Transportation Claims Limited - Privacy Policy

ON THE MOVE: THIS IS WHAT YOU NEED TO KNOW

We always recommend that our customers read this privacy policy in full. It explains who we are, how and why we collect personal data from you, how and why it will be processed by us and our commitment to protecting your data.

But just in case you're on the move or do not have time to read it in full we have summarised the key points for you in our 'speed read' section below.

Transportation Claims Limited (TCL, we, our or us) is a subsidiary of FirstGroup plc. We are registered as a data controller with the Information Commissioner's Office and our registration number is Z132705X.
We have appointed a Data Protection Officer. They are responsible for our approach to data protection and protecting your privacy. You can contact them at TCL.DPO@firstgroup.co.uk.
We process (i.e. handle) your personal data to provide services to you or our clients. Under data protection laws, we are only permitted to process your personal data where we have a legal basis for doing so. We will only ever process your personal data in compliance with applicable law.
We may share your personal data with our third party suppliers, including insurers, solicitors, investigators, accident management providers, government agencies, counter fraud and law enforcement agencies to enable the efficient and secure provision of services to you or our clients. Except as explained in this privacy policy, we will not share your data with third parties without your consent unless required to do so by law or for fraud prevention.
We will keep your data for as long as we need it. How long we need your personal data depends on what we are using it for, whether that is to provide services to you or our clients, for our own legitimate interests (described below) or so that we can comply with the law. We will actively review the information we hold and when there is no longer a customer, legal or business need for us to hold it, we will either delete it securely or in some cases anonymise it.
We may transfer your personal data to a recipient located outside of the United Kingdom (UK). If we do this, we will ensure that the transfer mechanism provides an adequate level of protection, which has been recognised by the United Kingdom.
You have important rights under laws aimed at protecting your personal data. This policy sets out your rights and how can you exercise them. For more information, click here. You also have the right to make a complaint to the Information Commissioner's Office if you are unhappy with how we have handled your personal data. For more information click here.

ABOUT TRANSPORTATION CLAIMS LIMITED
This section sets out who we are. It provides some useful information about us including our company number, registered address and data controller registration number (provided by the Information Commissioner's Office).
ABOUT THIS PRIVACY POLICY
This section tells you when this privacy policy applies (e.g. when you communicate with us). It also lets you know how and when we will communicate updates of this privacy policy to you.
WHAT PERSONAL DATA DO WE COLLECT ABOUT YOU?
This section informs you of exactly what personal data we collect about you and why. This includes information that is provided to us directly by you as well as information that we gather from FirstGroup and information that we receive from other sources.
HOW IS YOUR PERSONAL DATA COLLECTED?
This section explains to you the different ways in which we will collect the personal data that you provide to us.
PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA
This section explains the purposes for which we will use your personal data we hold. We also set out what we consider to be the legal basis for processing your personal data for each purpose, this is to ensure that you have all the information that we are required to provide you by law.
COMMUNICATIONS
This section explains how we will ensure that you only receive communications that you may wish to receive. We will ensure that you have total control over the information that you receive.
WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA?
This section explains which of our employees will have access to your personal data. It also explains the reason for our employees accessing your personal data.
WHO ELSE MIGHT WE SHARE YOUR PERSONAL DATA WITH?
This section informs you of who we share your personal data with. It also explains the reason for sharing; this is largely so that we can provide our services to you or our clients.
HOW DO WE PROTECT YOUR PERSONAL DATA?
This section explains how we keep your personal data safe and where it will be held. It also explains how we may process your personal data outside of the United Kingdom, but that we will only do so using recognised mechanisms which offer an adequate level of protection.
HOW LONG DO WE KEEP YOUR PERSONAL DATA?
This section explains the length of time that we will retain your personal data. It also explains why we would hold your personal data for such time periods.
WHAT ARE YOUR RIGHTS?
This section explains that you have rights in relation to your personal data. It also explains what these rights are and how you can go about exercising them.
WHO CAN YOU ASK FOR MORE INFORMATION?
This section provides you with contact information should you have any questions or concerns about the way we handle your personal data. It also explains how you can contact the data protection regulator should you be unsatisfied with our response to your data protection issues.

1 ABOUT TRANSPORTATION CLAIMS LTD

Transportation Claims Ltd (TCL, we, our or us) is a company registered in England and Wales under company number 02149400 whose registered office is at The Point, 37 North Wharf Road, London W2 1AF.

We are registered as a data controller with the Information Commissioner's Office and our registration number is Z132705X.

2 ABOUT THIS PRIVACY POLICY

This privacy policy applies to the personal data we collect about you by post, by telephone and when you otherwise communicate with us. It also applies to information that we receive about you from FirstGroup plc and its subsidiaries (FirstGroup), as further explained below.

This privacy policy may change from time to time, and if it does, the up-to-date version will always be available on our Website.

3 WHAT PERSONAL DATA DO WE COLLECT ABOUT YOU?

This section informs you of what information we collect about you and why. Personal data means any information about an individual from which that individual can be identified.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data includes first name, surname, username or similar identifier, marital status, title, date of birth, gender, photographic evidence and CCTV footage.
Contact Data includes email address, postal address and telephone numbers.
Financial Data includes bank account details for settlement payments, payment card details used to purchase products or services from FirstGroup and information to investigate or validate claims.
Transaction Data includes details as to your journeys, details about payments to and from you and other details of products and services you have purchased from FirstGroup.
Health Data includes information relating to any medical condition, mobility and disability status or injury.
Communications Data includes your communication preferences.

Special Category Data includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We do not seek to collect or otherwise process your Special Category Data, except where:

the processing is necessary for compliance with a legal obligation;
the processing is necessary for the detection or prevention of crime (including the prevention of fraud) to the extent permitted by applicable law;
you have manifestly made those Special Category Data public;
the processing is necessary for the establishment, exercise or defence of legal rights; or
processing is necessary for reasons of substantial public interest and occurs on the basis of an applicable law that is proportionate to the aim pursued and provides for suitable and specific measures to safeguard your fundamental rights and interests.

4 HOW IS YOUR PERSONAL DATA COLLECTED?

We use different methods to collect data from and about you including through:

Direct interactions:

We collect personal data about you when you correspond with us directly by telephone, email or otherwise. This includes information you voluntarily provide and/or when you:

report or witness an incident;
issue a claim against FirstGroup;
request information about the status of your claim or investigation; or
report a problem with our service or give us feedback

No automated decision-making or profiling will take place using your personal data.

Information we receive from other sources:

We may receive information about you from FirstGroup, representatives acting on your behalf, insurers, solicitors, investigators, accident management providers, counter fraud and law enforcement authorities.

The information provided from FirstGroup may include CCTV or recordings made by on-demand audio recording and body worn video (BWV) cameras. FirstGroup employs such cameras to capture, record and monitor what takes place at its offices, stations, car parks and on its services in order to help provide a safe environment for both their employees and customers, reduce the number of assaults on its employees and prevent, deter and detect crime. The footage may be shared with us to assist with our investigation of any claim.

When we receive information from other sources, we rely on them having the appropriate provisions in place telling you how they collect data and who they may share it with. We carefully check our sources to ensure that we only receive your information when it is lawful for us to do so.

5 PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA

This section explains how we will use personal data you provide to us in order to carry out the activities relevant to the provision of our services to you or our clients.

We must have a legal basis for processing your personal data. We consider that we have a legal basis where:

you have given us consent to do so for the specific purposes which we have told you about;
it is necessary for us to do so to enable us to provide you with the services that you or our clients have requested from us - for example, contacting you about the status of your claim or investigation;
it is necessary in order to fulfil our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
it is necessary for the establishment, exercise or defence of legal claims; or
the law otherwise permits or requires it.

Where we process your personal data on the basis of our legitimate interests, these are our (or our third party's) interests in providing our services to you or our clients in an efficient and secure manner.

We have set out below a list of all the ways we may use your personal data and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.

In some cases we may use more than one legal basis for processing your personal data; this will depend on the specific purpose for which we are using your personal data. Please contact us if you have any queries about the specific legal basis that we rely on for processing your personal data.

What we use your personal data for (purpose)	Type of data	Legal basis for processing (including basis of legitimate interest)
To investigate and/or process your claim which will include: a) establishing the facts; b) speaking with witnesses, medical teams, supervisors and management; and c) collecting and viewing evidence; and d) offering and providing our service, liaising with representative acting on your behalf and providing services to assist with rehabilitation or accident repairs.	(a) Identity (b) Contact (c) Health (d) Financial (e) Transactional (f) Communications	(a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interest (for incident and safety management, fraud prevention and for the purpose of establishing, exercising or defending our legal rights)
To manage our relationship with you which will include: a) managing payments, paying refunds or compensation; b) collecting and recovering money owed to us or FirstGroup; c) provide you with the information, that you request from us; d) notifying you about changes to our services or privacy policy; and e) asking you to leave a review or take a survey	(a) Identity (b) Contact (c) Financial (d) Transactional (e) Health (f) Communications	(a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to pay compensation owed to you)
To administer and protect our business (including training our employees, troubleshooting, data analysis, testing, system maintenance, security audits, support, reporting and hosting of data).	(a) Identity (b) Contact (c) Financial (d) Transactional (e) Health (f) Communications	(a) Necessary for our legitimate interest (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation
To establish, exercise and defend our legal rights	(a) Identity (b) Contact (c) Financial (d) Transactional (e) Health (f) Communications	(a) Necessary for compliance with a legal obligation (b) Necessary for our legitimate interest (for the purpose of establishing, exercising or defending our legal rights)

6 COMMUNICATIONS

This section is to explain how we will ensure that you only receive communications that you wish to receive.

As detailed in the table at section 5, we may send you communications such as those which relate to any information that you request from us, the offer of our services or the collection of debt (e.g. updates of your claim's status). We consider that we can lawfully send these communications to you as we have a legitimate interest to do so, namely to effectively provide the best service we can.

7 WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA

This section is to explain who, within TCL, will have access to your data. Your personal data will only be seen or used by our employees who have a legitimate business need to access your personal data for the purposes set out in this privacy policy.

We take your privacy seriously and have implemented appropriate physical, technical and organisational security measures designed to secure your personal data against accidental loss, destruction or damage and unauthorised access, use, alteration or disclosure. This section explains how we keep your personal data safe and where it will be held.

8 WHO ELSE MIGHT WE SHARE YOUR PERSONAL DATA WITH

This section will inform you of who we share your personal data with and why. Except as explained in this privacy policy, we will not share your personal data without your consent unless required to do so by law.

We may share your personal data with you, and where appropriate, your family, your associates and your representatives.

We may share your personal data with any member of our group which means our ultimate holding company (FirstGroup plc) and its subsidiaries as defined in section 1159 of the UK Companies Act 2006.

We may share your personal data with the following third-parties who assist us with administering the provision of our service to our clients:

business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you;
law enforcement authorities, government agencies or other rail and road industry bodies including but not restricted to the Office of Rail and Road, other Rail Operators, Network Rail, Transport Focus, the Department for Transport, Transport for the North and London TravelWatch, DVLA, MIAFTR, Motor Insurers Bureau, Department for Work and Pensions and the Insurance Fraud Bureau, in order to comply with our legal and regulatory obligations and to help resolve complaints or other issues which may relate to incident and safety management; process claims and prevent fraud;
agents we engage to perform functions on our behalf including sending communications, investigating incidents, processing claims and payments, recovering debts, providing marketing assistance, researching customer satisfaction and providing customer service. They have access to personal data needed to perform their functions, but may not use it for other purposes.

If a business transfer or change of business ownership takes place or is envisaged we may transfer your personal data to the new owner (or a prospective new owner). If this happens, you will be informed of this transfer.

9 HOW DO WE PROTECT YOUR PERSONAL DATA?

This section explains how we keep your personal data safe and where it will be held.

We take your privacy seriously and are committed to maintaining the privacy and security of your personal data, and the choices you have regarding our collection and use of your personal data.

Once we have received your personal data, we follow strict security procedures as to how your personal data is stored and used, and who sees it, to help stop any unauthorised access.

The information that we collect from you may be transferred to, and stored at, a destination outside the United Kingdom (UK). When we transfer and store your personal data outside of the UK we will ensure that it is adequately protected by using appropriate safeguards as further detailed below.

Staff operating outside the UK who work for us, or one of our suppliers, may process the information. Such staff may be engaged in, among other things, the provision of support services.

Where your personal data is transferred from the UK to a recipient outside the UK in a country not recognised by the United Kingdom as providing an adequate level of protection for personal data, such transfer shall be covered by a framework recognised by the relevant authorities or courts as providing an adequate level of protection for personal data including but not limited to:

Standard Contractual Clauses (the agreement in the form annexed to the European Commission's decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which can be found here); or
The EU-US Privacy Shield Framework.

Unfortunately, the transmission of your personal data via the internet is not completely secure and although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us over the internet and you acknowledge that any transmission is at your own risk.

10 HOW LONG DO WE KEEP YOUR PERSONAL DATA

This section explains the length of time that we will retain your personal data.

We will keep your personal data for no longer than is necessary for the purposes for which it was obtained. The criteria for determining the duration for which we will retain your personal data are as follows:

(1) we will retain your personal data in a form that permits identification only for as long as:

we maintain an ongoing relationship with you; or
your personal data is necessary in connection with the lawful purposes set out in this policy for which we have a valid legal basis.

plus

(2) the duration of:

any limitation period under applicable law (i.e. any period during which any person could bring a legal claim against us in connection with your personal data, or to which your personal data may be relevant); or
an additional reasonable period following the end of such applicable limitation period.

and

(3) in addition, if any relevant legal claims are brought, we may continue to process your personal data for such additional periods as are necessary in connection with that claim.

During the periods in paragraphs (2)a and (2)b above, we will restrict our processing of your personal data to the storage of, and maintaining the security of, those data, except to the extent that those data need to be reviewed in connection with any legal claim, fraud prevention requirement or obligation under applicable law.

After this period your personal data will be anonymised so that you are no longer identified or identifiable from such information, or securely deleted/destroyed.

Any third parties that we engage will keep your data stored on their systems for as long as is necessary to provide the relevant services to you or our clients. If we end our relationship with any third party providers, we will make sure, subject to any applicable laws and their retention policies that they securely delete or return your personal data to us.

11 WHAT ARE YOUR RIGHTS?

This section explains that you have a number of rights in relation to your personal data. There are circumstances in which your rights may not apply. You have the right to request that we:

provide you with a copy of the information we hold about you;
update any of your personal information if it is inaccurate or out of date;
delete the personal data we hold about you;
restrict the way in which we process your personal data;
stop processing your data if you have valid objections to such processing; and
transfer your personal data to a third party.

For more information on your rights and how to use them, or if you would like to make any of the requests set out above, please contact us using the details provided in this section. We will respond to all such requests within the time period required by law. Occasionally it may take us longer than a month if your request is particularly complex, you have made a number of requests or you have not supplied the information we need to respond to you. In this case, we will notify you and keep you updated.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

12 WHO CAN YOU ASK FOR MORE INFORMATION

If you have any questions or concerns about how we handle your personal data, you can contact us using any one (or more) of the following:

Post: Transportation Claims Ltd. Aquis House, 49-51 Blagrave Street, Reading, Berkshire, RG1 1PL
Email: gdpr@transportationclaims.co.uk Please note this email address is for GDPR / Data Protection matters. For claim related matters please email: admin@transportationclaims.co.uk
Telephone: 0870 162 9002

We have appointed a Data Protection Officer. They are responsible for our approach to data protection and protecting your privacy. You can contact them at TCL.DPO@firstgroup.co.uk.

If you are unsatisfied with our response to any data protection issues you raise with us or our DPO, you have the right to make a complaint to the ICO. The ICO is the authority in the UK which is tasked with the protection of personal data and privacy.

Transportation Claims Limited - Privacy Policy

ON THE MOVE: THIS IS WHAT YOU NEED TO KNOW

CONTENTS

ABOUT TRANSPORTATION CLAIMS LIMITED

ABOUT THIS PRIVACY POLICY

WHAT PERSONAL DATA DO WE COLLECT ABOUT YOU?

HOW IS YOUR PERSONAL DATA COLLECTED?

PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA

COMMUNICATIONS

WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA?

WHO ELSE MIGHT WE SHARE YOUR PERSONAL DATA WITH?

HOW DO WE PROTECT YOUR PERSONAL DATA?

HOW LONG DO WE KEEP YOUR PERSONAL DATA?

WHAT ARE YOUR RIGHTS?

WHO CAN YOU ASK FOR MORE INFORMATION?