Fair Processing Notice
Merseytravel is committed to processing your personal information in a clear and transparent manner. The Fair Processing Notices detail how your data is handled as part of our activities.
Identify and contact details of the controller and where applicable, the controller’s representative and the data protection officer
The Liverpool City Region Combined Authority (‘the CA’) is the ‘controller’ for your personal information.
This means that we decide the purpose and means of how your data is used as part of our Comments system.
If you have any questions about how your information is being used you can contact the CA’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used by the CA to administer and respond to your Comments, and we are able to do this as part of our official functions and for the reasons of substantial public interest under the Transport Act.
Description of the categories of personal data
You have the option of contacting us anonymously if you choose.
This will, however, mean that we are unable to respond to your enquiry.
If you would like to receive a response, the categories of information being processed include your name, preferred method of contacting you (email address, postal address or phone number) and any personal opinions expressed in your correspondence with us.
In addition, depending on the nature of your enquiry we may also process some ‘special categories’ of your personal data, such as information related to your:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- data concerning health
- sex life or sexual orientation
Any recipient or categories of recipients of the personal data
You will be given the option of allowing the CA to share your information with third parties relevant to your enquiry (such as bus operators) for the purposes of responding to you.
Should our comments system require support or maintenance, your data may also be accessed by our service provider, Sunrise Software Limited, in order to address any issues. Your data will not be used for any other purpose.
Retention period or criteria used to determine the retention period
Your data will be kept for a period of one year from the date of your initial enquiry.
This retention has been determined by the CA’s business need.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal data:
- The right to be informed how your personal data is being processed
- The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (i.e. photocopying, postage, etc.).
- The right to rectification of any incorrect or incomplete data we hold about you
- The right to erasure, also known as ‘the right to be forgotten’, where
- Your information is no longer required for the purpose it was collected
- You withdraw your consent
- You object to the CA processing your information (and there is no overriding legitimate interest for continuing the processing)
- The CA has breached the GDPR when processing your data
- There is a legal obligation to delete the data (such as a court order)
- The right to restrict processing, which limits what the CA can do with your information
- The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse
- The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Disabled Persons Travel for Severe Mental Disorder Fair Processing Notice
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of administration of the English National Concessionary Travel Scheme for Disabled Persons Travel Passes.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Your information is being used by Merseytravel to administer the Disabled Persons Travel Passes and we are able to do this due to a legal obligation that we have in line with Department for Transport Guidance and under section 92of the Road Traffic Act 1988 and the Transport Act 2008.
In the case of sensitive/special categories of personal data, our legal basis for processing is based on reasons of substantial public interest, namely Merseytravel’s obligations under the Transport Act 2008.
The categories of information being processed include your name, address, postcode, photograph, date of birth, contact telephone number, email address, carer or guardians contact details, information in relation to your disability under one of the seven categories and your signature. In addition we also process some special categories of your personal data such as information related to your data concerning health.
Your information will be shared with partners such as the Department for Transport for the purposes of administration of the English National Concessionary Travel Scheme.
Your data will be kept for a period of 5 years from the date of application. This retention has been determined by the legal requirement of the Transport Act 2008 to facilitate the English National Concessionary Travel Scheme.
The GDPR provides you with the following rights when it comes to your personal data:
The right to be informed how your personal data is being processed.
The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (ie photocopying, postage, etc).
The right to rectification of any incorrect or incomplete data we hold about you.
The right to erasure, also known as ‘the right to be forgotten’, where:
your information is no longer required for the purpose it was collected;
you withdraw your consent;
you object to Merseytravel processing your information (and there is no overriding legitimate interest for continuing the processing);
Merseytravel has breached the GDPR when processing your data;
there is a legal obligation to delete the data (such as a court order).
The right to restrict processing, which limits what Merseytravel can do with your information.
The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse.
The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Merseytravel is required to process your information in accordance with statutory requirements as detailed within the Department for Transport Guidance and Transport Act 2008. Failure to provide your personal data would lead to the inability for Merseytravel to process your application and participation in the English National Concessionary Travel Scheme.
Disabled Persons Travel Pass Fair Processing Notice
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of administration of the English National Concessionary Travel Scheme for Disabled Persons Travel Passes.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Your information is being used by Merseytravel to administer the Disabled Persons Travel Passes and we are able to do this due to a legal obligation that we have in line with Department for Transport Guidance and the Transport Act 2008.
In the case of sensitive/special categories of personal data, our legal basis for processing is based on reasons of substantial public interest, namely Merseytravel’s obligations under the Transport Act 2008.
The categories of information being processed include your name, address, postcode, photograph, date of birth, contact telephone number, email address, carer or guardians contact details, information in relation to your disability under one of the seven categories and your signature. In addition we also process some special categories of your personal data such as information related to your data concerning health.
Your information will be shared with partners such as the Department for Transport for the purposes of administration of the English National Concessionary Travel Scheme.
For online submissions details are securely stored and under strict access control. Your application form and supporting evidence is retained for 6 months and then automatically deleted. Your data will be kept for a period of 5 years from the date of application.
This retention has been determined by the legal requirement of the Transport Act 2008 to facilitate the English National Concessionary Travel Scheme.
The GDPR provides you with the following rights when it comes to your personal data:
- The right to be informed how your personal data is being processed
- The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (ie photocopying, postage, etc).
- The right to rectification of any incorrect or incomplete data we hold about you
- The right to erasure, also known as ‘the right to be forgotten’, where:
- your information is no longer required for the purpose it was collected;
- you withdraw your consent;
- you object to Merseytravel processing your information (and there is no overriding legitimate interest for continuing the processing);
- Merseytravel has breached the GDPR when processing your data;
- there is a legal obligation to delete the data (such as a court order).
- The right to restrict processing, which limits what Merseytravel can do with your information
- The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse
- The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Merseytravel is required to process your information in accordance with statutory requirements as detailed within the Department for Transport Guidance and Transport Act 2008. Failure to provide your personal data would lead to the inability for Merseytravel to process your application and participation in the English National Concessionary Travel Scheme.
English National Concessionary Travel Scheme - Merseytravel Fair Processing Notice
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of administration of the English National Concessionary Travel Scheme.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Your information is being used by Merseytravel to administer the English National Concessionary Travel Scheme and we are able to do due to a legal obligation that we have in line with Department for Transport Guidance the Transport Act 2008.
In the case of sensitive/special categories of personal data, our legal basis for processing is based on reasons of substantial public interest, namely Merseytravel’s obligations under the Transport Act 2008.
The categories of information being processed include your name, address, postcode, photograph, date of birth, contact telephone number, email address, proof of residence, proof of age and your signature.
Your information will be shared with partners such as the Department for Transport for the purposes of administration of the English National Concessionary Travel Scheme.
For online submissions details are securely stored and under strict access control. Your application form and supporting evidence is retained for 6 months and then automatically deleted. Your data will be kept for a period of 5 years from the date of application.
This retention has been determined by the legal requirement of the Transport Act 2008 to facilitate the English National Concessionary Travel Scheme.
The GDPR provides you with the following rights when it comes to your personal data:
- The right to be informed how your personal data is being processed
- The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (ie photocopying, postage, etc).
- The right to rectification of any incorrect or incomplete data we hold about you
- The right to erasure, also known as ‘the right to be forgotten’, where:
- your information is no longer required for the purpose it was collected;
- you withdraw your consent;
- you object to Merseytravel processing your information (and there is no overriding legitimate interest for continuing the processing);
- Merseytravel has breached the GDPR when processing your data;
- there is a legal obligation to delete the data (such as a court order).
- The right to restrict processing, which limits what Merseytravel can do with your information.
- The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse.
- The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Merseytravel is required to process your information in accordance with statutory requirements as detailed within the Department for Transport Guidance. Failure to provide your personal data would lead to the inability for Merseytravel to process your application and participation in the English National Concessionary Travel Scheme.
Mersey Tunnels Concessionary Travel T-FLOW – Fair Processing Notice
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of administering the Mersey Tunnels Concessionary Travel TFLOW scheme.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at:
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Your information is being used by Merseytravel to administer the Mersey Tunnels Concessionary Travel TFLOW Scheme and we are able to do this as part of a contract with you.
The categories of information being processed include your name, address, postcode, contact telephone number, email address, Vehicle Registration Number (VRN), vehicle make and vehicle colour, and signature.
Your information will be shared with partners for the purposes of administration of the scheme.
Your data will be kept for a period of 6 years from the date of application. This retention has been determined by Merseytravel in line with requirements of HM Revenue & Customs in respect of Income Tax, National Insurance and VAT transactions.
Merseytravel use Vehicle Registration Number (VRN) to establish the toll classification for your vehicle for TFLOW (pay by plate). This information will be held on our database to ensure that you are charged the appropriate toll when your vehicle presents at the toll lane.
The GDPR provides you with the following rights when it comes to your personal data:
· The right to be informed how your personal data is being processed
· The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (i.e. photocopying, postage, etc).
· The right to rectification of any incorrect or incomplete data we hold about you
· The right to erasure, also known as ‘the right to be forgotten’, where
· Your information is no longer required for the purpose it was collected
· You withdraw your consent
· You object to Merseytravel processing your information (and there is no overriding legitimate interest for continuing the processing)
· Merseytravel has breached the GDPR when processing your data
· There is a legal obligation to delete the data (such as a court order)
· The right to restrict processing, which limits what Merseytravel can do with your information
· The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse
· The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
· Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF www.ico.gov.uk
0303 123 1113
Merseytravel is required to process your information in accordance with contractual requirement with you. Failure to provide your personal data would lead to the inability for Merseytravel to process your application for concessionary travel through Mersey Tunnels and participation in the Mersey Tunnels Concessionary TFLOW Scheme.
Fast Tag – Fair Processing Notice
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of administering the Mersey Tunnels Fast Tag Scheme.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at:
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Your information is being used by Merseytravel to administer the Mersey Tunnels Fast Tag Scheme and we are able to do this as part of a contract with you.
The categories of information being processed include your name, address, postcode, contact telephone number, email address, Direct Debit details and signature.
Your information will be shared with partners for the purposes of administration of the scheme.
Your data will be kept for a period of 6 years from the date of application. This retention has been determined by Merseytravel in line with requirements of HM Revenue & Customs in respect of Income Tax, National Insurance and VAT transactions.
For customers wishing to register for the Liverpool City Region Residents Discount Scheme, proof of eligibility is required. Merseytravel use agencies to verify and confirm your residency and identity.
If this is not possible for any reason we will ask you to provide the following evidence to support your application;
Your current UK Driving Licence, Council Tax or Utility Bill and Vehicle Registration Document V5C or Lease Agreement.
These documents will be uploaded via secure link and retained for a period of 12 months. Unsuccessful applications will be held for 3 months.
The GDPR provides you with the following rights when it comes to your personal data:
The right to be informed how your personal data is being processed
The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (ie photocopying, postage, etc).
The right to rectification of any incorrect or incomplete data we hold about you
The right to erasure, also known as ‘the right to be forgotten’, where:
your information is no longer required for the purpose it was collected;
you withdraw your consent;
you object to Merseytravel processing your information (and there is no overriding legitimate interest for continuing the processing);
Merseytravel has breached the GDPR when processing your data;
there is a legal obligation to delete the data (such as a court order).
The right to restrict processing, which limits what Merseytravel can do with your information
The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse
The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Merseytravel is required to process your information in accordance with contractual requirement with you. Failure to provide your personal data would lead to the inability for Merseytravel to process your application and participation in the Mersey Tunnels Fast Tag Scheme.
Mersey Tunnels T-FLOW – Fair Processing Notice
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of administering the Mersey Tunnels TFLOW Scheme.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Your information is being used by Merseytravel to administer the Mersey Tunnels TFLOW Scheme and we are able to do this as part of a contract with you.
The categories of information being processed include your name, address, postcode, contact telephone number, email address, Vehicle Registration Number (VRN), vehicle make and vehicle colour, Direct Debit details and signature.
Your information will be shared with partners for the purposes of administration of the scheme.
Your data will be kept for a period of 6 years from the date of application. This retention has been determined by Merseytravel in line with requirements of HM Revenue & Customs in respect of Income Tax, National Insurance and VAT transactions.
Merseytravel use Vehicle Registration Number (VRN) to establish the toll classification for your vehicle for pay by plate. This information will be held on our database to ensure that you are charged the appropriate toll when your Vehicle presents at the toll lane.
The GDPR provides you with the following rights when it comes to your personal data:
- The right to be informed how your personal data is being processed
- The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (i.e. photocopying, postage, etc).
- The right to rectification of any incorrect or incomplete data we hold about you
- The right to erasure, also known as ‘the right to be forgotten’, where
- Your information is no longer required for the purpose it was collected
- You withdraw your consent
- You object to Merseytravel processing your information (and there is no overriding legitimate interest for continuing the processing)
- Merseytravel has breached the GDPR when processing your data
- There is a legal obligation to delete the data (such as a court order)
- The right to restrict processing, which limits what Merseytravel can do with your information
- The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse
- The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
0303 123 1113
Merseytravel is required to process your information in accordance with contractual requirement with you. Failure to provide your personal data would lead to the inability for Merseytravel to process your application and participation in the Mersey Tunnels TFLOW Scheme.
Concessionary Fast Tag Fair Processing Notice
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of the administration of the Mersey Tunnels Concessionary Fast Tag Scheme.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at:
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Your information is being used by Merseytravel to administer the Mersey Tunnels Concessionary Fast Tag Scheme and we are able to do this as part of our functions under the Transport Act 2008.
In the case of sensitive/special categories of personal data, our legal basis for processing is based on reasons of substantial public interest, namely Merseytravel’s obligations under the Transport Act 2008.
The categories of information being processed include your name, address, postcode, email address, telephone number, date of birth, photograph, vehicle registration number, disabled persons blue badge number and proof of eligibility for this concession, along with your signature.
Your information will be shared with partners for the purposes of administration of the scheme.
Your data will be kept for a period of 3 years from the date of application. This retention has been determined by Merseytravel’s business needs and in line with Local Authorities Blue Badge scheme.
The GDPR provides you with the following rights when it comes to your personal data:
The right to be informed how your personal data is being processed.
The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (i.e. photocopying, postage, etc).
The right to rectification of any incorrect or incomplete data we hold about you.
The right to erasure, also known as ‘the right to be forgotten’, where:
your information is no longer required for the purpose it was collected;
you withdraw your consent;
You object to Merseytravel processing your information (and there is no overriding legitimate interest for continuing the processing);
Merseytravel has breached the GDPR when processing your data;
There is a legal obligation to delete the data (such as a court order).
The right to restrict processing, which limits what Merseytravel can do with your information.
The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse.
The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Merseytravel is required to process your information in accordance with our functions under the Transport Act 2008. Failure to provide your personal data would lead to the inability for Merseytravel to process your application and participation in the Mersey Tunnels Concessionary Fast Tag Scheme.
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of the administration of the Merseylink Scheme.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at:
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Your information is being used by Merseytravel to administer the Merseylink Scheme to process your application and we are able to do this as part of our functions under the Transport Act 2008.
In the case of sensitive/special categories of personal data, our legal basis for processing this data is based on reasons of substantial public interest, namely Merseytravel’s obligations under the Transport Act 2008.
The categories of information being processed include your name, address, postcode, contact telephone number, email address, date of birth, emergency contact name, photograph, proof of eligibility and mobility needs and signature.
Your information will be shared with partners such as our service providers for the purposes of administration of the scheme.
For online submissions details are securely stored and under strict access control. Your application form and supporting evidence is retained for 1 months and then automatically deleted. Your data will be kept for a period of 5 years from the date of application. This retention has been determined by Merseytravel’s business need.
The GDPR provides you with the following rights when it comes to your personal data:
- The right to be informed how your personal data is being processed.
- The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (ie photocopying, postage, etc).
- The right to rectification of any incorrect or incomplete data we hold about you
- The right to erasure, also known as ‘the right to be forgotten’, where:
- your information is no longer required for the purpose it was collected;
- you withdraw your consent;
- you object to Merseytravel processing your information (and there is no overriding legitimate interest for continuing the processing);
- Merseytravel has breached the GDPR when processing your data;
- there is a legal obligation to delete the data (such as a court order).
- The right to restrict processing, which limits what Merseytravel can do with your information
- The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse
- The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Merseytravel is required to process your information in accordance with Merseylink Terms and Conditions. Failure to provide your personal data would lead to the inability for Merseytravel to process your application and participation in the Merseylink Scheme.
Fair Processing Notice – FOI & EIR Requests
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer Merseytravel is the ‘controller’ for your personal information. This means that we decide the purpose and means of how your data is used in the administration of your request.
If you have any questions about how your information is being used you can contact
Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used by Merseytravel to process your request under either the Freedom of Information Act (FOIA) or the Environmental Information Regulations
(EIR), and we are able to do this as it is necessary in the exercise of official authority vested in Merseytravel by the legislation.
Description of the categories of personal data
The categories of information being processed include your name and address for correspondence. As FOIA and EIR do not allow the use of pseudonyms, it may on occasion be necessary for Merseytravel to process additional personal data in order to verify your identity. It is not anticipated that this will include any special categories of your personal data,
which are defined as information related to your
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data (i.e. DNA data)
- biometric data (i.e. finger prints)
- data concerning health
- sex life or sexual orientation
Retention period or criteria used to determine the retention period
Your data will be kept for a period of two years from the date of your request. This retention has been determined by Merseytravel’s business need.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal data:
- The right to be informed how your personal data is being processed
- The right of access to the personal data we hold about you, which includes
providing copies of the information to you within one month of a request. We
may charge a reasonable fee to provide this information based on our
administrative costs of responding (i.e. photocopying, postage, etc.). - The right to rectification of any incorrect or incomplete data we hold about you
- The right to erasure, also known as ‘the right to be forgotten’, where
Your information is no longer required for the purpose it was collected
You withdraw your consent
You object to Merseytravel processing your information (and there is
no overriding legitimate interest for continuing the processing)
Merseytravel has breached the GDPR when processing your data
There is a legal obligation to delete the data (such as a court order) - The right to restrict processing, which limits what Merseytravel can do with
your information - The right to data portability, where any automated processing of your
information based on your consent or as part of a contract is made available
for your reuse - The right to object to direct marketing or any processing based on the
performance of a task in the public interest/exercise of official authority or for
the purposes of scientific/historical research and statistics. - Rights in relation to automated decision making and profiling, where a
decision made by a computer has a legal or significant effect on you.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data [where applicable] Merseytravel is required to process your information in accordance with the FOIA and EIR. Failure to provide your personal data would lead to Merseytravel not being
able to process and respond to your enquiry.
Fair Processing Notice – Subject Access Requests
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer
Merseytravel is the ‘controller’ for your personal information. This means that we decide the purpose and means of how your data is used in the administration of your
request.
If you have any questions about how your information is being used you can contact
Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used by Merseytravel to process your subject access request under the General Data Protection Regulation (GDPR), and we are able to do this as it is necessary in the exercise of official authority vested in Merseytravel by the legislation.
Should it be necessary for you to provide any special categories of personal data, our legal basis for processing it is the substantial public interest based in UK/EU law, namely the GDPR.
Description of the categories of personal data
The categories of information being processed include your name, address for correspondence, and any further details used by you to verify your identity.
It is not anticipated that this will include any special categories of your personal data, which are defined as information related to your
racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data (i.e. DNA data)
biometric data (i.e. finger prints)
data concerning health
sex life or sexual orientation
Retention period or criteria used to determine the retention period
Your data will be kept for a period of two years from the date of your request. This retention has been determined by Merseytravel’s business need.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal
data:
The right to be informed how your personal data is being processed
The right of access to the personal data we hold about you, which includes
providing copies of the information to you within one month of a request. We
may charge a reasonable fee to provide this information based on our
administrative costs of responding (i.e. photocopying, postage, etc.).
The right to rectification of any incorrect or incomplete data we hold about you
The right to erasure, also known as ‘the right to be forgotten’, where
Your information is no longer required for the purpose it was collected
You withdraw your consent
You object to Merseytravel processing your information (and there is
no overriding legitimate interest for continuing the processing)
Merseytravel has breached the GDPR when processing your data
There is a legal obligation to delete the data (such as a court order)
The right to restrict processing, which limits what Merseytravel can do with
your information
The right to data portability, where any automated processing of your
information based on your consent or as part of a contract is made available
for your reuse
The right to object to direct marketing or any processing based on the
performance of a task in the public interest/exercise of official authority or for
the purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling, where a
decision made by a computer has a legal or significant effect on you.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data [where applicable]
Merseytravel is required to process your information in accordance with the GDPR. Failure to provide your personal data would lead to Merseytravel not being able to respond to your subject access request.
Fair Processing Notice – Manchester Ship Canal Cruises
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer
Merseytravel is the ‘controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of your booking on the Manchester Ship Canal Cruise.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used by Merseytravel to process your booking, and we are able to do this due to a legal obligation that we have to comply with Maritime Regulations.
In the case of any special category processing, your information is processed to ensure the equality of opportunity or treatment.
Description of the categories of personal data
The categories of information being processed include your name, postal address and email address.
In addition, we may also process some ‘special categories’ of your personal data, such as information related to your health in order for us to provide you with any necessary assistance.
Any recipient or categories of recipients of the personal data
In the event of an emergency occurring while on board, your information will be shared with relevant bodies to provide any necessary assistance to you.
Retention period or criteria used to determine the retention period
Your data will be kept only for the duration of your cruise. This retention has been determined by the Maritime Regulations.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal
data:
The right to be informed how your personal data is being processed
The right of access to the personal data we hold about you, which includes
providing copies of the information to you within one month of a request. We
may charge a reasonable fee to provide this information based on our
administrative costs of responding (i.e. photocopying, postage, etc.).
The right to rectification of any incorrect or incomplete data we hold about you
The right to erasure, also known as ‘the right to be forgotten’, where
Your information is no longer required for the purpose it was collected
You withdraw your consent
You object to Merseytravel processing your information (and there is
no overriding legitimate interest for continuing the processing)
Merseytravel has breached the GDPR when processing your data
There is a legal obligation to delete the data (such as a court order)
The right to restrict processing, which limits what Merseytravel can do with
your information
The right to data portability, where any automated processing of your
information based on your consent or as part of a contract is made available
for your reuse
The right to object to direct marketing or any processing based on the
performance of a task in the public interest/exercise of official authority or for
the purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling, where a
decision made by a computer has a legal or significant effect on you.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Fair Processing Notice – U-Boat Story
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of our U-boat
Story’s marketing activities.
If you have any questions about how your information is being used you can contact
Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used as part of our marketing activities, and we are able to do this with your consent that you provided when you signed up on our website to
receive regular news, updates and special offers about U-Boat Story.
Description of the categories of personal data
The categories of information being processed include your title, first name, last name and email address.
Your information will be shared with Dot Mailer, for the purposes of U-boat Story email marketing. Dot Mailer are an email marketing software provider, based here in
the UK.
Retention period or criteria used to determine the retention period
Your data will be kept indefinitely from the date of when you signed up, unless you unsubscribe, which you are able to do at any time following the instructions found at
the bottom of every email we send to you. This retention has been determined by Uboat Story’s business need.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal
data:
The right to be informed how your personal data is being processed
The right of access to the personal data we hold about you, which includes
providing copies of the information to you within one month of a request. We
may charge a reasonable fee to provide this information based on our
administrative costs of responding (i.e. photocopying, postage, etc.).
The right to rectification of any incorrect or incomplete data we hold about you
The right to erasure, also known as ‘the right to be forgotten’, where
Your information is no longer required for the purpose it was collected
You withdraw your consent
You object to Merseytravel processing your information (and there is
no overriding legitimate interest for continuing the processing)
Merseytravel has breached the GDPR when processing your data
There is a legal obligation to delete the data (such as a court order)
The right to restrict processing, which limits what Merseytravel can do with
your information
The right to data portability, where any automated processing of your
information based on your consent or as part of a contract is made available
for your reuse
The right to object to direct marketing or any processing based on the
performance of a task in the public interest/exercise of official authority or for
the purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling, where a
decision made by a computer has a legal or significant effect on you.
The right to withdraw consent at any time
You have the right to withdraw your consent and stop receiving our marketing at any time.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be
reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Fair Processing Notice – Travel Alerts
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used for Travel Alerts.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used by Merseytravel as part of our Travel Alerts activities, and we are able to do this with your consent, which you give when you sign up on the Merseytravel website to receive travel alerts.
Description of the categories of personal data
The categories of information being processed include your title, first name, surname, email address, post code and year of birth. Your information will be shared with Dotmailer, for the purposes of Merseytravel Travel Alerts email marketing. Dotmailer are an email marketing software provider, based here in the UK.
Retention period or criteria used to determine the retention period
Your data will be kept indefinitely from the date of when you signed up, unless you unsubscribe, which you are able to do at any time following the instructions found at the bottom of every email we send to you. This retention has been determined by Merseytravel’s business need.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal
data:
The right to be informed how your personal data is being processed
The right of access to the personal data we hold about you, which includes
providing copies of the information to you within one month of a request. We
may charge a reasonable fee to provide this information based on our
administrative costs of responding (i.e. photocopying, postage, etc.).
The right to rectification of any incorrect or incomplete data we hold about you
The right to erasure, also known as ‘the right to be forgotten’, where
Your information is no longer required for the purpose it was collected
You withdraw your consent
You object to Merseytravel processing your information (and there is
no overriding legitimate interest for continuing the processing)
Merseytravel has breached the GDPR when processing your data
There is a legal obligation to delete the data (such as a court order)
The right to restrict processing, which limits what Merseytravel can do with
your information
The right to data portability, where any automated processing of your
information based on your consent or as part of a contract is made available
for your reuse
The right to object to direct marketing or any processing based on the
performance of a task in the public interest/exercise of official authority or for
the purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling, where a
decision made by a computer has a legal or significant effect on you.
The right to withdraw consent at any time
You have the right to withdraw your consent and stop receiving our marketing at any time.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Fair Processing Notice - Solo & Refurbished Bike For Work
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of application for a Solo or refurbished bicycle.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used by Merseytravel to process your Solo or Refurbished Bike For Work application. We are able to do this as it is part of our public tasks carried out under the Transport Act 1968.
Description of the categories of personal data
The categories of information being processed include your name, contact details and employment history. No special category or sensitive data will be processed.
Retention period or criteria used to determine the retention period
Your data will be kept for a period of 2 years from the date of your application. This retention has been determined by Merseytravel’s business need.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal data:
- The right to be informed how your personal data is being processed
- The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (i.e. photocopying, postage, etc.).
- The right to rectification of any incorrect or incomplete data we hold about you
- The right to erasure, also known as ‘the right to be forgotten’, where
Your information is no longer required for the purpose it was collected
You withdraw your consent
You object to Merseytravel processing your information (and there is no overriding legitimate interest for continuing the processing)
Merseytravel has breached the GDPR when processing your data
There is a legal obligation to delete the data (such as a court order) - The right to restrict processing, which limits what Merseytravel can do with your information
- The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse
- The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Fair Processing Notice – Cycling & Walking to Work Fund Programme
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of the monitoring and evaluation of the Cycling and Walking to Work Fund Programme and reporting the findings to stakeholders.
If you have any questions about how your information is being used you can contact
Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used by Merseytravel to determine the success of the Cycling and Walking to Work Fund Programme based on your participation in the programme. We are able to do this as it is part of our public tasks carried out under the Transport Act 1968.
Any recipient or categories of recipients of the personal data
Your information will be shared with the following WSP for the purposes of facilitating the Cycling and Walking to Work programme:
WSP who have been commissioned to deliver the Business Support Officers
scheme
Living Streets who have been commissioned to deliver a Walking to Work
Package of measures; and
SYSTRA who are providing an overall monitoring and evaluation service
across the Cycling and Walking to Work programme.
Description of the categories of personal data
The categories of information being processed include your name, contact details and employment history. No special category or sensitive data will be processed.
Retention period or criteria used to determine the retention period
Your data will be kept for a period of 3 years from the date of your participation in the programme. This retention has been determined by Merseytravel’s business need.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal
data:
The right to be informed how your personal data is being processed
The right of access to the personal data we hold about you, which includes
providing copies of the information to you within one month of a request. We
may charge a reasonable fee to provide this information based on our
administrative costs of responding (i.e. photocopying, postage, etc.).
The right to rectification of any incorrect or incomplete data we hold about you
The right to erasure, also known as ‘the right to be forgotten’, where
Your information is no longer required for the purpose it was collected
You withdraw your consent
You object to Merseytravel processing your information (and there is
no overriding legitimate interest for continuing the processing)
Merseytravel has breached the GDPR when processing your data
There is a legal obligation to delete the data (such as a court order)
The right to restrict processing, which limits what Merseytravel can do with
your information
The right to data portability, where any automated processing of your
information based on your consent or as part of a contract is made available
for your reuse
The right to object to direct marketing or any processing based on the
performance of a task in the public interest/exercise of official authority or for
the purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling, where a
decision made by a computer has a legal or significant effect on you.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal
data to the UK’s supervisory authority, the Information Commissioner, who can be
reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Fair Processing Notice – Bus Network Survey
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer
Merseytravel is the ‘controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of the Bus Network
review.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used by Merseytravel to understand better how you use the region’s bus network, and we are able to do this with your consent.
In the case of sensitive/special categories of personal data, our legal basis for processing is your explicit consent. This is to allow Merseytravel to assess whether we are receiving feedback from a representative cross-section of society.
Description of the categories of personal data
The categories of information being processed include your postcode and age.
In addition, we also process some ‘special categories’ of your personal data, such as information related to your racial or ethnic origin and data concerning health. Any recipient or categories of recipients of the personal data [where applicable]
Your information will be shared with Snap Surveys for the purposes of administering the survey process. You can read more about Snap Surveys on their website at snapsurveys.com
Details of transfers to third country and safeguards [where applicable]
Your personal data will be transferred outside the European Economic Area (all EU Member States, plus Iceland, Norway and Liechtenstein) to United States of America. We ensure that the security of your personal data is guaranteed by the safeguards of the EU-US Privacy Shield.
Retention period or criteria used to determine the retention period
Your data will be kept for a period of 12 months from the date of survey completion. This retention has been determined by Merseytravel’s business need.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal
data:
The right to be informed how your personal data is being processed
The right of access to the personal data we hold about you, which includes
providing copies of the information to you within one month of a request. We
may charge a reasonable fee to provide this information based on our
administrative costs of responding (i.e. photocopying, postage, etc.).
The right to rectification of any incorrect or incomplete data we hold about you
The right to erasure, also known as ‘the right to be forgotten’, where
Your information is no longer required for the purpose it was collected
You withdraw your consent
You object to Merseytravel processing your information (and there is
no overriding legitimate interest for continuing the processing)
Merseytravel has breached the GDPR when processing your data
There is a legal obligation to delete the data (such as a court order)
The right to restrict processing, which limits what Merseytravel can do with
your information
The right to data portability, where any automated processing of your
information based on your consent or as part of a contract is made available
for your reuse
The right to object to direct marketing or any processing based on the
performance of a task in the public interest/exercise of official authority or for
the purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling, where a
decision made by a computer has a legal or significant effect on you.
The right to withdraw consent at any time
As our legal basis for processing your personal data is your consent, you have the right to withdraw this at any time.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be
reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Fair Processing Notice - The Beatles Story Newsletters
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer
Merseytravel, who own The Beatles Story, is the ‘controller’ for your personal information. This means that we decide the purpose and means of how your data is used.
If you have any questions about how your information is being used you can contact
Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used by Merseytravel to update you on The Beatles Story news, and we are able to do this with your consent.
Description of the categories of personal data
The categories of information being processed include your name and email address.
Details of transfers to third country and safeguards [where applicable]
The Beatles Story use MailChimp to manage our newsletters. As a result, your personal data will be transferred outside the European Economic Area (all EU
Member States, plus Iceland, Norway and Liechtenstein) to the United States of America. We ensure that the security of your personal data is guaranteed by the EUUS Privacy Shield.
Retention period or criteria used to determine the retention period
Your data will be kept indefinitely from the date of when you signed up, unless you unsubscribe, which you are able to do at any time following the instructions found at
the bottom of every email we send to you. This retention has been determined by The Beatles Story’s business need.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal
data:
The right to be informed how your personal data is being processed
The right of access to the personal data we hold about you, which includes
providing copies of the information to you within one month of a request. We
may charge a reasonable fee to provide this information based on our
administrative costs of responding (i.e. photocopying, postage, etc.).
The right to rectification of any incorrect or incomplete data we hold about you
The right to erasure, also known as ‘the right to be forgotten’, where
Your information is no longer required for the purpose it was collected
You withdraw your consent
You object to Merseytravel processing your information (and there is
no overriding legitimate interest for continuing the processing)
Merseytravel has breached the GDPR when processing your data
There is a legal obligation to delete the data (such as a court order)
The right to restrict processing, which limits what Merseytravel can do with
your information
The right to data portability, where any automated processing of your
information based on your consent or as part of a contract is made available
for your reuse
The right to object to direct marketing or any processing based on the
performance of a task in the public interest/exercise of official authority or for
the purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling, where a
decision made by a computer has a legal or significant effect on you.
The right to withdraw consent at any time
As our legal basis for processing your personal data is your consent, you have the
right to withdraw this at any time.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal
data to the UK’s supervisory authority, the Information Commissioner, who can be
reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Fair Processing Notice – Bus Service Consultation
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer
Merseytravel is the ‘controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of the Bus Service Consultation.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used by Merseytravel and bus operators (Arriva, Stagecoach, Warrington’s Own Buses) to understand better how you use the region’s bus network, and we are able to do this with your consent.
In the case of sensitive/special categories of personal data, our legal basis for processing is your explicit consent. This is to allow Merseytravel to assess whether we are receiving feedback from a representative cross-section of society.
Description of the categories of personal data
The categories of information being processed include any personal data you share within qualitative comments within the survey and the post code data you share for start and end of your journey.
Any recipient or categories of recipients of the personal data [where applicable]
Your information will be shared with Snap Surveys for the purposes of administering the survey process. You can read more about Snap Surveys on their website at snapsurveys.com
Details of transfers to third country and safeguards [where applicable]
Your personal data will be transferred outside the European Economic Area (all EU Member States, plus Iceland, Norway and Liechtenstein) to United States of America. We ensure that the security of your personal data is guaranteed by the
safeguards of the EU-US Privacy Shield.
Retention period or criteria used to determine the retention period
Your data will be kept for a period of three years from the date of survey completion.This retention has been determined by Merseytravel’s business need.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal
data:
The right to be informed how your personal data is being processed
The right of access to the personal data we hold about you, which includes
providing copies of the information to you within one month of a request. We
may charge a reasonable fee to provide this information based on our
administrative costs of responding (i.e. photocopying, postage, etc.).
The right to rectification of any incorrect or incomplete data we hold about you
The right to erasure, also known as ‘the right to be forgotten’, where
Your information is no longer required for the purpose it was collected
You withdraw your consent
You object to Merseytravel processing your information (and there is
no overriding legitimate interest for continuing the processing)
Merseytravel has breached the GDPR when processing your data
There is a legal obligation to delete the data (such as a court order)
The right to restrict processing, which limits what Merseytravel can do with
your information
The right to data portability, where any automated processing of your
information based on your consent or as part of a contract is made available
for your reuse
The right to object to direct marketing or any processing based on the
performance of a task in the public interest/exercise of official authority or for
the purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling, where a
decision made by a computer has a legal or significant effect on you.
The right to withdraw consent at any time
As our legal basis for processing your personal data is your consent, you have the right to withdraw this at any time.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Fair Processing Notice – National Fraud Initiative 2024
Background
The National Fraud Initiative (NFI) is an exercise that matches electronic data within
and between public and private sector organisations to prevent and detect fraud. The
NFI is run by the Cabinet Office.
Further details of the NFI can be found on the GOV.UK website at this link.
This notice sets out how your personal data is used, and your rights in line with data
Protection Legislation (including the Data Protection Act 2018 and General Data
Protection Regulation (GDPR).
The Data
As a Combined Authority, we are required to share data with The NFI on a
mandatory basis, and we submit data for:
• Trade Creditors
• Payroll
• Transport Passes & Permits
There are data specifications which set out exactly what data we process in the
above areas for this data matching exercise. Further information can be found at this
link.
Criminal Convictions
Should data matching through the NFI result in a prosecution, then this may also be
recorded by participating organisations. This information is for recording outcomes
purposes only and the data won’t be shared further.
Purpose
The purpose(s) for which we are processing your personal data is: To assist in the
prevention and detection of fraud.
Automated Profiling
Your personal data will be subject to the following automated profiling (as defined in
Article 4, paragraph 4 UK GDPR):
Data matching involves comparing sets of data, such as the payroll or benefits
records of an organisation, against other records held by the same or another
organisation to see how far they match. The data is usually personal information.
The data matching allows potentially fraudulent claims and payments to be identified.
Where a match is found it may indicate that there is an inconsistency that requires
further investigation. No assumption can be made as to whether there is fraud, error,
or other explanation until an investigation is carried out.
All organisations participating in the Cabinet Office’s data matching exercises
receive a report of matches that they should investigate, to detect instances of fraud,
over or under-payments and other errors, to take remedial action and update their
records accordingly.
Legal basis of processing
The legal basis for processing your personal data is that processing is necessary for
the performance of a task carried out in the public interest or in the exercise of
official authority vested in the data controller. The National Fraud Initiative is
conducted using the data matching powers bestowed on the Minister for the Cabinet
Office by Part 6 of the Local Audit and Accountability Act 2014.
Under the Local Audit and Accountability Act legislation:
• The Cabinet Office may carry out data matching exercises for the purpose of
assisting in the prevention and detection of fraud.
• The Cabinet Office requires certain organisations (as set out in the Act) to
provide data for data matching exercises.
• The Cabinet Office may disclose the results of data matching exercises where
this assists in the prevention and detection of fraud, including disclosure to
organisations that have provided the data and to auditors that it appoints as well
as in pursuance of a duty under an enactment.
• The Cabinet Office may disclose both data provided for data matching and the
results of data matching to the Auditor General for Wales, the Comptroller and
Auditor General for Northern Ireland, the Auditor General for Scotland, the
Accounts Commission for Scotland and Audit Scotland, for the purposes of
preventing and detecting fraud.
• Wrongful disclosure of data obtained for the purposes of data matching by any
person is a criminal offence. A person found guilty of the offence is liable on
summary conviction to a fine not exceeding level 5 on the standard scale.
• The Cabinet Office must prepare and publish a Code of Practice. All bodies
conducting or participating in its data matching exercises, including the Cabinet
Office itself, must have regard to the Code.
• The Cabinet Office may report publicly on its data matching activities.
The processing of data by the Cabinet Office in a data matching exercise is carried
out with statutory authority under its powers in Part 6 of the Local Audit and
Accountability Act 2014. It does not require the consent of the individuals concerned
under data protection legislation or the GDPR.
Recipients
Your information will be shared for the purposes of the NFI.
Your personal data will be shared with the Cabinet Office, who will then further share
your data as necessary for the purposes of preventing and detecting fraud with:
• The Auditor General for Wales
• The Comptroller and Auditor General for Northern Ireland
• The Auditor General for Scotland
• The Accounts Commission for Scotland
• Audit Scotland
And with mandatory participants who include:
• District and county councils
• London and metropolitan boroughs
• Unitary authorities
• Combined authorities
• Police authorities
• Fire and rescue authorities
• Pension authorities
• NHS Trusts
• Foundation Trusts
• Integrated Care Boards
• Passenger transport authorities
• Passenger transport executives
• Waste authorities
• Greater London Authority and its functional bodies
In addition, the following bodies provide data to the NFI for matching on a voluntary
basis:
• Private sector pension schemes (various)
• Metropolitan Police – Operation Amberhill
• Special health authorities
• Housing associations and other social housing providers
• Probation authorities
• National Park authorities
• Central government pensions schemes
• Insurance Fraud Bureau
• Central government departments
• Social Security Scotland
• Synectics Solutions Limited SIRA
• LexisNexis Risk Solutions Ltd
• AirBnB
• Tenancy Deposit Protection Scheme
• Credit reference agencies
• Other private organisations/companies
The Cabinet Office will share records containing personal data with HMRC. These
will be matched against HMRC records and additional HMRC information appended
and fed back to the NFI. The HMRC matching will seek to identify persons at the
address provided and relevant income related information. Data matching services
are then provided to the NFI by the Department for Work and Pensions, and our IT
Supplier using only UK Data Centres.
The Cabinet Office also share NFI data with Synectics Solutions Limited SIRA and
LexisNexis Risk Solutions Ltd for them to use in their anti-fraud data matching
services. Where your personal data is used for these purposes, Synectics Solutions
Ltd and LexisNexis Risk Solutions Ltd are the responsible data controllers. Their
privacy notices are available at the following links:
https://risk.lexisnexis.com/corporate/data-privacy
https://www.synectics-solutions.com/privacy-policy
Retention
Your personal data will be held by the Cabinet Office for the periods set out in their
Data Deletion Schedule at this link.
Your Rights
You have the right to:
• Request information about how your personal data is processed, and to request a
copy of that personal data.
• Request that any inaccuracies in your personal data are rectified without delay.
• Request that any incomplete personal data are completed, including by means of
a supplementary statement.
• Request that your personal data are erased if there is no longer a justification for
them to be processed.
• In certain circumstances (for example, where accuracy is contested) to request
that the processing of your personal data is restricted.
• You have the right to object to the processing of your personal data where it is
processed for direct marketing purposes.
Who can you contact about data protection and your rights?
If you have any questions about how your information is being used, you can contact
our Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
The Cabinet Office acts as a data controller for this information. This is because they
conduct the data matching exercise. They can be contacted at
[email protected]
Head of the NFI
10 South Colonnade
Canary Wharf
London
E14 4QQ
The contact details for the data controller’s Data Protection Officer (DPO) are:
[email protected]
Stephen Jones
DPO
Cabinet Office
70 Whitehall
London
SW1A 2AS
The Cabinet Office’s Privacy Notice for the NFI can be found at this link.
For independent advice about data protection, privacy, and data sharing issues or to
lodge a complaint about how we have handled your information you can contact the
Information Commissioner’s Office (ICO) at:
[email protected]
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
Telephone: 0303 123 1113
Fair Processing Notice – Cycling Works website
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of ‘Cycling Works’ marketing activities.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used as part of our marketing activities, and we are able to do this with your consent that you provided when you signed up on our website to
receive newsletters, updates and special offers about Cycling Works.
Description of the categories of personal data
The categories of information being processed may include your title, first and last name, home address, email address, telephone number, gender, weight, height, age
band, personal methods of transport and cycling habits.
Retention period or criteria used to determine the retention period
Your data will be kept indefinitely from the date of when you signed up, unless you unsubscribe, which you are able to do at any time following the instructions found at
the bottom of every email we send to you. This retention has been determined by Merseytravel in order for the website to calculate money saved by cycling, as well as
the bike miles clocked up, the calories burnt and CO2 saved.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal
data:
The right to be informed how your personal data is being processed
The right of access to the personal data we hold about you, which includes
providing copies of the information to you within one month of a request. We
may charge a reasonable fee to provide this information based on our
administrative costs of responding (i.e. photocopying, postage, etc.).
The right to rectification of any incorrect or incomplete data we hold about you
The right to erasure, also known as ‘the right to be forgotten’, where
Your information is no longer required for the purpose it was collected
You withdraw your consent
You object to Merseytravel processing your information (and there is
no overriding legitimate interest for continuing the processing)
Merseytravel has breached the GDPR when processing your data
There is a legal obligation to delete the data (such as a court order)
The right to restrict processing, which limits what Merseytravel can do with
your information
The right to data portability, where any automated processing of your
information based on your consent or as part of a contract is made available
for your reuse
The right to object to direct marketing or any processing based on the
performance of a task in the public interest/exercise of official authority or for
the purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling, where a
decision made by a computer has a legal or significant effect on you.
The right to withdraw consent at any time
You have the right to withdraw your consent and stop receiving our marketing at any time.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Fair Processing Notice – Merseytravel Employers’ Network
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of the Employers’ Network.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used as part of our marketing activities, and we are able to do this with your consent when you signed up to receive newsletters, updates and special offers about the Employers’ Network.
Description of the categories of personal data
The categories of information being processed include your name, business telephone number, postal address and email address and approximate number of employees. Any survey data obtained may include additional personal details including age, gender, travel habits and opinions on modes of transport.
Details of transfers to third country and safeguards [where applicable]
Merseytravel’s Employers’ Network uses Survey Monkey solely for the purpose to run workplace travel surveys. As a result, any disclosed personal data will be transferred outside the European Economic Area (all EU Member States, plus Iceland, Norway and Liechtenstein) to the United States of America. We ensure that the security of your personal data is guaranteed by the EU US Privacy Shield.
Retention period or criteria used to determine the retention period
Your membership data will be kept indefinitely from the date of when you signed up,unless you unsubscribe, which you are able to do at any time following the instructions found at the bottom of every email we send to you. Any information obtained via Survey Monkey that contains personal data will be retained for a maximum of 12 months. This retention has been determined by Merseytravel’s business need.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal
data:
The right to be informed how your personal data is being processed
The right of access to the personal data we hold about you, which includes
providing copies of the information to you within one month of a request. We
may charge a reasonable fee to provide this information based on our
administrative costs of responding (i.e. photocopying, postage, etc.).
The right to rectification of any incorrect or incomplete data we hold about you
The right to erasure, also known as ‘the right to be forgotten’, where
Your information is no longer required for the purpose it was collected
You withdraw your consent
You object to Merseytravel processing your information (and there is
no overriding legitimate interest for continuing the processing)
Merseytravel has breached the GDPR when processing your data
There is a legal obligation to delete the data (such as a court order)
The right to restrict processing, which limits what Merseytravel can do with
your information
The right to data portability, where any automated processing of your
information based on your consent or as part of a contract is made available
for your reuse
The right to object to direct marketing or any processing based on the
performance of a task in the public interest/exercise of official authority or for
the purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling, where a
decision made by a computer has a legal or significant effect on you.
The right to withdraw consent at any time
You have the right to withdraw your consent and stop receiving our marketing at any time.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Fair Processing Notice – Liverpool City Region Active Travel Forum
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer
Merseytravel is the ‘data controller’ for your personal information. This means that
we decide the purpose and means of how your data is used as part of the ongoing development of the Liverpool City Region Local Cycling and Walking Infrastructure Plan (LCWIP) and associated engagement and marketing activities.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used as part of our ongoing engagement and marketing activities, for the development of the LCWIP and we are able to do this with your consent that you provided when you signed up to be a member of the Liverpool City Region Active Travel Forum.
Description of the categories of personal data
The categories of information being processed may include your title, first and last name, home address, email address, telephone number, gender, age band, personal methods of transport and cycling and walking habits.
Retention period or criteria used to determine the retention period
Your data will be kept for a maximum period of ten years, unless you unsubscribe, which you are able to do at any time following the instructions found at the bottom of every email we send to you. This retention has been determined by Merseytravel as the timeframe for the development and delivery of the LCWIP.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal data:
- The right to be informed how your personal data is being processed
- The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (i.e. photocopying, postage, etc.).
- The right to rectification of any incorrect or incomplete data we hold about you
- The right to erasure, also known as ‘the right to be forgotten’, where
- Your information is no longer required for the purpose it was collected
- You withdraw your consent
- You object to Merseytravel processing your information (and there is no overriding legitimate interest for continuing the processing)
- Merseytravel has breached the GDPR when processing your data
- You object to Merseytravel processing your information (and there is no overriding legitimate interest for continuing the processing)
- Merseytravel has breached the GDPR when processing your data
- There is a legal obligation to delete the data (such as a court order)
- The right to restrict processing, which limits what Merseytravel can do with your information
- The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse
- The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
The right to withdraw consent at any time
You have the right to withdraw your consent and stop receiving our marketing at any time.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Informaton Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Fair Processing Notice – Merseytravel Smart Ticketing Scheme
Identify and contact details of the controller and where applicable, the controller’s representative and the data protection officer.
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of the registration for either a Walrus or a MetroCard smart ticket online account.
Please be aware that rail operators may also collect your data if purchasing a Railpass product on your smart ticket, that data is collected for different purposes and not part of this scheme.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing at legal basis for the processing
Your information is being used by Merseytravel to process your Walrus or MetroCard registration. We are able to do this as part of our public tasks carried out under the Transport Act 1968. Your information will be shared with partners for the purposes of
administration of the scheme.
Description of the categories of personal data
The categories of information being processed include your name, home address and postcode, telephone number and email address. This is in order to verify your email address and register your information to allow online account management
and the purchasing of tickets online, either for yourself or on behalf of associated smart card holders.
Retention period or criteria used to determine the retention period
- Your data will be kept for a period of 6 years from the date of the card’s expiry. This retention has been determined by Merseytravel’s obligations under the Limitation Act 1980 and in compliance with UK ITSO Smartcard Scheme.
- The existence of each of data subject’s rights
- The GDPR provides you with the following rights when it comes to your personal data:
- The right to be informed how your personal data is being processed.
- The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (i.e. photocopying, postage, etc.).
- The right to rectification of any incorrect or incomplete data we hold about you.
- The right to erasure, also known as ‘the right to be forgotten’ where your information is no longer required for the purpose it was collected;
- You withdraw your consent;
- You object to Merseytravel processing your information (and there is no overriding legitimate interest for continuing the processing);
Merseytravel has breached the GDPR when processing your data; - There is a legal obligation to delete the data (such as a court order);
- The right to restrict processing, which limits what Merseytravel can do with your information.
- The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse.
- The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Merseytravel is required to process your information in line with the registration process. Failure to provide your personal data would lead to the inability for Merseytravel to process your application to register your smartcard for online
account management and online ticket purchase.
Mersey Ferries Photography
The right to withdraw consent at any time
If you have featured in official Mersey Ferry photography/ videography you have the right to withdraw your consent to be featured in photography/ videography at any time. To do so, contact our Data Protection Officer using at:
[email protected].
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
The photography/ videography may be used for the purpose of promoting Mersey Ferries and may appear online, in print and on social media.
If your photo has been used in printed material, withdrawal of your consent will mean that it is not used in any future publications.
Should you not wish to have your image taken whilst on a Mersey Ferries cruise please speak to a member of staff on-board during the cruise.
Retention Period
The photography/ videography will be kept for a period of 10 years from the date of collection.
Fair Processing Notice
GDPR provides you with the following rights when it comes to your personal data.
The right to be informed how your personal data is being processed.
The right of access to the personal data we hold about you, which includes
providing copies of the information to you within one month of a request. We
may charge a reasonable fee to provide this information based on our
administrative costs of responding (i.e. photocopying, postage, etc.).
The right to rectification of any incorrect or incomplete data we hold about you
The right to erasure, also known as ‘the right to be forgotten’, where:
your information is no longer required for the purpose it was collected
you withdraw your consent
you object to Mersey Ferries processing your information (and there is
no overriding legitimate interest for continuing the processing)
Mersey Ferries has breached the GDPR when processing your data
there is a legal obligation to delete the data (such as a court order)
The right to restrict processing, which limits what Mersey Ferries can do with
your information.
The right to data portability, where any automated processing of your
information based on your consent or as part of a contract is made available
for your reuse.
The right to object to direct marketing or any processing based on the
performance of a task in the public interest/exercise of official authority or for
the purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling, where a
decision made by a computer has a legal or significant effect on you.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Marketing Fair Processing Notice
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer
Merseytravel is the ‘data controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of our Mersey Ferries marketing activities.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used as part of our marketing activities, and we are able to do this with your consent that you provided when you signed up on our website to receive regular news, updates and special offers about Mersey Ferries.
Description of the categories of personal data
The categories of information being processed include your title, first name, last name and email address.
Your information will be shared with Dotmailer, for the purposes of Mersey Ferries email marketing. Dotmailer are an email marketing software provider, based here in the UK.
Retention period or criteria used to determine the retention period
Your data will be kept indefinitely from the date of when you signed up, unless you unsubscribe, which you are able to do at any time following the instructions found at the bottom of every email we send to you. This retention has been determined by Mersey Ferry’s business need.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal data:
The right to be informed how your personal data is being processed
The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (i.e. photocopying, postage, etc.).
The right to rectification of any incorrect or incomplete data we hold about you
The right to erasure, also known as ‘the right to be forgotten’, where
Your information is no longer required for the purpose it was collected
You withdraw your consent
You object to Merseytravel processing your information (and there is no overriding legitimate interest for continuing the processing)
Merseytravel has breached the GDPR when processing your data
There is a legal obligation to delete the data (such as a court order)
The right to restrict processing, which limits what Merseytravel can do with your information
The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse
The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
The right to withdraw consent at any time
You have the right to withdraw your consent and stop receiving our marketing at any time.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Fair Processing Notice – Apprenticeship Travel Discount Scheme
Identify and contact details of the controller and where applicable, the controller’s representative and the data protection officer.
Merseytravel is the ‘controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of the Apprenticeship Travel Discount Scheme for card issuing purposes. Please be aware
that rail operators may also collect your data if purchasing a Railpass product, and that data is collected for different purposes and not part of this scheme.
If you have any questions about how your information is being used you can contact Merseytravel’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing at legal basis for the processing
Your information is being used by Merseytravel, to process your application for the Apprenticeship Travel Discount Scheme, and we are able to do this as part of Merseytravel’s management of a travel discount eligibility schemefor eligible
residents of the Liverpool City Region.
Description of the categories of personal data
The categories of information being processed include your name, home and work address and postcode, telephone number and email address. This is in order to verify your eligibility to take part in the scheme.
Retention period or criteria used to determine the retention period
Your data will be kept for a period of 3 years from the date of the card’s expiry. This retention has been determined by the Combined Authority’s business need to monitor and audit the scheme.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal data:
- The right to be informed how your personal data is being processed.
- The right of access to the personal data we hold about you, which includes
providing copies of the information to you within one month of a request. We
may charge a reasonable fee to provide this information based on our
administrative costs of responding (ie photocopying, postage, etc). - The right to rectification of any incorrect or incomplete data we hold about
you. - The right to erasure, also known as ‘the right to be forgotten’ where
Your information is no longer required for the purpose it was collected;
You withdraw your consent;
You object to Merseytravel processing your information (and there is
no overriding legitimate interest for continuing the processing);
Merseytravel has breached the GDPR when processing your data;
There is a legal obligation to delete the data (such as a court order); - The right to restrict processing, which limits what Merseytravel can do with
your information. - The right to data portability, where any automated processing of your
information based on your consent or as part of a contract is made available
for your reuse. - The right to object to direct marketing or any processing based on the
performance of a task in the public interest/exercise of official authority or for
the purposes of scientific/historical research and statistics. - Rights in relation to automated decision making and profiling, where a
decision made by a computer has a legal or significant effect on you.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Identify and contact details of the controller and where applicable, the controller’s representative and the data protection officer
The Liverpool City Region Combined Authority (‘the CA’) is the ‘controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of our Contact Centre system.
If you have any questions about how your information is being used you can contact the CA’s Data Protection Officer at
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used by the CA to administer and respond to your queries to our Contact Centre, and we are able to do this as part of our official functions and for the reasons of substantial public interest under the Transport Act.
Description of the categories of personal data
You have the option of contacting us anonymously if you choose. This will, however, mean that we are unable to respond to your enquiry.
If you would like to receive a response, the categories of information being processed include your name, preferred method of contacting you (email address, postal address or phone number) and any personal opinions expressed in your correspondence with us.
In addition, depending on the nature of your enquiry we may also process some ‘special categories’ of your personal data, such as information related to your:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Data concerning health
- Sex life or sexual orientation
Any recipient or categories of recipients of the personal data
You will be given the option of allowing the CA to share your information with third parties relevant to your enquiry (such as bus operators) for the purposes of responding to you.
Retention period or criteria used to determine the retention period
An audio recording of your call will be retained for three months. If we collect any of your data in order to respond to your enquiry this will be kept for a period of one year from the date of your initial enquiry. These retention periods have been determined by the CA’s business need.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal data:
- The right to be informed how your personal data is being processed
- The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (i.e. photocopying, postage, etc.).
- The right to rectification of any incorrect or incomplete data we hold about you
- The right to erasure, also known as ‘the right to be forgotten’, where
- Your information is no longer required for the purpose it was collected
- You withdraw your consent
- You object to the CA processing your information (and there is no overriding legitimate interest for continuing the processing)
- The CA has breached the GDPR when processing your data
- There is a legal obligation to delete the data (such as a court order)
- The right to restrict processing, which limits what the CA can do with your information
- The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse
- The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Fair Processing Notice – Headbolt Lane Station, Kirkby
Identity and contact details of the controller and where applicable, the controller’s representative and the data protection officer
The Liverpool City Region Combined Authority (‘the CA’) is the ‘controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of our Headbolt Lane Station consultation.
If you have any questions about how your information is being used, you can contact the CA’s Data Protection Officer at
[email protected]
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used by the CA help us understand as part of preparation of the Station proposals. It allows us to effectively communicate and help build an aggregate understanding of needs as part of the process. We are able to do this as it is part of the exercise of our official public functions. We are able to do this with your consent. Where you have opted in to receive communications regarding Headbolt Lane Station, we are relying on your consent to process your personal
data. You can withdraw your consent at any time to stop receiving updates.
Description of the categories of personal data & sensitive data
The categories of information being processed include your email address, age range, gender, postcode, your education or employment status. We may also ask for certain special category data (e.g. ethnicity or disability
information) on an optional basis for purposes of monitoring and effective
engagement. This information will not be published.
You may in the future be offered the opportunity to sign up to the CA’s Customer Relationship Management (CRM) system. Any contact would be to provide you with information about and other opportunities to get involved in the work of CA.
Any recipient or categories of recipients of the personal data
Our online engagement platform is run by Commonplace (Commonplace Digital Ltd.) who process personal data and information on our behalf. An anonymous sample of your comments may be quoted as part of the Station’s Planning application process with Knowsley Council.
Retention period or criteria used to determine the retention period
Your data will be kept for as long as required in order for the completion of Headbolt Lane Station build (including planning application, submission and acceptance) expected in 2023. This retention has been determined by the Combined Authority’s business need.
If you have signed up for our mailing / contact list, your details will be kept until you
Unsubscribe, same if you give us your permission in the future to add your details to our contact database (CRM system).
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal data:
• The right to be informed how your personal data is being processed
• The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (i.e. photocopying, postage, etc.).
• The right to rectification of any incorrect or incomplete data we hold about you
• The right to erasure, also known as ‘the right to be forgotten’, where
o Your information is no longer required for the purpose it was collected
o You withdraw your consent
o You object to the CA processing your information (and there is no overriding legitimate interest for continuing the processing)
o The CA has breached the GDPR when processing your data
o There is a legal obligation to delete the data (such as a court order)
• The right to restrict processing, which limits what the CA can do with your information
• The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse
• The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
• Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
The right to withdraw consent at any time
As our legal basis for processing your personal data is your consent, you have the right to withdraw this at any time. To do so, either click the ‘unsubscribe’ link in our mailing or contact the DPO.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
Identity and contact details of the controller and where applicable, the controller’s representative and the data protection officer
The Liverpool City Region Combined Authority (‘the CA’) is the ‘controller’ for your personal information. This means that we decide the purpose and means of how your data is used as part of the Be More Brokerage programme.
If you have any questions about how your information is being used you can contact the CA’s Data Protection Officer at
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Purpose of the processing and the legal basis for the processing
Your information is being used by the CA to provide the Be More Brokerage programme, and we are able to do this as part of our official authority vested in us by our devolved powers from central Government.
Description of the categories of personal data
For learners, the categories of information being processed may include, where applicable, your
- name
- postal address
- email address
- telephone number
- date of birth
- photograph
- gender at birth
- National Insurance number
- residency status
- eligibility to work in the UK
- employment status
- learning record
- Unique Learner Number reference number(s)
The CA will also process the name and correspondence details of the employer/placement provider’s contact member of staff.
Where applicable, we also process some ‘special categories’ of your personal data, such as information related to any additional needs, disability or learning difficulty that you may have, and your ethnicity for equal opportunities monitoring.
Any recipient or categories of recipients of the personal data
Your information may be shared with other organisations (e.g. Awarding Bodies) and other key Government Agencies such as the ESFA for administrative, statistical and research purposes and to monitor progress of participants.
The information shared will be anonymised unless personal data is specifically required.
Retention period or criteria used to determine the retention period
Your data will be kept until 31st October 2030. This retention has been determined by a funding requirement from SIF.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal data:
- The right to be informed how your personal data is being processed
- The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a reasonable fee to provide this information based on our administrative costs of responding (i.e. photocopying, postage, etc.).
- The right to rectification of any incorrect or incomplete data we hold about you
- The right to erasure, also known as ‘the right to be forgotten’, where
- Your information is no longer required for the purpose it was collected
- You withdraw your consent
- You object to the CA processing your information (and there is no overriding legitimate interest for continuing the processing)
- The CA has breached the GDPR when processing your data
- There is a legal obligation to delete the data (such as a court order)
- The right to restrict processing, which limits what the CA can do with your information
- The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse
- The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House, Water Lane,
Wilmslow,
Cheshire SK9 5AF
0303 123 1113
The purposes of the data processing
The information you provide to the Combined Authority will be used to evaluate this project and to report to the Combined Authority and Strategic Investment Fund for monitoring purposes.
Your information will also be shared with research organisations working on behalf of the Combined Authority who may contact you to discuss your involvement in the project for research purposes. Participation in research is voluntary and you will be asked to consent before taking part in any research activity you may be contacted about.
Data will not be used or shared for any commercial or marketing purposes.
At all times your information will be kept securely, and nobody will have access to it that shouldn’t.
Regulatory and legal basis behind the requirement to collect data
For the purposes of the General Data Protection Regulation (GDPR), the LCR Combined Authority is the data controller in respect to information processed which relates to all participation in the Strategic Investment Fund. Contracted training partners are data processors in respect to information processed which relates to participants in the operations and projects funded by the Strategic Investment Fund. The Combined Authority is not the controller for any other / additional data collected by ‘the training partner’ that is not essential for delivering the programme, or for any personal data that would normally be collected anyway by the training partner.
The retention periods for the personal data
All personal data held by the Combined Authority or research contractors for the purposes of evaluation will be permanently deleted no more than six months after the research has been completed.
Personal data held by the Combined Authority will be retained in line with the current guidance on GOV.UK.
The rights available to individuals in respect of the processing
If you do not wish your personal data to be used for evaluation purposes please contact [email protected] and we will delete your data held for these purposes and you won’t be contacted about participating in research.
The Liverpool City Region Combined Authority HR Fair Processing Notice: Candidates
The Combined Authority is the ‘data controller’ for the personal information you provide. This means that we decide the purpose and means of how your data is used as part of your prospective or actual employment with the Combined Authority.
The Fair Processing Notice applies to all candidates, both those applying for employment with the Liverpool City Region Combined Authority and those applying for employment with Merseytravel.
If you have any questions about how your information is being used you can contact the Combined Authority’s Data Protection Officer at:
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
Description of the categories of personal data
The categories of information being processed include your name, contact details, academic and training qualifications and employment history.
In addition, we also process some ‘special categories’ of your personal data, such as information related to your:
- Racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Data concerning health.
- Sex life or sexual orientation.
When applicable, we also process data related to criminal convictions.
In some cases, the Combined Authority collects personal data about you from third parties, such as references supplied by former employers, information from employment background check providers and information from criminal records checks permitted by law.
Purpose of the processing and the legal basis for the processing
Your information is being used by the Combined Authority to process your job application, and we are able to do this with a view to entering into an employment contract with you.
In the case of special categories of personal data, we process data about your health to protect your vital interests and to ensure that you are medically fit to perform the role. We will only request data relating to your health once a provisional offer of employment has been made and we share the data with an external occupational health advisor.
We collect data relating to disability in order to ensure that, where needed, reasonable adjustments are made to the recruitment and selection process.
We are also required to process information related to your protected characteristics as defined by the Equality Act 2010 as part of our obligations under employment law, specifically the Public Sector Equality Duty as derived from the Equality Act 2010.
You are not required to complete the non-mandatory fields of the application form. If you choose to do so our processing will be based on your consent, or in the case of special category data your explicit consent. This information is used for the purposes of equal opportunities monitoring and meeting our duties under the Public Sector Equality Duty.
Any recipient or categories of recipients of the personal data
Your information will be shared with our service providers for the purposes of payroll administration and occupational health services. Contact details of these providers are available from the Data Protection Officer.
The General Data Protection Regulation (GDPR) allows for your information to be shared for reasons such as fraud investigation and criminal investigations. The Combined Authority will at all times ensure that any disclosure of your information is necessary for a legitimate purpose under the legislation.
Retention period or criteria used to determine the retention period
In the event of your successful appointment to the role your data will be kept for a period of 6 years from the date you leave your employment with the Combined Authority. This retention has been determined by the Combined Authority’s legal obligations under the Limitation Act 1980.
For individual vacancies, the data of unsuccessful applicants will be kept for a period of 6 months from the notification of the successful candidate. This retention has been determined by the Combined Authority’s legal obligations under the Equality Act 2010. For any talent pool recruitment campaigns, the data of unsuccessful applicants will be kept for a period of 12 months so that we can contact you in the event of future opportunities. This retention has been determined by the Combined Authority’s business need.
Further details of how long information is stored can be found in the Combined Authority’s Records Retention Schedule, which is available from the Data Protection Officer.
The existence of each of data subject’s rights
The GDPR provides you with the following rights when it comes to your personal data:
- The right to be informed how your personal data is being processed.
- The right of access to the personal data we hold about you, which includes providing copies of the information to you within one month of a request. We may charge a resonable fee to provide this information based on our administrative costs of responding (i.e. photocopying, postage, etc.).
- The right to rectification of any incorrect or incomplete data we hold about you.
- The right to erasure, also known as ‘the right to be forgotten’, where:
- Your information is no longer required for the purpose it was collected
- You withdraw your consent
- You object to the Combined Authority processing your information (and there is no overriding legitimate interest for continuing the processing)
- The Combined Authority has breached the GDPR when processing your data
- There is a legal obligation to delete the data (such as a court order).
- The right to restrict processing, which limits what the Combined Authority can do with your information.
- The right to data portability, where any automated processing of your information based on your consent or as part of a contract is made available for your reuse.
- The right to object to direct marketing or any processing based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling, where a decision made by a computer has a legal or significant effect on you.
The right to withdraw consent at any time
If our legal basis for processing your personal data is your consent, you have the right to withdraw this at any time.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of your personal data to the UK’s supervisory authority, the Information Commissioner, who can be reached using the details below:
The Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
www.ico.gov.uk
0303 123 1113
The Combined Authority is required to process your information with a view to entering into an employment contract with you. Failure to complete the mandatory fields on the application form would lead to the Combined Authority being unable to process your submission and would mean that we would ultimately not be able to employ you.
The Liverpool City Region Combined Authority HR Fair Processing Notice: Employees
The Combined Authority is the ‘data controller’ for the personal information you provide. This means that we decide the purpose and means of how your data is used as part of your prospective or actual employment with the Combined Authority.
The Fair Processing Notice applies to all employees of Liverpool City Region Combined Authority.
If you have any questions about how your information is being used you can contact the Combined Authority’s Data Protection Officer at:
0151 330 1679
1 Mann Island, Liverpool, L69 3HN
The Combined Authority collects and processes personal data relating to our employees to manage the employment relationship. The Combined Authority is committed to being transparent about how we collect and use that data and to meeting our data protection obligations.
What information does the Combined Authority collect?
The Combined Authority collects and processes a range of information about you. This includes:
- your name, address and contact details, including email address and telephone number, date of birth and gender;
- the terms and conditions of your employment;
- details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation;
- information about your remuneration, including entitlement to benefits such as pension;
- details of your bank account and national insurance number;
- information about your marital status, next of kin, dependants and emergency contacts;
- information about your nationality and entitlement to work in the UK;
- information about your criminal record;
- details of your schedule (days of work and working hours) and attendance at work;
- details of periods of leave taken by you, including holiday, TOIL, flexi leave, sickness absence, special/bereavement leave, leave related to pregnancy and parenthood and career breaks, and the reasons for the leave;
- details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
- assessments of your performance including Individual Performance Plans, performance reviews, training you have participated in, performance improvement plans and related correspondence;
- information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments;
- details of trade union membership; and
- equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.
The Combined Authority collects this information in a variety of ways. For example, data is collected through application forms; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.
In some cases, the Combined Authority collects personal data about you from third parties, such as references supplied by former employers, information from employment background check providers and information from criminal records checks permitted by law.
Data is stored in a range of different places, including in the Combined Authority’s HR management systems and in other IT systems (including the Combined Authority’s email system).
Why does the Combined Authority process personal data?
The Combined Authority needs to process data to enter into an employment contract with you and to meet our obligations under your employment contract. For example, we need to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer pension entitlements.
In some cases, the Combined Authority needs to process data to ensure that we are complying with our legal obligations. For example, we are required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled. For certain positions, it is necessary to carry out criminal records checks to ensure that individuals are permitted to undertake the role in question.
In other cases, the Combined Authority has a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows the Combined Authority to:
- run recruitment processes;
- maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
- operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
- operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
- operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
- obtain occupational health advice, to ensure that we comply with duties in relation to individuals with disabilities, meet our obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the Combined Authority complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
- ensure effective general HR and business administration;
- provide references on request for current or former employees;
- respond to and defend against legal claims; and
- maintain and promote equality in the workplace.
Where the Combined Authority relies on legitimate interests as a reason for processing data, we have considered whether or not those interests are overridden by the rights and freedoms of employees or workers and have concluded that they are not.
Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities and for health and safety purposes). Information about trade union membership is processed to allow the Combined Authority to operate check-off for union subscriptions.
Where the Combined Authority processes other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring and to meet the requirements of the Public Sector Equality Duty which is derived from the Equality Act 2010. Data that the Combined Authority uses for these purposes is collected with the express consent of employees, which can be withdrawn at any time. Employees are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so. When published, such data is anonymised.
Who has access to data?
Your information will be shared internally, including with members of the HR team (including payroll), your line manager, managers in the business area in which you work and IT staff if access to the data is necessary for performance of their roles. The information shared with managers is limited to information that they need to know for the purposes of managing particular situations during the course of your employment.
The Combined Authority shares your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service.
The Combined Authority also shares your data with third parties that process data on our behalf, in connection with payroll, the provision of pension benefits and the provision of occupational health services.
The Combined Authority will not transfer your data to countries outside the European Economic Area.
How does the Combined Authority protect data?
The Combined Authority takes the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. Access to the electronic HR system which contains the full complement of employee personal data is restricted to the HR team. Line managers and Heads of Service are given limited access to their employees’ data for the purposes of managing the employee on a day to day basis.
Where the Combined Authority engages third parties to process personal data on our behalf, we do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
For how long does The Combined Authority keep data?
The Combined Authority will hold your personal data for the duration for which it is needed. This will vary depending on the nature of the data. Full details relating to data retention periods for different record types are set out in the Record Retention Schedule & Guidance on One Place. This includes the periods for which your data is held after the end of employment.
Your rights
As a data subject, you have a number of rights. You can:
- access and obtain a copy of your data on request;
- require the Combined Authority to change incorrect or incomplete data;
- require the Combined Authority to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
- object to the processing of your data where the Combined Authority is relying on its legitimate interests as the legal ground for processing; and
- ask the Combined Authority to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the organisation's legitimate grounds for processing data.
If you would like to exercise any of these rights, including making a subject access request, please contact the Data Protection Officer ([email protected]).
If you believe that the Combined Authority has not complied with your data protection rights, you can complain to the Information Commissioner.
What if you do not provide personal data?
You have some obligations under your employment contract to provide the Combined Authority with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide the Combined Authority with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable the Combined Authority to enter a contract of employment with you. If you do not provide other information, this will hinder the Combined Authority’s ability to administer the rights and obligations arising as a result of the employment relationship efficiently.
Automated decision-making
Employment decisions are not based solely on automated decision-making