Your personal data is in safe hands with the South Devon Railway.
We respect your privacy and are committed to protecting your personal data and, as part of this, we regularly review our privacy statement so that you can see how we use your personal data.
We will never sell your personal data to third parties.
A few quick notes:
- This privacy statement explains what data we collect, how we collect it and why we use your personal data
- This policy applies to everyone whether you are a member, donor, volunteer, customer or employee or use any of our services, visit our website, email, call or write to us. In certain circumstances we may also provide an extra privacy notice, which will always refer to this page.
- We will never sell your personal data. We will only share it with organisations we work with who meet our high privacy standards.
1. Data Protection Act 2018 (GDPR)
The General Data Protection Regulation (GDPR) is a set of EU-wide data protection rules that have been brought into UK law as the Data Protection Act 2018.
The Data Protection Act 2018, in basic terms, governs how companies can legally collect and process personal data, how that data can be stored and the length of time it can be stored for.
There are seven key principles set out in GDPR:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
Data protection: Glossary of Terms
- Processing is essentially anything that is done to or with personal data. This includes but is not limited to collecting, recording, organising, structuring, storing, adapting, altering, erasing or destroying.
- A data subject is an identified or identifiable person.
- A controller determines the purposes and means of the processing of personal data.
- A processor processes data on behalf of a controller.
For further information on the Data Protection Act 2018 (GDPR) and your rights, please refer to the ICO website – https://ico.org.uk/your-data-matters/ or the Which? website – https://www.which.co.uk/consumer-rights/regulation/gdpr-data-protection-act – which is also a very good source of information for consumers, in an easy to understand format.
2. Important Information
Our Privacy Statement forms just part of our Terms and Conditions, it is important that you read through all of our terms and conditions as they contain information on us and our relationship with you.
3. Who we are
The South Devon Railway operates a heritage railway between Buckfastleigh and Totnes in the county of Devon. Alongside running heritage steam and diesel trains we undertake many heritage, commercial and educational activities such as Dining Trains, Driver Experiences, Train Hire, School and Group Visits as well as operating a Refreshment Room and Gift and Model Shop through our Retail and Catering company and Contract Railway Engineering, such as Tire Fitting, Boilersmiths and Carriage Parts, through our Engineering Company.
We are made up of a group of companies that, together, operate the South Devon Railway and the activities it undertakes.
South Devon Railway Limited is the company responsible for the day to day running and operation of the activities of the South Devon Railway. It is registered as a Community Benefit Society with the Financial Conduct Authority with registration number 8114.
South Devon Railway Trust is the legal owner of the South Devon Railway’s land and major assets, such as buildings and certain locomotives, which are long-term leased to South Devon Railway Limited to manage and operate the railway. South Devon Railway Trust also performs the vital role of fundraising for the South Devon Railway. It is registered in England and Wales with company number 01157099 and with the Charity Commission with charity number 800299.
South Devon Railway Retail and Catering Ltd. is the company that operates our refreshment rooms and gift & model shop, trading as South Devon Railway Refreshment Rooms and South Devon Railway Gifts and Models respectively. It is owed by South Devon Railway Limited and incorporated in England and Wales with company number 12059280.
South Devon Railway Engineering Ltd. is the company that undertakes outside contracted engineering work on behalf of the South Devon Railway. It is owned by South Devon Railway Trust and is incorporated in England and Wales with company number 06667353.
South Devon Railway Road Services Ltd. is the company that operates our London Routemaster Bus RM1872, it is incorporated in England and Wales with company number 08011082.
The registered office of the companies listed above is:
The Station, Dart Bridge Road, Buckfastleigh, Devon, TQ11 0DZ
The South Devon Railway is a data controller of the personal information we process in relation to our business activities and we are responsible for your personal data.
We are bound by applicable data protection laws in respect of the handling and collection of your personal data and are registered as a data controller in England and Wales, with the Information Commissioner’s Office (ICO) under the following ICO numbers:
- South Devon Railway Limited – Z2673305
- South Devon Railway Trust – Z267328X
- South Devon Railway Engineering Ltd. – ZA631393
- South Devon Railway Retail and Catering Ltd. – ZA635024
In this privacy statement references to “South Devon Railway”, “we”, “us” or “our” should be taken to include all of the companies listed in the ‘Who we are’ section, except where explicitly stated as otherwise.
5. What data we collect about you and how we collect it
We will collect and use your personal data. Personal Data or Personal Information means any information which identifies you, or which can be identified as relating to you personally, such as your name, address, phone number, email address or member or account number. It does not include data where the identity has been removed (anonymous data) or data relating to a corporate entity.
We only collect the personal data we need and we make it clear at the point of collection why we are collecting it.
The personal data you give us may include your name, title, address, date of birth, age, gender, employment status, demographic information, email address, telephone numbers, personal description, photographs, CCTV images, attitudes, opinions, usernames and passwords.
We have grouped together the information we process into the following sections based on when we collect them.
Visitors to Our Website
We may collect and process personal data about you in the following circumstances:
- when you complete forms on our website (“Site”). This includes your name, address, email and telephone number, which is provided at the time of registering to use our Site, where you ask us to contact you about our goods or services or subscribe to our mailing list;
- whenever you provide information to us when reporting a problem with our Site, making a complaint, making an enquiry or contacting us for any other reason. If you contact us, we may keep a record of that correspondence;
- details of your visits to our Site including, but not limited to, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise, and the resources that you access (see section on Cookies below); and
- whenever you disclose your information to us, or we collect information from you in any other way, through our Site.
We may also collect data in the following ways:
- IP Address – We may collect information about your device, including where available your Internet Protocol address, for reasons of fraud protection. We may also collect information about your device’s operating system and browser type, for system administration and to improve our Site. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual.
We may use your personal data for our legitimate interests in order to:
- provide you with information, or services that you requested from us;
- allow you to participate in interactive features of our Site, when you choose to do so;
- ensure that content from our Site is presented in the most effective manner for you and for your device;
- improve our Site and services;
- process and deal with any complaints or enquiries made by you; and
- contact you for marketing purposes where you have signed up for these.
Our Site may, from time to time, contain links to and from the websites of third parties. Please note that if you follow a link to any of these websites, such websites will apply different terms to the collection and privacy of your personal data and we do not accept any responsibility or liability for these policies. When you leave our Site, we encourage you to read the privacy notice/policy of every website you visit.
We may collect and use personal information such as your name and contact details when you make any enquiries with us via any method including our website, by phone, email or letter. We will process this data to answer your enquiry and may retain it for future reference regarding the enquiry.
We may share your personal data with third parties only if it is required as part of the enquiry.
We will collect details such as your name, address, phone number and email address when you order goods or services from us either via any method including: our Site or linked social media sites / other third party partner sites, by phone, email or letter, or by any other method. We will use this information to process your order and comply with our contractual obligations.
In order to perform our contract with you, we may also need to share personal data with third parties such as payment providers and postal service organisations to assist in the delivery of goods or services you have ordered; this could include EDI partners, third party couriers, or warranty providers.
We may also advertise your feedback on our website and marketing materials (subject to obtaining your prior consent where necessary);
We hold and process these details under the lawful bases of Performance of Contract and Vital Interest.
We need to process these details to fulfil our Contract with you, ie to supply you with the goods you have ordered.
We will retain your information for up to 7 (seven) years after the date on which you placed your order. This is to protect our Vital Interests in respect to any disputes in relations to your rights under the Consumer Rights Act 2015. Where you have subscribed to receive marketing correspondence from, us we will keep your personal data until you withdraw your consent.
We will collect details such as your employee names, telephone numbers and email addresses in order to contact you about goods or services ordered with you, to place further orders and to pay you for the goods and/or services supplied. We will keep the personal data for 7 (seven) years further to being provided with the goods/services.
Employees, Volunteers and Supporters
Employees, volunteers and supporters are regarded the same as any other individual when using any of our public online services such as our website or online store.
We may collect and use ‘sensitive personal data’ on our employees and volunteers. Sensitive Personal Data is defined as information about racial or ethnic origin, political opinions, religious or other similar beliefs, trade union membership, physical or mental health, sexual life, and criminal allegations, proceedings or convictions.
If you volunteer at the South Devon Railway we may collect extra information about you. This information could include references, criminal records checks, details of emergency contacts, medical conditions and competence records. We will hold this information for legal and regulatory reasons, to protect us and you including in the event of an insurance or legal claim, and for safeguarding purposes.
We may collect and use financial information of employees and volunteers; for example, bank account details, in order for us to remit any payments such as wages or expenses.
Some of our buildings and property have Closed Circuit Television (CCTV) installed and you may be recorded if when you visit us.
CCTV is used to provide security and protect both our staff and visitors and the South Devon Railway. CCTV will only be viewed when necessary (for example, to detect or prevent crime) and footage is stored for a set period of time, after which it is recorded over. The South Devon Railway complies with the Information Commissioner’s Office CCTV Code of Practice and we put up notices so you know when CCTV is used.
Children's personal data
We may collect certain personal data on children under 18 for certain services we offer, such as Santa trains where we may collect names and ages to personalise their experience. This information must be provided with the express permission of a parent or legal guardian. We will only use this information for the purpose of delivering the agreed service.
We may use aggregated data, that does not identify individuals, for the delivery of, or to improve, our future services. An example could be calculating how many children of a certain age range were on our Santa trains to order enough appropriate gifts.
We may collect personal data of children under 18 who register on our website, which is only available to people aged 13 and over or if they sign up to receive our newsletter. They are able to withdraw their consent for this at any time by contacting us, unregistering from our website or unsubscribing from our newsletter.
Employment and volunteering opportunities
We don’t want to exclude under-18s from opportunities to support our work through employment opportunities such as work experience or apprenticeships or by volunteering. We may therefore need to collect and store their personal information as set out in the volunteering and employment sections of this document. Children should always ask a parent or guardian for permission before sending personal information to anyone online.
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but has been anonymised and is not considered personal data in law as this data does not directly or indirectly reveal your identity. As an example, we may aggregate your Usage Data to analyse the usage of specific features of our website or services we offer. If we ever combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, the combined data will be treated as personal data and will only be used in accordance with this privacy statement.
Other generated data
We may conduct research and analysis on the information we hold which can in turn create further personal data. For example, by analysing your interests and involvement with us we may be able to build a profile which helps us send you communications that are likely to interest you. The sections Research and Profiling give more detail about how we use information for profiling and targeted advertising, including giving you more relevant digital content. We use this information to identify ways in which you could support the South Devon Railway and invite you do to so if appropriate.
This analysis may be carried out by us or by third party organisations working for us.
6. How we use your personal data
We will only process your personal data in accordance with the Data Protection Act 2018 (GDPR) and under the following legal bases:
Performance of Contract
We will process your personal data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract. For example, when you place an order on our online shop, we will process your personal data so that we can deliver the products you ordered.
We will process your data when it is in our vital interest. An example could be that we will retain your details if you place an order via our online store, this is so we can resolve any problems if any goods were to develop a fault, or to email you if there was a product recall, and to defend ourselves in case of disputes.
We may process your personal data if it is in our legitimate interest to conduct and manage our business. This could include processing your personal data to enable us to improve our products/services. Before we process your personal data for our legitimate interests we always consider and balance any potential impact on you (both positive and negative) and your rights. We will not use your personal data for activities the impact on you outweighs our interests (unless we have your explicit consent or are otherwise required or permitted to by law).
This is where we have obtained your explicit consent to process your personal data. Your Consent must be given freely, and you must be informed of exactly what you are consenting to. You must provide a definite indication of that you consent to us processing your personal data (this is often demonstrated by you ticking a box). Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending our newsletters and/or marketing material to you via email, post, phone, text message and social media. You have the right to withdraw consent to newsletters and/or marketing at any time by contacting us (please see the ‘Opting Out / Unsubscribing’, the ‘Withdraw consent at any time’ and the ‘CONTACT’ sections).
Legal or Regulatory Obligation
This is where we have to process your personal data for compliance with a legal or regulatory obligation that we are subject to.
We may process your personal data for more than one lawful base depending on the specific purpose for which we are using your data.
The exact manner of our processing will always be dependent on the nature of our relationship with you and how you interact with us, as well as other factors. Below are the main ways we will use your data. To make it easier to understand, we have group them into activities.
Providing our services to you
Mail order purchases
Mail order purchases include any orders placed via our website, over the phone or in our physical store that we are required to deliver.
We will process your personal data under the legal base of Performance of Contract. This means that we have to process your personal data to perform the obligations of the contract between us and you – delivering your order to you.
We may share your data with third party service providers to allow us to perform our obligations to you. For example, we may share your address and contact details with a courier so that they can deliver your order and contact you if there are any issues.
We will retain your information, relating to your order, for up to 7 (seven) years after the date on which you placed the order. This is to protect our Vital Interests in respect to any problems in relations to your rights under the Consumer Rights Act 2015.
We offer many ticketed services, both online and in person at the South Devon Railway, as well as group bookings, education bookings, diner bookings, weddings and other ad hoc events and services.
Some of our booking services may require personal information, such as name, contact details and any food allergies for us to be able to provide the service to you. We will only process relevant information under the legal base of Performance of Contract.
We may share your data with third parties to allow us to perform our contractual obligations. For example, if you have booked a ticket on our dining train, we may share your name, menu choice and any food allergies with our catering provider.
We will process the personal data of customers who voluntarily purchase Gift Aid tickets, the donor’s name and address are submitted securely to HMRC and need to be retained in line with HMRC’s requirements.
Primarily our marketing communications are in the form of electronic newsletters, but we may use any medium, physical or digital, to send you information that we think will be of interest to you.
If you agree to receive marketing communications from us, we will hold and process your personal data under the legal base of consent. You can always change your mind at a later date; if you no longer want to receive marketing communications from us, please see the information in the “Your data protection rights” and “withdrawal of consent” sections.
We will never share your information with companies outside the South Devon Railway who want to use it for their marketing.
Fundraising, donations and bequests
Where we have your consent, we may invite you to support the South Devon Railway by making a donation, getting involved in our fundraising activities or by leaving a gift in your will.
As a charity that is reliant on fundraising income, it is in our legitimate interests to use personal information in the ways described below, to help us understand our supporters and potential supporters, tailor our communications and use our resources effectively:
- We may invite supporters to attend events where they can find out more about the ways donations and gifts in wills make a difference. We may keep a record of which events you are invited to and whether you were able to attend.
- If you make a donation to the South Devon Railway, we will use your personal information to record the nature and amount of your gift, to claim Gift Aid where you have told us you are eligible, and to thank you for your gift. We may make notes of anything else relevant and store this securely on our systems.
- If you inform us that you plan to fundraise to support our cause, we will use your personal information to record your plans and contact you to support your fundraising efforts.
Charity Commission rules require us to know where funds have come from, as well as any conditions that may be attached to them. We may request additional information in order to fulfil this obligation particularly for donors who have made, or are likely to make, a significant donation to the South Devon Railway.
We may also carry out research using publicly available information and professional resources.
We may use your aggregated information to help us understand the profile of our supporters. We do this so that we can target our communications more effectively in future and use our resources as cost effectively as possible.
We are committed to looking after your data carefully and we store your personal data on our secure systems. If you are attending a meeting or event, we may need to share some basic information about you with staff, Trustees or advocates who are helping us to fundraise on a voluntary basis. It is only shared with those who need to know the information for the purposes set out in this privacy notice, when they need to know it.
If you want to change whether or how you hear from us, or have any questions about the data we hold or how we long we hold it, please contact us at email@example.com.
Gifts in wills
If you have advised us that you have left a gift in your will, or are thinking about doing so, we will keep details of this. We may make notes of any conversation or interaction with you (or with someone who contacts us in relation to your will, such as your solicitor), to ensure we direct your gift as you wanted.
Where a donor has passed away and we are in the process of receiving their legacy gift, we will process personal data of individuals involved in the estate administration for the purpose of ensuring our compliance with legal obligations in receiving and using the legacy gift for our charitable purposes. Access to this personal data is restricted and stored for as long as necessary to administer the legacy. More detailed information about use of personal data for this purpose is provided to the estate Executors, Trustees or their professional advisors during the legacy administration process and can be found below.
We rely on legitimate interests to process personal data of individuals involved with the supporter and their estate. Where we would like to process data that is not for the direct purpose of the legacy administration process, we will seek specific consent from an individual – for example, if we would like to remain in contact with a donor’s relative to update them on how the legacy has been used to benefit a specific area of our work.
Where we collect personal data from:
- Executors, Trustees, solicitors and any other professional third party instructed in the legacy administration process.
- Copies of wills either provided by Executors, Trustees or other professionals acting in the administration, or publicly available online.
- Other co-beneficiary charities that have a similar interest to us under the will
- The public domain
Whose personal data we collect:
- Donors who have left us a gift in their will
- Employees of organisations that we need to communicate with during the administration process including charity legacy officers, solicitor employees, estate agents etc.
- Executors of the estate and Trustees of Will Trusts, who may be family or friends of the donor, or a professional advisor such as a solicitor, accountant or banker.
- Other individuals named as beneficiaries in a will, including those who have a life interest in an ongoing Will Trust.
- Next of kin and or family members that we seek permission to thank and report on the progress of a legacy gift and how it has benefited the South Devon Railway.
What data do we collect for gifts in wills:
- Home address and contact details
- Co-beneficiaries’ level of entitlement to any gifts or share of an estate in which we receive a benefit.
- Telephone, email, internet, fax, instant messenger use or other electronic communication details where provided to us.
- Sensitive personal information such as health status, if it is pertinent to the legacy case and there is a clear reason for doing so.
How do we use gifts in wills data?
We will only use personal information for the purposes of the legacy administration process, the purposes for which it was obtained. For example we will not use personal data to market or fundraise from the Executor or next of kin without their express consent to do so.
We only share your information internally where it is directly relevant to those who need to know, when they need to know it.
We may need to share your information with ‘data processors’ such as associated organisations and agents who provide us with a legacy administration service or other charity beneficiaries who have a similar interest to our own. These ‘data processors’ will only act under our instruction for use and security of your data.
How do we store gifts in wills data?
Personal data is stored on our electronic case management system and restricted access directory. Any paperwork containing personal data is kept to a minimum, locked away when not in use and securely destroyed when no longer needed. Our systems are subject to South Devon Railway security policies.
Personal data is held for as long as is necessary to ensure our legal entitlement is administered without challenge. Some legacy administration cases can be ongoing for long periods. There may be some cases where a longer retention period is required, for example were the where we are acting as Executor or Administrator and have an ongoing duty to comply with conditions attached to the gift.
If you volunteer with us, we need to use your personal data to manage your volunteering. This starts from your enquiry into volunteering and, depending on the information, may continue for some time after you finish volunteering with us.
This personal information is held under the legal bases of legitimate interest and legal or regulatory obligation. You must provide us with this information in order to volunteer with us.
Uses of your personal information could include:
- contacting you about a role you have said you might be interested in
- contacting you with health, safety and regulatory information
- contacting you for other legitimate company needs, such as to see if you are available to help us cover a shift
- recording shifts you have worked, or are going to work
- recording evidence of any training, competence and qualifications you undertake with us or with a third party
- recording your fitness to work
- contacting your next of kin in an emergency
- recognising your contribution
- asking for your opinions on your volunteering experience
- processing expense claims you have made
Due to the nature of what we do and the strict regulations that we have to adhere to, certain pieces of your personal data will be kept, and could be processed, for many years after you have finished volunteering with us.
From time to time we carry out research with our supporters, customers, staff and volunteers to get their feedback. We use this feedback to improve the South Devon Railway and the experiences we offer.
If you choose to take part in our research, we will tell you when you start what data we will collect, why and how we will use it. All the research we conduct is optional and you can choose not to take part. For some of our research we may ask you to provide sensitive personal data (for example, ethnicity). You do not have to provide this data and we also provide a ‘prefer not to say’ option. We only use it at an aggregate rather than individual level (for example, for reporting on equal opportunities).
We may give some of your personal data (for example, contact information) to a research agency so that they can carry out research on our behalf.
As a charitable organisation it is important that we use our resources in a responsible and cost-effective way. To help us with this we use profiling and targeting to understand our supporters and make sure that:
- our communications (for example, emails) and services (for example, our website) are relevant, personalised and interesting to you;
- our services meet the needs of our customers and supporters;
- we only ask for further support and help from you if it is appropriate;
- we use our resources responsibly and keep our costs down.
To do this we analyse how you interact with us (for example, on our website) and use both geographic and demographic information understand your interests.
The personal information we collect may include transactional information, for example order numbers for online ticket and shop purchases, donations, and membership information. We also collect your activity data on when you create or log into our website.
Much of the information we collect is aggregated, which means you are not identifiable at an individual level. However, we may also collect some personal data to personalise your experience, tailor our marketing campaigns to your interests, and ensure the website is functioning as we want it to.
If you have agreed that we can contact you for marketing purposes, we may also gather additional information about you to customise your experience.
Data Aggregation is any process in which information is gathered and expressed in a summary form, for purposes such as statistical analysis. A common aggregation purpose is to get more information about particular groups based on specific variables such as age, profession, or income.
We may also use personal data to create profiles which help us target our communications, to you and to other people. For example, we may use your personal data to find online users with a similar profile to you who may also be interested in our products or services.
We may sometimes use third parties to capture some of your data on our behalf, but only where we are confident that the third party will treat your data securely, in accordance with our terms and in line with the requirements set out in the GDPR.
Recruitment and employment
If you work for us, or apply for a job with us, we will process your personal data, including sensitive personal data, to comply with our contractual, statutory and management obligations and responsibilities.
This data can include, but is not limited to, information relating to your health, racial or ethnic origin, and criminal convictions. In certain circumstances, we may process personal data or sensitive personal data without explicit consent. You can find further information on the data we collect and why below.
Our contractual responsibilities include those arising from a contract of employment. This includes, but is not limited to, data relating to: payroll, bank account, postal address, sick pay, leave, maternity pay, pension and emergency contacts.
Our statutory responsibilities are those imposed by law on us as an employer. This includes, but is not limited to, data relating to: tax, national insurance, statutory sick pay, statutory maternity pay and family leave.
Our management responsibilities are those necessary for the way the organisation functions. This includes, but is not limited to, data relating to: recruitment and employment, training and development, absence, disciplinary matters and contact details.
Use of sensitive personal data
In certain circumstances, we may legally collect and process sensitive personal data without requiring the explicit consent of an employee or volunteer.
(a) We will process data about an employee’s health where it is necessary, for example, to record absence from work due to sickness, to pay statutory sick pay, to make appropriate referrals to the Occupational Health Service, and to make any necessary arrangements or adjustments to the workplace in the case of disability. This processing will not normally happen without the employee’s knowledge and, where necessary, consents.
(b) We will process data about, but not limited to, an employee’s or volunteers racial and ethnic origin, their sexual orientation and their religious beliefs, but only where they have volunteered such data and only for the purpose of monitoring and upholding our equal opportunities policies.
(c) We will hold data about an employee’s or volunteer’s DBS Check as necessary.
7. If you fail to provide personal data
Where we need to collect your personal data by law, or to satisfy a contract we have, or are trying to enter into, with you and you fail to provide that data when requested, we may not be able to fulfil that contract. For example, if you do not provide us with your address, we will not be able to deliver your order to you. In this case, we may have to suspend or cancel our contract with you, we would notify you if this were the case.
8. How we share your personal data
We will never sell your personal information to a third party.
We may share your information with partners to allow them to perform services on our behalf. Where applicable we have contracts in place with our suppliers, which require them to comply with the Data Protection Regulation Act (2018) and The Privacy and Electronic Communications Regulations (or PECR), and to have robust systems and processes to protect the security of your information.
Below are some examples of the types of organisations with which we may share your data:
- Third party service providers – enable us to fulfil some of our services, such as couriers, online ticketing and newsletter software.
- Partner organisations – we have many partner organisations at the South Devon Railway including locomotive owner, and support groups.
- Analytics partners – to enable us to track the effectiveness of our website.
- Website and app partners – to help us develop websites and apps that give you the best possible online experience.
9. Data security
We want to keep our customers, volunteers, employees, members and contractors safe; the security of your data and of our information systems is incredibly important to us.
We have put in place appropriate security measures, such as SSL technology, to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. You can check this when you enter information on our website by right clicking on the padlock icon in the address bar.
We limit access to your personal data to those employees, agents, contractors and other third parties who have a legitimate business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
Our staff complete information security and data protection training to reinforce their responsibilities and requirements.
The South Devon Railway is based in the UK and where possible that is where we store most of your data. We would prefer to keep all data within the UK, but this is not always possible so some of our services are provided by third party organisations who may transfer your data outside the UK and European Economic Area.
We only work with third party service providers who are GDPR compliant to ensure that your data is protected. Any data transferred outside the EEA will be adequately protected in accordance with US Privacy Shield or Standard EU contractual clauses.
Payment card security
The South Devon Railway has an active PCI-DSS (Payment Card Industry Data Security Standard) compliance programme. This is the stringent international standard for safe card payment processes. As part of our compliance, we ensure that our IT systems do not directly collect or store your payment card information, such as the full 16-digit number on the front of the card or the security code on the back.
Our online payment solutions are carried out using a ‘payment gateway’ (such as Paypal) which is a direct connection to a payment service provider. This means that when you input card data into the payment page, you are communicating directly with the payment service provider who will process your payment and send the funds to us. This means that your payment card information is handled only by them and not processed or held by us.
10. Data retention periods
How long we store your data for does depend on the what the data in question is, what it is being used for and any statutory legal requirements, directly or indirectly, requiring its retention.
We will only use and store your information for as long as it is required for the purposes it was collected for.
Please contact us if you require specific details regarding our data retention periods.
11. Your legal rights
Individuals have certain rights over their personal data and data controllers are responsible for fulfilling these rights. Where we decide how and why personal data is processed, we are a data controller and have provided further information about the rights that individuals have and how to exercise them below.
Access to personal data
You have a right of access to your personal data that is held by us as the data controller. This right may be exercised by emailing us at firstname.lastname@example.org, or by writing to us at:
Data Protection Officer,
South Devon Railway,
Dart Bridge Road,
You may be asked to provide the following details to enable us to process your request:
- The personal information you want to access
- Where it is likely to be held
- The date range of the information you wish to access.
We will need you to confirm your identity. If we hold personal information about you, we will provide you with a copy of the information in a machine-readable format together with an explanation of why we hold and use it. We will aim to respond to any requests for information promptly, and in any event within the legally required time limits (30 days). This timeframe may be extended by up to two months if your request is particularly complex.
Withdrawal of consent
Where you have given consent for the South Devon Railway to use your personal data, you have the right to withdraw that consent at any time. You also have the right to ask us to stop using your personal data for direct marketing purposes. To stop receiving our marketing emails, please click on the unsubscribe link that can be found in any marketing emails received from us.
Amendment of personal data
You can update or amend your personal data at any point via your ‘My Account’ page on our website or via HOPS if you are a volunteer.
Once you have informed us that any personal data we are processing is no longer accurate, we will make corrections, based on your updated information, as soon as practicable.
You may alternatively:
Call us on 01364 644 370 (normal call rates apply) during normal office opening hours and speak to a member of our team, or
Write to us at:
South Devon Railway
Dart Bridge Road,
We will update or amend your personal data within 30 days of receipt of your request.
Other data subject rights
12. What to do if you are not happy
In the first instance, please talk to us, so we can try to resolve any problem or query and make improvements where necessary. You can send us an email with the details of any data protection complaint to email@example.com. We will respond to any complaints we receive.
You have the right to contact the Information Commissioner’s Office (“ICO”) (the UK data protection regulator). For further information on your rights and how to complain to the ICO, please refer to the ICO website – https://ico.org.uk
The Which? website – https://www.which.co.uk/consumer-rights/regulation/gdpr-data-protection-act – is also a very good source of information for consumers, in an easy to understand format.