Introduction

We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and how to contact us. We seek at all times to comply with the General Data Protection Regulation (GDPR).

A copy of this privacy notice in pdf format is available to download here.

Who we are

The Festiniog Railway Company, trading as Ffestiniog and Welsh Highland Railways, collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the GDPR which applies across the European Union (including in the UK) and we are responsible as ‘controller’ of that personal information for the purposes of the GDPR. The GDPR will be supplemented in due course by additional UK specific data protection legislation.

The controlling shareholder of the Festiniog Railway Company, The Ffestiniog and Welsh Highland Railways Trust (the Trust), is responsible for our Diamond Jubilee Appeal, and will be the ‘controller’ of personal information you give us if you become a subscriber or donate to the Appeal.

What personal information do we collect?

We collect personal information about you when you:

• Become a volunteer or apply to be one
• Travel on the Ffestiniog Railway or Welsh Highland Railway as a passenger
• Visit our website, join a mailing or marketing list, contact us on social media or by email, complete a survey or enter a competition organised by us
• Purchase products or services from any of our sites
• Make a donation to the Trust
• Contract directly with us
• Contract with us as a third party
• Through the use of certain data capturing devices (for example studying which pages of our website you read the most through the use of cookies).

How do we collect information?

You may give us the information orally, by web form, email, telephone or by letter. You may also give information to booking agents acting on our behalf or booking agents (including family members and others) who seek to purchase a service from us.

How long do we keep your personal data?

All personal data is kept no longer than is necessary and the length of time will vary depending on the activity by which your personal data is obtained:
• In the case of a volunteer we keep your personal information whilst you continue to volunteer. Once you cease to volunteer then we keep your personal information for a further period of seven years
• In the case of a contract concluded with The Festiniog Railway Company we keep your personal data for a period of seven years from the date when the contract is completed
• In the case of donors and other supporters, we assume that you will continue to be interested in hearing about the railways indefinitely so we will keep your contact details until you tell us to stop contacting you (which you can do at any time). If we have your bank details we keep these for seven years after you cease to subscribe.
• If as a donor you become party to the Trust’s ‘Share for Life’ scheme we will retain your contact details for seven years after you cease to hold a share.
• In all other cases we keep your personal data for a period of seven years from the date of collection of that personal information.

We have a world class railway heritage archive. At the point of destruction of paper records or the deletion of electronic records then a decision is taken by The Festiniog Railway Company as to whether the relevant information should be retained indefinitely and form part of the archive for future public examination.

What is the lawful basis for you processing my information?

We must have a lawful basis for processing your information; this will vary depending on the circumstances of how and why we have your information, but typical examples include:

• The activities are within our legitimate interests as a railway company seeking to engage with and provide services to prospective and current customers, employees, volunteers and third parties or to archive important historical information.
• The activities are within the legitimate interests of the Trust in raising funds for the railways and in providing information to and maintaining contact with supporters.
• You have given consent for us to process your information e.g. in relation to marketing activities
• We are carrying out necessary steps in relation to a contract to which you are a party or prior to you entering into a contract e.g. because you wish to book tickets or arrange for us to carry out a service for you
• The processing is necessary for compliance with a legal obligation to which we are subject e.g. for us to be able to comply with legal obligations imposed by the Office of Rail and Road Regulation
• To protect your vital interests e.g. if you were unfortunate enough to fall ill or suffer injury on one of our trains or premises.

If we process any special categories of information i.e. information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, processing of genetic or biometric data for the purpose of uniquely identifying individuals, health data, or data concerning your sex life or sexual orientation or information revealing criminal convictions or offences, we must have a further lawful basis for processing. This may include:
• Where you have given us your explicit consent to do so e.g. to obtain your medical details to satisfy requirements imposed by the Office of Rail and Road Regulation and in the interests of ensuring the safe operation of both railways
• Where the processing is necessary to protect your vital interests or someone else’s vital interests
• You have made the information public
• The processing being necessary for the establishment, exercise or defence of legal claims
• The processing being necessary for reasons of substantial public interest e.g. as a consequence of your employment, for equal opportunity obligations, preventing or detecting unlawful acts or dishonesty, for safeguarding reasons or the arranging of relevant and necessary insurance policies.

How do we use your information?

We use the information:
• To provide information that you may require regarding the services that we offer
• To meet the safety requirements of volunteers and customers
• To provide information to the Office of Rail and Road Regulation if demanded
• To fulfil our contract with you
• To comply with our statutory and regulatory obligations
• To send you marketing communications
• To administer competitions
• To administer supporters’ donations and to provide them with information about the progress and funding of the railway.

Disclosure of your information

Some of the information you provide to us may be transferred to, stored and processed by third party organisations who process data on our behalf. These third parties may be based (or store or process information) in the United Kingdom, or elsewhere including outside of the European Economic Area (EEA). These third parties may include third party IT platforms (including cloud-based platforms), suppliers of administrative and support services and suppliers of other specialist products.

If you donate or subscribe to the Diamond Jubilee Appeal, your personal information may be provided to your bank (if you pay by standing order); to HMRC (if your donation is gift-aided) and to the parties involved in providing any benefits you become entitled to in connection with your donation. If you are entitled to become a member of the Ffestiniog Railway Society and/or the Welsh Highland Railway Society we will provide the appropriate information to them and they will be responsible for its use. If as a donor you notify the Trust of a change of contact details we may pass this on to either or both of the societies where appropriate.

We may be obliged to disclose data by order of a court, by statute or by order of the Office of Rail and Road Regulation, or we may be permitted to disclose it under applicable data protection laws in other circumstances.

How do we protect your information?

All our computers are protected by firewalls and reputable anti-virus software to which all patches and updates are applied as soon as possible. External servers are similarly protected and provided by organisations we trust. Our computers and programmes are protected by passwords. Information in hard form is kept in locked drawers or filing cabinets.

Where we transfer information to third parties to enable them to process it on our behalf, we ensure that the providers meet or exceed the relevant legal or regulatory requirements for transferring data to them and keeping it secure.

We may transfer your personal information to countries which are located outside the European Economic Area (EEA) or UK as follows:

• When using outsourced IT or other administrative support services
• When you are located outside of the EEA

Such countries do not always have the same data protection laws as the United Kingdom and EEA but we will ensure that where information is transferred to a country or international organisation outside of the UK/EEA, we will comply with the relevant legal rules governing such transfers that are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information.

Do we use cookies?

Cookies are small routines which enable the location and type of your computer or device, and browsing behaviour, to be identified. The only cookies we use are for Google Analytics, which report to Google how our web pages and AdWords advertisements have been used. This information is available to us only in aggregated form, so that we can never identify a particular user. Responsibility for safeguarding this data rests with Google. You can set preferences in your own browser, for each machine you use.

What are your rights concerning our use of your personal information?

Under GDPR your rights include:

• Right of access. You may request to see what data we hold about you
• Right to rectification and data quality. You may require us to correct data which are inaccurate or incomplete
• Right to erasure including retention and disposal. The right to be ‘forgotten’. If you have had no contract with us, this can be done immediately. If you have had a contract, we must retain relevant data for seven years. Data older than this can be deleted, though we need to retain your name in our archives as a marker for past transactions
• Right to restrict processing. In this case we can retain the data but not use it
• Right of data portability. This does not apply as we do not process data by automatic means.
• Right to object, or to withdraw consent. You can ask us to stop sending you direct marketing communications (e.g. brochures or email newsletters). Note that an ‘unsubscribe’ request will stop future mailings, but that if you require your data to be deleted you must specifically notify us.

If you wish to exercise any of these rights, please email or write to us, and we will respond appropriately as quickly as possible. Furthermore, if you would like to discuss this policy, ask how we use your personal information, provide feedback or make a complaint please email or write to us.

Contact information

The Festiniog Railway Company

The General Manager
The Festiniog Railway Company
Harbour Station
Porthmadog
Gwynedd
LL49 9NF

Telephone: 01766 516062
Email: enquiries@ffwhr.com

The Trust

The Secretary to the Trustees
The Ffestiniog and Welsh Highland Railway Trust
Harbour Station
Porthmadog
Gwynedd
LL49 9NF

Email: jalexander@ffwhr.com

The Trust is registered as a charity in England and Wales, number 239904

You can also contact the Information Commissioner’s Office via https://ico.org.uk for information, advice or to make a complaint.

Changes to this privacy notice

This privacy notice was last updated in May 2018

We may change this privacy notice from time to time as our business and internal practices and/or applicable laws change. We will not make any use of your personal information that is inconsistent with the original purpose(s) for which it was collected or obtained (if we intend to do so, we will notify you in advance wherever possible via our website and/or otherwise contacting you by post or email) or otherwise than is permitted by applicable law.