This GDPR Policy outlines Tanfield Railway Company LTD's commitment to protecting the personal data of individuals in accordance with the General Data Protection Regulation (GDPR) (Regulation 2016/679).
Tanfield Railway Company LTD is the data controller for the purposes of the GDPR.
This policy applies to all personal data processed by Tanfield Railway Company LTD, including but not limited to:
Customer Data: Names, addresses, contact details, payment information, booking history, preferences, and any other information collected during the booking process.
Employee/Volunteer Data: Names, addresses, contact details, employment/volunteer history, payroll information, and any other information relevant to their engagement.
Supplier Data: Names, addresses, contact details, and any other information necessary for business relationships.
Website Visitor Data: IP addresses, browsing history, and other information collected through website analytics.
Tanfield Railway Company LTD processes personal data lawfully, fairly, and transparently. We ensure that personal data is:
Processed lawfully, fairly, and transparently in relation to the data subject.
Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accurate and, where necessary, kept up to date.
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Tanfield Railway Company LTD processes personal data on one or more of the following lawful bases:
Consent: Where individuals have explicitly consented to the processing of their personal data.
Contract: Where the processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.
Legitimate Interests: Where the processing is necessary for the legitimate interests pursued by Tanfield Railway Company LTD or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Legal Obligation: Where the processing is necessary for compliance with a legal obligation to which Tanfield Railway Company LTD is subject.
Individuals have the following rights under the GDPR:
Right of Access: The right to obtain confirmation of whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data.
Right to Rectification: The right to obtain the rectification of inaccurate personal data concerning them.
Right to Erasure ("Right to be Forgotten"): The right to obtain the erasure of personal data concerning them under certain circumstances.
Right to Restriction of Processing: The right to obtain restriction of processing of personal data concerning them under certain circumstances.
Right to Data Portability: The right to receive their personal data in a structured, commonly used, and machine-readable format and transmit those data to another controller.
Right to Object: The right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on legitimate interests.
Rights in Relation to Automated Decision-Making, including Profiling: The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
Tanfield Railway Company LTD implements appropriate technical and organisational measures to ensure the security of personal data, including:
Access Control: Limiting access to personal data to authorised personnel on a need-to-know basis.
Data Encryption: Encrypting sensitive data both in transit and at rest.
Regular Security Audits: Conducting regular security audits and penetration testing to identify and address potential vulnerabilities.
Employee/Volunteer Training: Providing employees/volunteers with training on data security best practices.
Incident Response Plan: Having a plan in place to respond to any data breaches or security incidents.
Tanfield Railway Company LTD retains personal data only for as long as is necessary for the purposes for which it was collected. We have data retention policies in place for different categories of personal data.
Tanfield Railway Company LTD may transfer personal data to countries outside the European Economic Area (EEA). In such cases, we ensure that appropriate safeguards are in place to protect the rights and freedoms of data subjects, such as the use of Standard Contractual Clauses approved by the European Commission.
For any questions or concerns regarding this GDPR Policy or the processing of your personal data, please contact:
Chris Walker
chris.walker@tanfield-railway.co.uk
Tanfield Railway Company LTD utilises Closed Circuit Television (CCTV) surveillance systems in certain areas of its premises for the purposes of:
Public safety: To deter and detect crime, and to assist in the identification and apprehension of offenders.
Security: To protect company assets and property.
Incident investigation: To provide evidence in the event of accidents, incidents, or disputes.
CCTV cameras record images and, in some cases, audio.
Footage is stored securely for a limited period, typically 7 days, after which it is automatically overwritten unless required for investigation purposes.
Access to CCTV footage is restricted to authorised personnel, such as the security group.
CCTV footage is only viewed after notification of an incident or alarm activation.
Access: You have the right to request access to CCTV footage that may contain images of you, subject to certain exemptions (e.g., if it would compromise the security of others or ongoing investigations).
Objection: You may object to the processing of your personal data captured by CCTV if you believe it is infringing on your fundamental rights and freedoms.
Prominent signage is displayed in areas where CCTV is in operation to inform individuals that recording is taking place.
Tanfield Railway Company LTD recognizes the importance of protecting the privacy of children. We do not knowingly collect personal data from children under the age of 12 without obtaining verifiable parental consent.
Where we process the personal data of children, we ensure that:
Parental Consent: We obtain verifiable parental consent for the processing of children's personal data, in accordance with applicable laws.
Child-Friendly Language: We provide information to children in a clear, concise, and age-appropriate manner.
Data Minimization: We only collect and process the minimum amount of personal data necessary for the purposes for which it is collected.
Specific Protections: We implement appropriate safeguards to protect children's privacy and online safety.
Tanfield Railway Company LTD may update this GDPR Policy from time to time. Any changes will be posted on our website.
Financial Records:
Financial Statements (Audited):
Retention: 7 years.
Reason: Compliance with UK tax and accounting regulations.
Purchase Invoices:
Retention: 6 years.
Reason: Standard financial record keeping.
Grant Funding Records:
Retention: Varies, often 6-7 years, but check grant terms; some grants may require longer retention periods.
Reason: Compliance with grant provider requirements.
3. Human Resources:
Employee/Volunteer Contracts & Personal Details:
Retention: 6 years after termination of employment.
Reason: Legal and potential dispute resolution.
Payroll Records:
Retention: 6 years.
Reason: Tax and national insurance compliance.
Job applications (unsuccessful):
Retention: 6 months.
Reason: GDPR compliance.
4. Governance:
Meeting Minutes:
Retention: Permanent.
Reason: Official record of the museum's decision-making.
Policy Documents:
Retention: Until superseded, and then retain the old version for a 6-month period.
Reason: Demonstrates compliance and historical policy decisions.
5. Visitor Data:
Visitor Contact Forms (for marketing):
Retention: Only for the period that consent is granted.
Reason: GDPR compliance.
Visitor Details:
Retention: 6 months after their visit.
Reason: GDPR compliance.
CCTV Recordings:
Retention: Short term, 7 days, unless required for an investigation.
Reason: Security purposes.