Privacy notice

Introduction

We take your privacy very seriously.

This Privacy Notice (this “Notice”) sets out how we use and protect your personal data. It is intended to comply with both the United Kingdom General Data Protection Regulation (UK GDPR) and, where applicable, the European Union General Data Protection Regulation (EU GDPR).

Please read this Notice, and any other privacy notice or fair processing notice we may provide on specific occasions, carefully as it is intended to help you understand what information we collect, why we collect it, and how you can update, manage, export and delete your information. This Notice supplements such other privacy notices and privacy notices and is not intended to override them.

WHO WE ARE

We are ATOC Limited, a company registered in England and Wales (Company No. 03069033) and having its registered office located at First Floor North, 1 Puddle Dock, London, EC4V 3DS. We operate and trade as the Rail Delivery Group a membership organisation which brings together the companies that run Britain’s railway into a single team with one goal - to deliver a better railway for you and your community.

ATOC Limited trading as the Rail Delivery Group (“RDG”) is the party responsible for operating and providing the following websites to which this Notice applies:

collectively the “Websites”.

Accordingly, RDG is the controller and is responsible for your personal data when using the Websites. This means RDG determines what data is collected, how this data is used and how it will be protected in accordance with applicable data protection laws, including (but not limited to) the UK GDPR and/or applicable ePrivacy laws, as may be amended and / or replaced from time to time, including by the Data (Use and Access) Act 2025. For the avoidance of doubt, references to “RDG”, “we”, “us” and / or “our” throughout and within this Notice are references to ATOC Limited trading as the Rail Delivery Group.

CONTACT US

Please use the following details to contact us:

By email: This email address is being protected from spambots. You need JavaScript enabled to view it.

By mail: First Floor North, 1 Puddle Dock, London, EC4V 3DS

DATA PROTECTION OFFICER

We have appointed GRCI Law Limited as our Data Protection Officer (or DPO). Our DPO is responsible for overseeing questions in relation to this Notice.

If you have any questions or queries about this Notice, our privacy practices or how we handle your personal data, please contact our DPO at This email address is being protected from spambots. You need JavaScript enabled to view it.

WHAT IS MEANT BY PERSONAL DATA / PERSONAL INFORMATION?

Personal data (sometimes also referred to as “personal information”) is information which identifies you as an individual. Examples of personal data include anything which may identify you, such as your name, address, bank account details, internet protocol (IP) address, username or another identifier.

Some personal data is unique to you and therefore requires greater protection. This data is referred to as sensitive or special category data which includes information regarding your health, genetic or biometric information, religious or philosophical beliefs, race, or ethnicity to provide a few examples.

Further information about sensitive or special category data is given in the section of this Notice entitled “SENSITIVE OR SPECIAL CATEGORY DATA”.

WHERE WE GET YOUR PERSONAL DATA FROM

We collect personal information from you:

Directly: for example, when you:

enter or send us information, such as when you register with us to use our members’ area,

fill out forms provided via our Websites, for example in relation to rail staff travel and eligibility,

correspond with us via our Websites and / or by e-mail, telephone or through our social media platforms.

apply for a vacancy with us; or

Indirectly: for example:

through your browsing activity while on our Websites. This may include (but is not limited to) the time and date you access the Websites and the pages you access.

from other third parties, for example when you attend events, webinars, or promotions that we sponsor.

from service providers for example in relation to bookings, partners, or business networking platforms, such as X and LinkedIn.

We will also collect information indirectly using the technologies explained in the section entitled “COOKIES AND OTHER TRACKING TECHNOLOGIES” below.

NON-PROVISION OF REQUIREDPERSONAL DATA

Where we need to collect personal data from you, for example to enable us to provide services to you, and you fail to provide the data requested we may be unable to provide the relevant services to you.

WHAT PERSONAL DATA WE COLLECT ABOUT YOU

We may collect, use, store and transfer different kinds of personal data about you. What types of personal data we collected about you will depend on our relationship with you and which Websites you engage with, and may include the following:

Candidate Data: this may include information you have provided to us in your curriculum vitae, skills summary, covering letter and/or application particulars, including name, title, address, telephone number(s), personal email address, date of birth, job title, job role, location, employment history, education history and qualifications, areas of specialisms, registrations with professional bodies and salary expectations.

Communication Data: includes information you provide when contacting us through our Websites or by email or other communication channels.

Contact Data: may include (business and / or private) email address, telephone number(s) and addresses.

Eligibility Data: may include any information you may submit to us regarding your, or a family member or other dependent’s, eligibility for rail staff travel privileges which may include (but is not limited to) birth certificate, adoption certificate, guardianship order, marriage certificate, civil partnership certificate, partner or cohabitation declaration, proof of unemployment, proof of address and / or information contained in statutory declaration documentation.

Identity Data: may include name, title, gender, date of birth, age, passport information and any other identity data that you may include in your communications with us (including but not limited to) on any forms you submit to us or where you submit a CV or job application to us.

Images: including photographs and video footage.

Immigration Status Data: inclusive of evidence of right to work and / or visa status.

Location Data: may include your address, phone dialling code, region, county and / or country.

Marketing Data: may include your preferences in receiving marketing (inclusive of surveys) from us, and your communication preferences.

Payment Data: details of payment method, inclusive of cheques, postal orders, bank account details; and / or payment card details inclusive of cardholder name, billing address, credit/debit card long number, expiry date, and security code.

Professional Data: may include job title, industry sector or an organisation worked for or represented.

Profile Data: means information supplied to enable the creation and use of a profile on our Websites, including first name, last name, display name, personal phone number, business phone number, personal email address and business email address.

Referral Scheme Data: includes names of persons referring candidates for vacancies with us.

Sensitive Data: may include special categories of personal data as described in this Notice. This may include information relating to race, ethnicity, religion, disability status and / or sexual orientation.

Technical Data: may include your IP address, your login data, browser type and version, time zone setting and location, browser plugin types and versions, operating system and platform, and other technology on the devices you use to access our Websites.

Usage Data: may include website user stats and information about how you use our Websites and resources and information regarding what pages are accessed and when.

SENSITIVE OR SPECIAL CATEGORY DATA

In connection with our operations, including recruitment and our handling of applications for rail staff travel privileges, we may collect and process personal data which is more sensitive in nature. This is referred to as “special category data” and is more particularly defined under applicable data protection laws, including the UK GDPR and EU GDPR. This data may include:

Information about your race, ethnicity, or nationality, religious beliefs, and/or sexual orientation.

Information about your health, including medical conditions, disabilities, and health or sickness records.

We will only process such personal data where:

It is necessary to fulfil our legal obligations (e.g., compliance with employment laws).

It is necessary in relation to the applications for family member rail staff travel privilege entitlements.

You have provided your explicit consent

Additional information in relation to our use of special category data at Part B of the section of this Notice entitled “Further details about the processing we carry out”.

We have implemented appropriate policies and safeguards, as required by law, to ensure the secure and lawful processing of special category data. For more information on these safeguards, or to request further details about how we handle this type of data, please contact us using the contact details provided in this Notice.

CHILDREN’S DATA

Our Websites are not specifically directed at children under the age of 18 (“Minors”). However, we may collect and process personal data relating to Minors where this is necessary in connection with the provision of our services, including the provision of rail travel bookings and other travel services, and the provision and administration of staff travel benefits (including the issue of travel cards to eligible dependents).

Where we collect personal data relating to Minors, we expect that such personal data shall be provided to us by a parent, legal guardian or other authorized adult having parental authority for the relevant Minor. We take appropriate measures to safeguard personal data relating to Minors.

If you believe that a Minor’s personal data has been provided to us without appropriate authority, please contact using the contact details set out in this Notice. If we become aware that we have inadvertently collected personal information from or relating to a Minor without appropriate parental or legal guardian’s consent, we will take steps to delete the information as soon as possible.

If you believe we may have inadvertently collected data from a child, please contact us at This email address is being protected from spambots. You need JavaScript enabled to view it..

DATA ACCURACY

It is important that the personal data we hold about you is accurate and current. You have the right to request correction of any inaccurate or incomplete personal data we hold about you.

Please keep us informed if your personal data changes during your relationship with us. You can do this by completing our online form or otherwise, by contacting us using the contact details set out in the “CONTACT US” section of this Notice.

OUR LAWFUL BASIS FOR COLLECTING YOUR PERSONAL DATA

We need your personal information to conduct our business, provide our services and provide you with our Websites.

We will only collect, process and/or use personal information where we are satisfied that we have an appropriate legal basis to do so. Most commonly we will use your personal information in the following circumstances:

The processing is necessary to enable us to perform a contract with you or at your request prior to entering into a contract.

The processing is necessary to enable us to contact you regarding your communications with us and / or in relation to applications you make for vacancies with us or in relation to the allocation of rail staff travel privileges.

It is in our legitimate interest to use personal information in such a way to ensure that we operate and provide our services and Websites in the best way that we can, to protect the security of our Websites and to detect or prevent fraud. Where we process on the basis of our legitimate interest, we ensure that your interests, rights and freedoms are carefully considered.

it is our legal obligation to use your personal information to comply with any legal obligations imposed upon us.

Please contact us if you have any questions about how and / or why we use your personal data.

YOUR RIGHTS

Depending on your location and applicable data protection laws, you may have certain rights regarding your personal data. These rights may include the right to access, correct, update, or delete your data; the right to restrict or object to certain types of processing; the right to data portability; and the right to withdraw your consent where processing is based on consent. You may also have the right to lodge a complaint with a supervisory authority.

To exercise your rights or for more information, please contact us by filling out our online form or otherwise, by contacting us using the contact details set out in the “CONTACT US” section of this Notice.

We will review and respond to your request in accordance with applicable data protection laws. Please note that we may need to verify your identity before processing certain requests.

For more information about our basis for processing your personal data see the section below entitled: “ADDITIONAL INFORMATION ABOUT OUR PROCESSING ACTIVITIES”.

WHO WE SHARE YOUR PERSONAL DATA WITH

Internally:

We may share information within RDG and with our members. We may do this for legitimate business purposes, such as for the purposes of providing our Websites and services, for managing our internal operations, and / or for improving consumer and member experience.

Externally:

We will only share personal information with third parties where there is a lawful basis for us to do so. Where we share your personal data with third parties, we will only do so insofar as is reasonably necessary to enable us to deliver our Websites and services to you and for the purposes set out in this Notice. We shall ensure that such third parties are bound to maintain the confidentiality, safety, and security of the personal data we share with them and shall handle it in accordance with applicable data protection laws.

We may share your personal data with the following third parties:

Service providers, including those offering IT, system administration, administrative support and software services.
Third parties Involved in the provision of our services, such as webinar hosts.
Oversight bodies, such as the Department for Transport.
Analytics providers, such as Google Analytics, to assist us with insight analytics.
Legal authorities, such as law enforcement agencies, judicial bodies, tax authorities, or other government and regulatory entities, where required by law.
Third parties involved in our business transactions: for example, as part of a proposed sale, reorganisation, transfer, financial arrangement, asset disposal, or similar transaction related to our business or assets.
Other parties with your permission: We may share data with other third parties explicitly authorised by you.

This list is non-exhaustive, and there may be other situations where we need to share your personal data to effectively provide our Websites and services.

We only share your personal data with organisations that implement appropriate measures to protect your information. Contractual obligations are imposed on these organisations to ensure they use your data solely for the services they provide to us or to you.

We will not share your personal data with any other third party without your explicit consent, unless required or permitted by law. The specific information shared will depend on your interactions with us and will always be limited to what is necessary for the intended purpose.

INAPPLICABILITY OF THIS NOTICE TO THIRD PARTIES

Please note, this Notice does not apply to personal data collected directly by third-parties who may share information with us. We strongly encourage you to review the privacy policies of any third-parties before submitting your personal data to them.

TRANSFERRING YOUR PERSONAL DATA OVERSEAS

We may transfer your personal data to service providers that carry out certain functions on our behalf. This may involve transferring personal data outside the UK and / or EEA to countries which have laws that may not provide the same level of data protection as is provided under the law applicable within the UK and the EEA.

To safeguard your personal information, we ensure that all international transfers comply with applicable data protection laws, including the UK GDPR and, where applicable, EU GDPR.

We undertake thorough due diligence and risk assessments before any data transfer, ensuring your information has an appropriate level of protection. Where required, we implement legal safeguards such as Standard Contractual Clauses (SCCs) or other approved mechanisms to ensure your data is handled securely and lawfully.

For further details about the measures, we use to protect your personal information when it is transferred internationally, please contact us at This email address is being protected from spambots. You need JavaScript enabled to view it..

THIRD PARTY LINKS

Our Websites may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.

We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Websites, we encourage you to read the privacy notice of every website you visit.

PAYMENT PROCESSING

We may provide paid products and/or services via some of our Websites. Where that is the case, we use third-party services for payment processing (e.g. payment processors). We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their own privacy notice.

The payment processors we use adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort between brands such as Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

WITHDRAWAL OF CONSENT

Where we are relying on consent to process your personal data, you have the right to withdraw your consent to our doing so at any time. However, your withdrawal of consent will not affect the lawfulness of any processing carried out before you withdraw your consent.

Please also be aware that if you withdraw your consent, we may not be able to supply certain products or services to you.

If you wish to withdraw your consent, please contact us by filling out our online form or otherwise by contacting us using the contact details set out in the “CONTACT US” section of this Notice.

AUTOMATED DECISION MAKING AND PROFILING

We do use some automated decision-making in our recruitment process in terms of candidate screening as well as for targeted cookies where these are accepted by the customer or user. We may also use automated decision making for the issuance of customer surveys for instance after a Days Out Guide voucher has been purchased. In terms of partial automated decision making in our recruitment process, this is used to quickly screen high volumes of applications, however this is not a fully automated decision-making process and involves human review and screening. Human review is conducted for any or partial automated decision making that takes place.

Some of our marketing activity may also involve partial low risk customer or user profiling for the purposes of personalising and providing more targeted marketing to customers. However, we do not carry out fully automated decision‑making that produces legal or similarly significant effects to customers as this process will also include human review and decision making too.

We can confirm we do not use automated decision making or conduct profiling involving special category data.

Where automated decision making or profiling is conducted as described above, you have the right to:

Obtain human intervention
Express your point of view
Contest the decision

If you have any questions regarding automated decision making or profiling, please contact us at this email address: This email address is being protected from spambots. You need JavaScript enabled to view it.

USE OF ARTIFICIAL INTELLIGENCE

We use artificial intelligence (AI) technologies to analyse personal data and support the delivery of our services. This may include identifying patterns, generating insights, or assisting our staff in decision making processes. The AI technologies we use are deployed solely as a tool to assist humans and no decisions with legal or similarly significant effects are made by automated means.

The categories of personal data we may process using AI technologies will depend on the purpose of processing. Processing of personal data using or supported by AI technologies will only take place where a lawful basis permitting the relevant processing is in place.

Further information about the ways in which we use of AI technologies is set out as the section of the Notice entitled “Further details about the processing we carry out.”

Our use of AI technologies is monitored to ensure accuracy, fairness and compliance with data protection principles.

HOW WE KEEP YOUR PERSONAL DATA SECURE

We are committed to protecting your personal data and have implemented a range of appropriate technical and organisational measures to safeguard it from loss, misuse, unauthorised access, alteration, or disclosure. These measures include secure IT infrastructure, access controls, encryption, and regular staff training on data protection.

Access to your personal data is restricted to employees, agents, contractors, and other third parties who have a legitimate business need to know. They are required to follow our instructions when handling your data and are bound by duties of confidentiality.

We continuously monitor and review our security practices in line with changes in technology, evolving threats, and updated legal or regulatory requirements. This includes carrying out regular risk assessments and maintaining a tested incident response plan to address any suspected data breaches. Where legally required, we will inform you and the relevant authorities without undue delay.

However, no security system is entirely foolproof. While we take all reasonable steps to protect your data within our systems, we cannot guarantee the security of information transmitted over the internet or processed outside our direct control. You are responsible for safeguarding any login credentials and for using caution when sharing personal data online. We do not control the security of your device or the network path used to connect to our services.

STORAGE AND RETENTION OF YOUR PERSONAL DATA

We will keep your personal information, in line with our data retention and destruction policy and applicable law and for no longer than is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, reporting or other valid business requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

COOKIES AND OTHER TRACKING TECHNOLOGIES

Each time you interact with our Websites we may, depending on the consent provided and your jurisdiction, automatically collect personal information, including technical data about your device, your browsing actions and patterns, content and usage data. We collect this data using cookies and other technologies such as anonymous identifiers, container tags, and other similar technologies like pixels, tags and other identifiers in order to optimize our services, analyse our performance and customize your experience. These technologies may be temporarily stored on your device. Some cookies and similar technologies are used to retrieve personal information, like an IP address, that you have previously provided.

Where required by law, such as under the UK GDPR and EU GDPR we ask for your consent before setting non-essential cookies. You can set your browser or mobile device to refuse all or some non-essential cookies, or to alert you when cookies are being sent. If you disable or refuse cookies, please note that some parts of our Websites may then be inaccessible or may not function properly.

You can manage your cookie preferences at any time through our cookie settings tool or your browser.

For more information about cookies, please visit Your Online Choices at http://www.youronlinechoices.com/uk/. To learn more about our practices concerning cookies and other tracking technologies please see our Cookie Policy.

ADDITIONAL INFORMATIONABOUT OUR PROCESSING ACTIVITIES

We are subject to the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU General Data Protection Regulation (EU GDPR) in relation to services we offer to individuals and our operations.

Further details about the processing we carry out

The table below describes the ways we plan to use your personal data, and which lawful bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

PROCESSING PURPOSE	TYPES OF PERSONAL DATA PROCESSED	LAWFUL BASIS	EXPLANATION OF LEGITIMATE INTEREST (IF APPLICABLE)
To provide our services: includes set up and management of profiles, fulfilment of transactions, and performance of contractual obligations	Communication Data; Contact Data; Eligibility Data; Location Data; Profile Data Identity Data; Sensitive Data Technical Data	Contractual Necessity (UK GDPR, Article 6(1)(b))	N/A
To maintain and improve our Websites and services: includes management of the Websites in order to identify areas for improvement or update	Communication Data; Location Data; Technical Data; Usage Data	Legitimate Interests (UK GDPR, Article 6(1)(f))	Necessary to ensure the quality, integrity and security performance of our Websites and service provision
To provide and manage our Website services: includes enabling access to user accounts and delivering requested services	Communication Data; Technical Data; Usage Data (where necessary for service delivery)	Contractual Necessity (UK GDPR, Article 6(1)(b))	N/A
Service updates and support: includes the provision of member support and troubleshooting assistance	Communication Data; Contact Data; Identity Data; Location Data; Technical Data; Usage Data	Contractual Necessity (UK GDPR, Article 6(1)(b))	N/A
Fraud prevention: includes detecting and preventing fraud and fraudulent activities	Contact Data; Communication Data; Identity Data; Location Data; Technical Data; Usage Data	Legitimate Interests (fraud prevention) (UK GDPR, Article 6(1)(f))	Ensures the integrity, safety, and quality of services, protecting both our members and RDG from potential risks, while improving / maintaining the quality of service delivery.
To conduct validity checks on issued Railcards	Railcard number, Railcard type Railcard Surname	Legitimate Interests (fraud prevention) (UK GDPR, Article 6(1)(f))	Real-time validation of Railcards, flag Railcards that become invalid (e.g., reported lost or stolen), identify Railcard customers that engage in fraudulent activity and prevent financial loss.
Service security: ensuring the security of our Websites and services	Identity Data; Technical Data; Usage Data	Legitimate interests (security) (UK GDPR, Article 6(1)(f))	Necessary to protect against unauthorized access and to enhance service reliability, to ensure secure and consistent user experience.
Legal compliance: compliance with legal obligations	Potentially all data types in scope	Legal obligation (UK GDPR, Article 6(1)(c))	N/A
Recruitment: processing candidate job applications, screening candidates contacting candidates, performing pre-employment checks as part of the recruitment process and making hiring decisions	Candidate Data; Communication Data; Contact Data; Identity Data; Images; Immigration Status Data; Location Data; Professional Data	Contractual Necessity (UK GDPR, Article 6(1)(b))	N/A
Recruitment: supporting internal recruitment processes, referral schemes, workforce planning, and improving efficiency	Candidate Data; Communication Data; Referral Scheme Data	Legitimate interests (UK GDPR, Article 6(1)(f))	Necessary to enable facilitation of efficient hiring practices and support of company growth and operational needs.
Recruitment: collection and processing of sensitive data for voluntary diversity monitoring	Sensitive Data	Consent (UK GDPR, Article 6(1)(a))	N/A
Managing our business: maintaining and monitoring our Websites and services, and the performance and improvement of same	Communication Data; Contact Data; Identity Data; Location Data; Technical Data; Usage Data	Legitimate interests (business operations and service enhancement) (UK GDPR, Article 6(1)(f))	Necessary to allow for required monitoring and enhancements to deliver high-quality, functional, and reliable services, ensuring ongoing improvement to benefit members and users.
Rights and claims: enforcing terms, exercise rights, defend claims, and comply with laws and regulations	Potentially all data types in scope (as relevant)	Legal Obligation (UK GDPR, Article 6(1)(c))	N/A
Rights and claims: exercising legal rights and defending and / or investigating potential claims	Potentially all data types in scope (as relevant)	Legitimate interests (legal defence and compliance) (UK GDPR, Article 6(1)(f))	Necessary to protect RDG’s legal rights and interests, ensuring compliance with applicable laws and the defence against potential claims when required.
Data analytics: internal data analytics to improve our Websites and services to ensure high quality member relationships, and optimise user experience (excluding the deployment of tracking technologies, including cookies)	Location Data; Technical Data; Usage Data (anonymised or pseudonymised where possible)	Legitimate interests (service and experience improvement) (UK GDPR, Article 6(1)(f))	Necessary to support improvement of our products, services, and the user experience, including by analysing patterns, and optimizing functionality within the Websites. (Excludes data collected via the deployment cookies or similar tracking technologies; see Cookie entries for consented processing under applicable laws, including PECR).
Data subject rights: verifying identity and fulfil data subject rights requests	Potentially all data types in scope	Legal Obligation (UK GDPR, Article 6(1)(c))	N/A
Business acquisition or reorganization: Manage business acquisition, merger, or reorganization	Communication Data; Contact Data; Identity Data; Location Data; Usage Data	Legitimate interests (business continuity) (UK GDPR, Article 6(1)(f))	Necessary to ensure that business operations can continue seamlessly in the event of a merger, acquisition, or reorganization, allowing for the transfer of necessary data in compliance with legal and contractual obligations.
Provision of customer services: including the handling of complaints, queries, communications and other feedback including from Website users (other than where linked to RDG’s provision of products and where not linked or otherwise relating to a contract)	Potentially all data types in scope, depending on the nature of the complaint, query or communication	Legitimate Interest (customer service) (UK GDPR, Article 6(1)(f))	Necessary to provide effective and timely resolution of complaints and queries to improve user experience, ensure service satisfaction, and maintain user trust.
Provision of customer services: including the handling of complaints, queries and other customer and / or Website user feedback and / or communications (where linked to RDG’s provision of products or services or otherwise in relation to a contract)	Potentially all data types in scope, depending on the nature of the complaint, query or communication	Contractual Necessity (UK GDPR, Article 6(1)(b))	N/A
Use of AI technologies to support the effective provision of customer service operations: including complaints, queries, feedback and other communications. Responding to and managing complaints, queries, or feedback and receiving forms submitted via our Websites with the support of AI technologies.	Non-personal data types in scope, depending on the nature of the complaint, query or communication	Legitimate Interest (efficiency of customer service) (UK GDPR, Article 6(1)(f))	Necessary to improve operational efficiency and support staff in delivering efficient customer service.
Use of AI technologies to monitor pedestrian flow at stations: to inform and improve operations, safety, and passenger throughput	Video camera images (blurred) and scan event data	Legitimate Interest (service improvement) (UK GDPR, Article 6(1)(f))	Necessary to optimise station operations, to measure the throughout speed of customers through barriers in order to understand any ticket barrier issues and improve passenger flow and safety.
Payment processing: to include management of payments, fees and charges and collecting and recovering money owed to us.	Contact Data; Eligibility Data; Identity Data; Payment Data; Professional Data	Contractual Necessity (UK GDPR, Article 6(1)(b))	N/A
Conduct of surveys: to gain customer and member insights, satisfaction levels and performance / improvement feedback	Contact Data (Email Address, Postcode, Phone Number) Marketing Data Gender, Age, Region, and Employment Status	Consent (UK GDPR, Article 6(1)(a)) Public Interest (in execution of statutory functions) (UK GDPR, Article 6(1)(e)) Legitimate Interest (customer insight and feedback) (UK GDPR, Article 6(1)(f))	Enhance the user experience across digital channels. Gather feedback on users’ real-world experiences. Measure satisfaction and understand what influences travel behaviour, attraction visits, and spending patterns. Support data driven insights into scheme performance, enhance customer satisfaction, and strengthen partnerships with participating attractions. Support cross industry collaboration by developing a unified view of customer experiences across the sector Understand members’ views of RDG as an organisation, both overall and within their specific areas of engagement. Identify where RDG can make changes to deliver greater value to members. Ensure RDG is focused on strategic and operational priorities.
Marketing: registering for and / or attending an event via our Website or organised or sponsored by us	Contact Data; Marketing Data; Professional Data	Legitimate Interest	Necessary to enable attendance at relevant events and to allow RDG to make required attendance arrangements and issue organisational and follow-up communications.
Rail Staff Travel Privileges: receiving, handling and managing applications for and entitlements to rail staff travel privileges for employees, family members and other dependents	Communication Data; Contact Data; Eligibility Data; Identity Data; Images; Location Data	Contractual Necessity (UK GDPR, Article 6(1)(b))	N/A
Cookies: collection and analysis of information about website usage to improve user experience and functionality of and on our Websites	Technical Data; Usage Data	Legitimate interests (strictly necessary cookies) (UK GDPR, Article 6(1)(f))	Necessary for the operation of the Websites, maintain essential functionality, and ensure a secure and usable user experience
Cookies: collection and analysis of information about website usage to improve user experience and functionality of and on our Websites	Technical Data; Usage Data	Consent (UK GDPR, Article 6(1)(a)) NOTE: Consent is obtained where required by law for non-essential cookies and other tracking technologies	N/A

Your Rights

You have the following rights:

Access: the right to request a copy of the personal data we hold on you. In most cases, this will be free of charge, however in some limited circumstances, for example, repeated requests for further copies, we may apply an administration fee.

Rectification of personal data: this right enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Erasure of personal data: you can ask us to delete or remove your personal information in some circumstances such as where there is no good reason for us to continue to process it.  We may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you.

Restriction of processing personal data: this right enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Objection to processing of personal data: you can ask us to stop processing your personal information, and we will do so, if we are relying on legitimate interests to process your personal information, except if we can show compelling legal grounds for the processing; or if we are processing your personal information for direct marketing purposes.

Automated decision making: you have the right to ask for a decision to be made manually, where a decision is made using automated means and this harmfully affects you. Please, however, note – we do not currently undertake any automated decision making using the personal data we gather in terms of this Notice.

Portability: you have the right to have personal data we hold about you transferred securely to another service provider in electronic form.

In most circumstances, you do not need to pay any charge for exercising your rights. We have one month to respond to you.

To exercise any of your privacy rights, please contact us by filling out our online form or otherwise by contacting us using the contact details set out in the “CONTACT US” section of this Notice.

HOW TO MAKE A COMPLAINT

If you have any concerns about our handling of your personal information or believe your privacy rights have been infringed, you have the right to make a complaint.

We are committed to resolving privacy-related complaints promptly and effectively.

In the event that you would like to make a complaint, we encourage you to contact us directly in the first instance at This email address is being protected from spambots. You need JavaScript enabled to view it. so that we can address any issues promptly and directly with you. However, if you are not satisfied with our response, you also have the right to file a complaint directly with your local privacy regulator. We have provided some contact details for your reference below:

United Kingdom: You can file a complaint with the Information Commissioner’s Office (ICO) via www.ico.org.uk.
European Economic Area (EEA): If you are located in the EEA, you can reach out to your local data protection authority. A list of EEA data protection authorities can be found here.

QUERIES AND FEEDBACK

We welcome your feedback regarding this Notice. If you have questions, comments, or concerns about either one, please contact us by e-mail at This email address is being protected from spambots. You need JavaScript enabled to view it.. We will respond in good faith to all privacy queries.

You may additionally contact us using the contact details given in the “CONTACT US” section above.

UPDATES TO THIS NOTICE

We may modify or amend this Notice from time to time at our discretion to reflect changes in our practices, legal requirements, or for other operational reasons. If we make material changes to this Notice, we will post the updated Notice on our Websites. If required by applicable law, we will also notify you directly or request your consent before the changes take effect. The modified or amended Notice shall be effective as to the personal information governed by this Notice as of the revision date.

The date this Notice was last revised is identified at the top of the page.

We encourage periodic review of this Notice to view any updates, so that you may stay informed about how we protect your personal information.