Cookies - we do not use cookies to store personal information about you, we only use them to improve our website for you. For more information see our Cookie & Privacy Policy page.

Search form
Skip Navigation LinksMerseytravel > Data Protection

 Data Protection

Data Protection

Merseytravel is committed to processing your personal information in a responsible, secure and transparent way. On 25th May 2018, the General Data Protection Regulation (GDPR) was introduced across Europe, replacing the Data Protection Act 1998 as the law governing how personal information is handled.
Personal information is anything that relates to a living, identifiable individual, either on its own or when combined with other information.

The GDPR is based around six Principles, which ensure that personal information will be:

  • processed fairly, lawfully and in a transparent manner
  • collected for a specified, explicit and legitimate purpose
  • adequate, relevant and limited to what is necessary for that purpose
  • accurate and, where necessary, kept up to date
  • not kept for in an identifiable form for longer than is necessary
  • protected by appropriate security and measures


In addition, the GDPR provides you with the following rights when it comes to your personal data:

  1. the right to be informed how your personal data is being processed
  2. the right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (i.e. photocopying, postage, etc.)
  3. the right to rectification of any incorrect or incomplete data we hold about you
  4. the right to erasure, also known as ‘the right to be forgotten’, where
     - your information is no longer required for the purpose it was collected
     - you withdraw your consent
     - you object to Merseytravel processing your information (and there is no overriding legitimate interest for continuing
       the processing)
     - Merseytravel has breached the GDPR when processing your data
     - there is a legal obligation to delete the data (such as a court order)
  • the right to restrict processing, which limits what Merseytravel can do with your information
  • the right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse
  • the right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics. 
  • the rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.

As mentioned above, one of your rights is to receive copies of any personal data that is held about you through, such as CCTV images or Walrus travel card data. This is known as a ‘subject access request’.
You are required to provide proof of your identity or, if you are making a requester on behalf of someone else (such as an insurance company asking for CCTV footage of an incident involving their client) proof that you are authorised to receive their information. Merseytravel will respond within one month.

Subject Access Requests

For details of how to submit a subject access request, exercise any of your other rights or if you have any other questions about the GDPR, please contact
You also have the right to complain to the Information Commissioner if you believe that Merseytravel have failed to fulfil our legal obligations. Contact details for the Commissioner, along with guidance on the legislation, can be found at
All of Merseytravel’s Fair Processing Notices can be found here.
You can view Merseytravel’s Data Protection Policy here and CCTV Code of Practice her​e​.