  • our professional advisers (e.g. law firms, insurers and brokers); and/or
  • Government, regulatory and law enforcement bodies where we are required in order:
    1. a) to comply with our legal obligations;
    2. b) to exercise our legal rights (e.g. pursue or defend a claim); and
    3. c) for the prevention, detection and investigation of crime. 

How we share non-personal information to operate auctions 

  • To operate the auctions, Seatfrog must access and cancel your original booking, and reserve the upgraded rooms. 
  • Before each auction and to make the auction available to as many eligible* Guests, we share with Seatfrog some non-personal anonymised information, even if you choose not to participate in an auction.
  • *Eligibility* depends on things like the type of ticket you’ve purchased and how busy the train is.
  • We’ve taken care to ensure the only information we’ll share is the booking reference numbers for eligible travel reservations. Real-time travel upgrade auctions  

From 2020, we’ll be working in partnership with Seatfrog Ops Limited to operate online auctions, so that you can bid for or purchase upgrades to your travel accommodation on our trains (auctions). 

Here’s what you need to know:

  • We share this non-personal information based on our legitimate interests to:
    • offer our Guests the opportunity to buy and experience upgraded travel; and
    • maximise the capacity and economic and environmental efficiency of our train services. 
  • This means that we don’t rely upon consent to process and share your booking references with Seatfrog. 

How we tell you about our auctions

  • We respect your legal rights in relation to ‘Direct Marketing’ and so we’ll never contact you with the purpose of marketing Seatfrog’s services or our auctions. 
  • When you book travel with us directly, you’ll receive a “pre-trip email” with information about:
    • your travel itinerary, boarding and departure times
    • features of your booked accommodation
    • food and refreshments available on the train 
    • information about our station lounges
    • a link to our website featuring information about how to participate in auctions
  • If you decide to participate in an auction, you’ll need to sign up to Seatfrog’s app and terms and conditions.
  • Then, once you’ve upgraded your travel, Seatfrog confirm the details to us, so that our hosts can board you into your upgraded room. 
  • Seatfrog are our data Processor for the anonymised non-personal information that we send them. 
  • Seatfrog are a data controller in respect of personal information the collect directly from you from their mobile app, including payment card details that you use to purchase your travel upgrade. 
  • You can find out more by visiting Seatfrog’s website.

We may transfer your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets, or in the event there is a change of franchisee or a hand back to the franchisor (the Scottish Ministers), provided that the receiving party agrees to treat your personal information in a manner consistent with this Privacy Policy.

Less commonly, we may process and share your personal data with third parties where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent.

We also impose data protection obligations on contracted third parties to ensure they can only use your data to provide services to Caledonian Sleeper for the purposes listed above. The third parties cannot pass your details onto any other parties unless instructed to by Caledonian Sleeper.

We may transfer your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets, or in the event there is a change of franchisee or a hand back to the franchisor (the Scottish Ministers), provided that the receiving party agrees to treat your personal information in a manner consistent with this Privacy Policy.

Less commonly, we may process and share your personal data with third parties where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent.

We also impose data protection obligations on contracted third parties to ensure they can only use your data to provide services to Caledonian Sleeper for the purposes listed above. The third parties cannot pass your details onto any other parties unless instructed to by Caledonian Sleeper.

 

Transferring Your Personal Information Globally

The personal information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) (for example, in the USA). It may also be processed by staff operating outside the EEA who work for us or for one of our service providers.

We will take appropriate steps to ensure that transfers of personal data are in accordance with applicable law and carefully managed to protect your privacy rights and interests. Transfers are limited to countries which are recognised as providing an adequate level of legal protection or where we are satisfied that alternative arrangements are in place to protect your privacy rights. To achieve this:

  • we ensure transfers within Serco Group are covered by an intra-group data sharing agreement entered into by all entities within Serco Group, which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection.
  • we will, when transferring personal data to third parties outside the EEA:
    1. put in place binding corporate agreements,
    2. which will include the standard contractual clauses approved by the European Commission for transferring personal information outside the EEA, to ensure that your information is safeguarded; or
    3. ensure that the country in which your personal information will be handled has been deemed “adequate” by the European Commission or is registered and compliant with a Privacy Shield regime.
  • we carefully validate any requests for information from law enforcement or regulators before disclosing the information.

We will always co-operate with any regulators as required by law to ensure that we remain transparent about the way we handle your personal information.

In any case, our transfer, storage and handling of your personal information will continue to be governed by this Privacy Policy. If you would like further information about the global handling of your personal information, please contact us at GSC@sleeper.scot.

 

 Security of Your Personal Information

Caledonian Sleeper takes precautions including administrative, technical and physical measures to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, modification, disclosure, alteration and destruction. We protect personal data using a variety of security measures including:

  • password access;
  • data back-up;
  • encryption;
  • firewalls;
  • destroying personal information if it is no longer needed for the purposes it was collected;
  • placing confidentiality requirements on employees and service providers and providing training to ensure that your personal data in handled correctly; and
  • secure physical storage units for hard copy files with appropriate security restrictions, preventing damage, and unauthorised access to your personal information.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our websites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

 

 How Long Do We Keep Your Personal Information?

We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this Privacy Policy. Data Retention periods will vary depending on criteria for collection: 

  • Retention for the fulfilment of the contract. We will retain your booking details (Name, Email, Address & Telephone number) for 6 years from the date of travel in order to comply with our obligations as a Data Controller to prevent fraud and other crimes.

 

  • We may store your personal information for a longer period of time, for instance where we are required to do so defend any claim brought against us, and for any legal, regulatory, tax and/or accounting requirements.

 

Where your information is no longer needed, we will ensure that it is disposed of in a secure manner. 

 

 Your Legal Rights in Respect of Your Personal Information

You have legal rights in connection with personal information. Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Portability of the personal information you provided us, in certain situations.
  • firewalls;
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
  • Object to processing of your personal information by us or on our behalf for direct marketing (including profiling) and in certain other situations (such as processing carried out for legitimate interests).
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.
  • Withdraw Consent to processing where the legal basis for processing is solely justified on the grounds of consent (please refer to section 10 for details about withdrawing consent to marketing).

If you would like to exercise any of these rights, please submit your requests to the Data Protection Champion at the following details:

Data Protection Champion Legal Department, Caledonian Sleeper, 1 Union Street,
Inverness, IV1 1PP

Email: GSC@sleeper.scot Telephone: 0330 060 0500 (UK) or +44 141 555 0888 (Overseas)

Please note, to ensure security of personal information, we may ask you to verify your identity before proceeding with any such request.

 

 Requests About Your Child’s Information

We hold very little data about children under the age of 18 and do not actively market to them. Children have the same rights over their own personal information as adults. However, as young children may not understand these rights or are not capable of exercising these rights, in some cases their parents may do so on their behalf.

Caledonian Sleeper takes the protection of children’s personal information very seriously and needs to be very careful about disclosure. If we are in any doubt as to whether the parent or guardian is entitled to make a request on their child or ward’s behalf, then we may refuse to comply with their request.

 

Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Policy. If you have any questions about this Privacy Policy or how we handle your personal information, please address to:

Data Protection Officer
Serco Ltd
Enterprise House

18 Bartley Wood Business Park
Bartley Way

RG27 9XB

Alternatively, please email dpo@serco.com or call +44 (0)1256 745900.

 

 Complaints

You also have the right to contact the Information Commissioner’s Office and file a complaint (https://ico.org.uk/concerns/ or telephone: 0303 123 1113). The Information Commissioner’s Office will then investigate your complaint accordingly.

We ask that you please attempt to resolve any issues with us first, although you have a right to contact the Information Commissioner’s Office at any time.

 

 Changes to This Privacy Policy

We may amend this Privacy Policy from time to time to keep it up to date with legal requirements and the way we operate our business. This Privacy Policy was last reviewed and updated in August 2020.

Please regularly check this page for the latest version of this Privacy Policy. If we change this Privacy Policy, we will post the new policy on this website.

 

Overview

  • Our Parent Company, Serco Limited has appointed a Data Protection Officer, responsible for the Serco Group’s approach to data protection and protecting your privacy. You can contact them at DPO@serco.com. Within Caledonian Sleepers we have appointed a Data Protection Champion, who can be contacted at GSC@sleeper.scot
  • Data Protection Laws require us to process (i.e. handle) your personal data only where we have a legal basis for doing so. We will only ever process your personal data in compliance with applicable law. 

 

  • We process your personal data in the course of providing services to you,
  • We may share your personal data with our third-party suppliers, including payment processors and data analysts, to enable the efficient and secure provision of services to you. Except as explained in this privacy policy, we will not share your data with third parties without your consent unless required to do so by law.

 

  • We will keep your personal data for as long as we need it. How long we need your personal data depends on what we are using it for, whether that is to provide services to you, for our own legitimate interests (described below) or so that we can comply with the law. We will actively review the information we hold and when there is no longer a customer, legal or business need for us to hold it, we will either delete it securely or in some cases anonymise it.

 

  • We may transfer your personal data to a recipient located outside of the European Economic Area (EEA). If we do this, we will ensure that the transfer mechanism provides an adequate level of protection, which has been recognised by the European Commission.

 

  • You have important rights under laws aimed at protecting your personal data. This policy sets out your rights and how you can exercise them. [For more information, read section 12.] 

 

  • You also have the right to make a complaint to the Information Commissioner’s Office if you are unhappy with how we have handled your personal data.