Privacy & Cookie Policy

We recognise that your privacy is important, and we are committed to protecting the Personal Data that we collect from you. The Bluebell Railway comprises the Bluebell Railway Preservation Society (BRPS), Bluebell Railway plc, the Bluebell Railway Trust (reg’d. Charity no. 292497) and their subsidiary supporting groups, all being at Sheffield Park Station, Nr. Uckfield, East Sussex TN22 3QL, tel. (01825 720800).

Personal Data is managed in accordance with the UK Data Protection Act 2018, the General Data Protection Regulations (GDPR) and the Privacy and Electronic Communications Regulations (PECR).

The Bluebell Railway will never sell your Personal Data, or otherwise use your data for the benefit of outside parties. We do not use your Personal Data for automated decision making, profiling, screening or other similar processes. We will only use your data for purposes reasonably required in the ordinary course of Bluebell Railway activity. This Privacy & Cookie Policy outlines the types of Personal Data that we may collect, how that Personal Data will be used, disclosed, transferred and stored, and sets out the measures that we take to comply with the above Acts and Regulations.

COLLECTION OF PERSONAL DATA

The Bluebell Railway will only collect and hold Personal Data about you that is reasonably necessary to undertake our normal activities and functions, or as otherwise permitted by law.

Why we collect Personal Data

We may collect your Personal Data for one or more of the reasons outlined below. We will use Legitimate Interest as the legal basis for so doing, excepting where under GDPR we are required to seek your express consent.

  • Providing our membership services to you including newsletters, and information about events and fundraising.
  • To assist with your queries.
  • Processing a booking or application that you have made.
  • Acting as your agent if you request us to do so.
  • For appropriate surveys, direct marketing, promotions or competitions.
  • Facilitating our internal operations including the fulfilment of any legal or regulatory requirements.
  • Analysing our services and member/ customer needs with a view to developing new and/or improved products and services.
  • For Bluebell Railway employees, volunteers, contractors and suppliers, as is reasonably and/or legally necessary.

How we collect your Personal Data

We generally collect Personal Data directly from you, through the use of any of our standard forms, over the internet, via email or through a telephone conversation with you. We may also collect Personal Data from third party contractors or agents who provide our products and services on our behalf.

What kinds of Personal Data we collect

You are under no legal obligation to provide your Personal Data. The types of Personal Data that we collect may include your name, address, email address, social media address or other contact details and such other information that is relevant for us to provide our products and services to you in the manner that you have requested, or to comply with the law.

We do not generally collect sensitive information from you. However, if you provide such information to us, we will only collect that information with your express consent and only where such information is reasonably required in order for us to provide our products or services to you (such as special access or an assistance requirement due to a health condition). We shall not disclose sensitive data to any other party beyond necessary third-party contractors or agents without your consent.  We will hold your Personal Data as current for up to two years after its last active use or to legally required timescales (whichever is the longer), after which your Personal Data will be archived and not used or maintained, unless you contact us further.

Cookies

If you access our websites or any mobile applications (“apps”), we may collect additional Personal Data about you including:

  • Server address/ IP address
  • Date and time of visit
  • Pages visited
  • Documents downloaded
  • The site you visited prior to visiting our website
  • The browser that you are using to access our website
  • If you have visited our website before
  • Tracking user preferences
  • Location data

Our website automatically deploys a cookie on your computer when you arrive at our website, provided cookies are not blocked by your browser. The main purpose of cookies is to monitor usage of our websites and apps to prepare customised web pages so that we may serve you more effectively. This is anonymised and cookies are not used to collect personal information. You may wish to configure your browser so that it does not accept cookies, however you may not be able to access some functions on our websites or apps if they are disabled.

We use Google Analytics, a third party service, to collect standard anonymised internet log information and details of visitor behaviour patterns.  We do this to monitor activities such as the number of visitors to various parts of our website. This information is only processed in a way which does not identify website visitors. This anonymised data is kept indefinitely. For more information about Google Analytics see www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time.

We use Facebook Pixel on our website. Facebook Pixel is a tracking code which allows us to track and monitor the success of advertisements we use on Facebook and to improve the effectiveness of those advertisements by recording information such as the device you used to access our website and the actions you took on our website using cookies. We may also use Facebook Pixel to create retargeting advertisements and custom audiences for our advertisements on Facebook. You can find out more about  how Facebook handles information they collect about you and other individuals by accessing their privacy policy, which is available here: https://www.facebook.com/about/privacy

Where social media channels are used, the platform providers’ terms, privacy and cookie arrangements will apply.

You might also want to visit www.aboutcookies.org which provides instructions on how to block cookies on all the major browsers. This site also explains how you can delete cookies that have already been stored on your computer as well as general information about cookies.

Failure to provide Personal Data

If the Personal Data you provide to us is incomplete and/or inaccurate, or you chose not to provide us with the Personal Data that we have requested, it may affect our ability to provide you with our products and services.

DEALING WITH PERSONAL DATA

Legitimate Interest

We will use Legitimate Interest as the legal basis for holding and processing your Personal Data, where this is assessed to be appropriate under the terms of the General Data Protection Regulations. In other instances, and for all ‘new’ individuals’ Personal Data from 25 May 2018 onwards, we will require positive consent before holding and processing such data.

Use and Disclosure

In order to provide products and services to you we may disclose your Personal Data to:

  • Between the Bluebell Railway entities, being Bluebell Railway Preservation Society, Bluebell Railway plc, The Bluebell Railway Trust, and their subsidiary supporting groups. This will include updating your details where held (e.g. for change of address)
  • providers, contractors, agents or other appropriate partners who assist us in providing our products and services to you
  • External providers of services where you have engaged us to act as your agent
  • Other service providers, who provide the various services that you have requested and we have arranged
  • Where we are required to disclose such information under law
  • Other parties with your consent and direction.

We will only provide such Personal Data to those third parties as required to provide our products or services, unless otherwise authorised by you or required under law. Your Personal Data will not be used for automated decision-making, profiling or screening.

Handling your Personal Data overseas (where necessary)

The provision of products or services including online ticket orders, eNewsletters and emails may involve Personal Data being provided to or via necessary third parties outside the UK. By engaging us to provide products and services to you and/or providing us with your Personal Data, you consent to the disclosure of your Personal Data outside the United Kingdom (UK), and acknowledge that we are not required to ensure that overseas recipients handle your Personal Data in compliance with UK Privacy law. However, we will only disclose your personal data where we are satisfied the privacy arrangements of the third party satisfactorily comply with the Bluebell’s privacy policy. For the EU this requires compliance with the EU GDPR. For the United States, this will include protection under “Privacy Shield” arrangements with the UK. Appointed data processors in other countries will be required to agree to the Bluebell’s Privacy & Cookie Policy.

CCTV and webcams

We employ CCTV at some of our stations and workshops in order to:

  • prevent, deter and detect crime
  • apprehend and prosecute offenders, and provide evidence to take civil action in the courts
  • help provide a safer environment for our staff
  • protect public safety
  • help to provide improved customer service, for example by enabling staff to see customers requiring assistance
  • monitor operational and safety related incidents
  • assist with the verification of claims

You have the right to make a Subject Access Request for CCTV images of yourself and to ask for a copy of them. You will need to complete an application form provided by us in order for us to establish your identity as the person in the pictures and assist us in finding the images in our system. See ‘Access and Correction’ below.

We reserve the right to withhold information where permissible by the General Data Protection Regulations and we will only retain CCTV images for a reasonable period or as long as is required by law. In certain circumstances we may need to disclose CCTV images for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to the GDPR.

We have installed webcams at our stations and other sites of interest, for viewing and enjoyment via our website by the general public. The fixed cameras do not ’track’ individuals, and the images are not recorded or stored.

INTEGRITY OF PERSONAL DATA

Security

The security of your Personal Data is important to us. We may store your Personal Data in different ways, including in paper form, electronic form, telephone recordings and utilising secure document retention services (including those located offsite). We take all reasonable measures to ensure that your Personal Data is stored safely to protect it from misuse, loss, unauthorised access, modification or disclosure, including electronic (firewalls and access controls) and physical security measures.

Links to other websites

Our websites or apps may contain links to other websites. We are not responsible for the security or privacy of any information collected by third party websites or other services. You should exercise caution and review the privacy statements applicable to the third-party websites and services you use.

ACCESS AND CORRECTION

You may request access (a Data Subject Access Request) to the Personal Data that we hold about you at any time by contacting our Data Protection Officer using the details set out in this Privacy Policy. We will respond to any such request for access within a reasonable timeframe and will provide you with access to the Personal Data we hold that belongs to you, unless we are authorised not to do so by law. We may charge you a reasonable fee for processing your request and should we decline you access to your Personal Data we will provide you with a written explanation setting out the legal reasons for doing so.

Correction and Erasure

If, upon receiving access to your Personal Data, or at any other time, you believe the Personal Data that we hold about you is inaccurate, incomplete, out of date or should be erased, please notify our Data Protection Officer using the details set out in this Privacy Policy.

Where you notify us that your Personal Data is inaccurate or incomplete, out of date, should be erased, should be transferred to a third party at your request (Data Portability), or you with withdraw your Consent, we will take reasonable steps to correct or process the data unless we are authorised not to do so by law. Should we decline your request to correct your Personal Data we will provide you with a written explanation setting out the legal reasons for doing so.

CONTACTING THE BLUEBELL RAILWAY

Contact Details

Email: data.protection@bluebell-railway.com

Tel: 01825 720800

The Data Protection Officer

Bluebell Railway

Sheffield Park Station

Nr. Uckfield

East Sussex  TN22 3QL

 

Feedback

If you have any comments, queries or concerns about our Privacy & Cookie Policy or the way in which we handle your Personal Data, please contact our Data Protection Officer using the details set out in this Policy.

Complaints

Should you believe that we have not fulfilled our obligations under the GDPR or the PECR (as applicable), have not complied with the terms of our Privacy & Cookie Policy, or you would like to appeal a decision made by us relating to your Personal Data, you can make a complaint in writing to our Data Protection Officer using the details set out in this Policy. We will respond to you within a reasonable period of time to acknowledge your complaint and inform you of the next steps we will take in dealing with your complaint.

If you are unhappy with a response that you have received from the Bluebell Railway, you have the right to direct your complaint to the Information Commissioner’s Office, at ico.org.uk or tel. 0303 123 1113 (local rate) or by post at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

AMENDMENTS TO THIS PRIVACY & COOKIE POLICY

We may amend this Privacy & Cookie Policy at any time. Amendments to this Policy will be posted on our websites and will be effective when posted. We encourage you to check our website regularly for any updates to this Privacy Policy.

6th May 2018 (updated 22 Feb 2021 re 1) Cookies and 2) webcams).