1. Introduction
This Privacy Notice sets out how Nexus collects, uses and protects any personal data of our customers or other external parties, as well as your rights in respect of such personal data.
Nexus is committed to ensuring your privacy is protected. Information by which you may be identified will only be used in accordance with this Privacy Notice.
Nexus must have a valid lawful basis in order to process personal data. This Notice sets out the lawful basis that applies and also the purposes for which your personal data will be processed.
Nexus may update this Privacy Notice from time to time and will publish an up-to-date copy of the Privacy Notice here. This Notice is effective from October 2022.
2. How we collect personal data
We may collect and process the following data about you:
2.1 Information you give us. You may give us information about yourself by filling in forms on our site www.nexus.org.uk (our site) or by corresponding with us by phone, email, social media, apps or otherwise. This includes information you provide when you register to use our site, register to use our apps, register for a Pop Shop account, subscribe to our services, place an order on our site, and/or enter a competition, promotion or survey and when you report a problem with our site or apps. The information you give us may include your name, social media identifier, address, date of birth, email address and phone number, financial and credit card information, personal description and photograph.
We may also collect a range of personal information during the course of revenue protection activity. This may include name, address, date of birth, proof of ID, journey details, physical descriptions and other information you provide us with.
2.2 Information we collect about you. With regard to each of your visits to our website or apps or when you use the Tyne and Wear Metro and Shields Ferry, we may automatically collect the following information:
- technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our website (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number;
- information about your use of the Nexus website including the detail of your visit i.e. resources you access, pages you use, transactions you engage in;
- information provided by you voluntarily e.g. when you register for updates or purchase a product through our web retail pages;
- information that you provide when you communicate with us;
- information that you provide as you use public transport with your Smartcard, apps or mobile tickets, for instance a record of the journeys you make using your Smartcard; and
- CCTV footage.
Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and allows us to improve our site. For detailed information on the Cookies we use and the purposes for which we use them see our Cookie policy at https://www.nexus.org.uk/website-policies/cookies.
2.3 Information we receive from other sources. We may receive information about you if you use any of the other services we provide. We also work closely with third parties (including, for example, business partners, sub-contractors in technical, ticketing, payment and delivery services, advertising networks, analytics providers and search information providers) and may receive information from them.
3. Why and how we use personal data
Nexus must have a valid lawful basis in order to process your personal data. Nexus will process your personal data because you have provided your consent to the processing of your personal data for one or more specific purposes.
We will also process your personal data where it is necessary for the performance of a contract to which you are party or to take necessary steps at your request subject to entering into a contract.
Nexus will also process your personal data in order to comply with a legal or regulatory obligation.
In relation to personal data processed for revenue protection activity, Nexus will process this as it is necessary for our legitimate interests.
We use information held about you in the following ways:
3.1 Information you give to us. We will use this information:
- to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
- to provide you with information about goods or services we feel may interest you. If you are an existing customer, we will only contact you by electronic means (email or SMS) with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you, and where you have previously consented to this. If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by electronic means only if you have consented to this;
- to notify you about changes to our service;
- to ensure that content from our website is presented in the most effective manner for you and for your computer.
3.2 Information we collect about you. We will use this information:
- to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to improve our website to ensure that content is presented in the most effective manner for you and for your computer;
- to allow you to participate in interactive features of our service, when you choose to do so;
- as part of our efforts to keep our website safe and secure;
- to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you, and where you have consented to this;
- to make suggestions and recommendations to you and other users of our website about goods or services that may interest you or them, where you have consented to this;
- to administer our penalty fare scheme, revenue protection, collection of unpaid fares, fraud prevention, the prosecution of travel offences, prevention and detection of crime including anti-social behaviour and fare evasion.
Nexus, its subsidiaries and service providers, will use your personal information and that of the child named in applications for the purposes of customer services and administration, the provision of travel related information, customer research and fraud prevention. Nexus may contact you before the expiry of any travel concession, to inform you of the ticketing options available from that date.
Information we receive from other sources: We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
4. Special category personal data
Nexus recognises the significance of special category personal data and will only process such information if certain conditions are met. Special category personal data can be defined as information about an individual’s:
- Race;
- Ethnic origin;
- Politics;
- Religion;
- Trade Union membership;
- Genetics;
- Biometrics (where used for ID purposes);
- Health;
- Sex life;
- Sexual orientation.
When processing special category personal data, Nexus will identify a lawful basis and relevant condition to do so and document it accordingly.
5. Disclosure and sharing of personal data
We may share your information with selected third parties including:
- business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you; and
- analytics and search engine providers that assist us in the improvement and optimisation of our site.
We may disclose your personal data to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use (see https://www.nexus.org.uk/website-policies/terms-website-use) or terms and conditions of supply (see https://www.nexus.org.uk/ticket-and-product-terms-use) and other agreements. We may also do so to protect the rights, property, or safety of Nexus, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud detection and protection and revenue protection. This may include sharing personal data as part of the National Fraud Initiative (https://www.nexus.org.uk/national-fraud-initiative).
6. How long do we keep your personal data?
Nexus will keep your personal data only as long as is necessary to conclude the purpose(s) for which it was collected, and in line with our data retention policies.
Personal data will be securely destroyed when no longer required by Nexus.
7. Third-party sites
Our website and apps may contain links to sites owned and operated by third parties. They have their own Privacy Notices, and we would urge you to review them before browsing or providing personal data to those sites and apps. Nexus does not accept any responsibility or liability for the privacy practices of such third-party websites or apps and your use of such websites and apps is at your own risk.
8. Your information rights
Data protection legislation provides the following rights for individuals in relation to their personal data:
8.1 Right to withdraw consent
If we have relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. You can withdraw consent by contacting the Data Protection Officer by email at [email protected].
8.2 Right to be informed
An organisation must inform you if it is using your personal data. This should be done when it first collects your information.
8.3 Right of access
Individuals have the right to access copies of their personal data. This is done via a subject access request. To make a subject access request to Nexus please visit https://www.nexus.org.uk/data-protection.
8.4 Right to rectification
Individuals can challenge the accuracy of personal data which is held by an organisation and in some circumstances request that it is corrected.
8.5 Right to erasure
The right to erasure gives individuals, in certain circumstances, the opportunity to ask organisations to delete personal data they hold about them.
8.6 Right to restrict processing
Individuals have the right to limit the way an organisation uses their personal data.
8.7 Right to data portability
The right to data portability allows individuals to request their personal data from an organisation in a way that is accessible.
8.8 Right to object
Individuals have the right to object to the processing of their personal data in certain circumstances.
8.9 Rights relating to automated decision-making including profiling
This right enables individuals, in certain circumstances, to prevent the automated profiling of their personal data.
For further information on the rights of an individual please visit https://ico.org.uk/your-data-matters/.
9. Security
Nexus is committed to ensuring that your personal data is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect from you.
Where Nexus engages third parties to process personal data on our behalf, they do so on the basis of clear written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of the data.
The data that we collect from you is stored in the UK. It may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"), and it may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal data to Nexus, you agree to this transfer, storing or processing.
Nexus will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Notice.
All information you provide to us is stored on secure servers. Any payment transactions carried out by Nexus will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
10. How to contact us
Nexus is the trading name of Tyne and Wear Passenger Transport Executive and its address is Nexus House, St James’ Boulevard, Newcastle upon Tyne, NE1 4AX.
In relation to the collection and processing of personal data, Nexus is the data controller. Nexus can be contacted by phoning 0191 20 20 747 or email [email protected].
If you require further information about how your personal data will be held and processed by Nexus, or if you wish to make a complaint about any data protection matter, contact the Nexus Data Protection Officer by email at [email protected].
11. Complaints to the Information Commissioner
Nexus tries to meet the highest standards when collecting and using personal data. For this reason, we take any complaints we receive about this very seriously.
If you are unhappy at the handling of any complaint made to Nexus about how your Personal Data has been handled or processed, you can contact the Information Commissioner’s Office as the statutory body which oversees data protection law.
The Information Commissioner’s Office can be contacted by phoning 0303 123 1113 or in writing at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
In addition, you can report a concern online at https://ico.org.uk/concerns.