People who visit our website Expand When someone visits this website, we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to various parts of our website. This information is only processed in a way which does not identify anyone. This data is kept indefinitely. Here is a link to the relevant part of Google’s privacy policy. We use RaisingIT to help maintain the security and performance of our website. Here is a link to RaisingIT's Privacy Policy.
Other websites Expand We may, from time to time, employ the services of selected third parties for dealing with matters such as search engine facilities, advertising and marketing. The providers of such services may have access to personal data provided by users of our Site. Any data used by such parties is used only to the extent required by them to perform the services that we request, for example to provide you with information which we feel may interest you. Any use for other purposes is strictly prohibited. Furthermore, any personal data processed by third parties must be processed in accordance with the GDPR. Our site may, from time to time, contain links to and from the websites of third parties. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Cookies Expand When you visit our site, we may set and access cookies on your computer. A cookie is a small file that resides on your computer’s hard drive and often contains an anonymous unique identifier and is accessible only by the website that placed it there, not any other sites. Tracking technologies may record information such as Internet domain and host names; Internet protocol (IP) addresses; browser software and operating system types; clickstream patterns; and dates and times that our site is accessed. Our use of cookies and other tracking technologies allows us to improve our site and your web experience. We may also analyse information that does not contain personal information for trends and statistics. You can choose to enable or disable cookies in your web browser. By default, your browser will accept cookies, however this can be altered. You may delete Cookies, but you may lose information that enables you to access our site more quickly. For further details please consult the help menu in your browser.
People who subscribe to our newsletter Expand As part of the registration process for our e-newsletters, we collect personal information. We use that information for a couple of reasons: to tell you about products and services you’ve asked us to tell you about; to contact you if we need to obtain or provide additional information; to check our records are right. We don't rent or trade email lists with other organisations and businesses. We use a third-party provider, sendinblue, to deliver our newsletters. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletters. For more information, please see sendinblue’s privacy notice. You can unsubscribe to general mailings at any time of the day or night by clicking the unsubscribe link at the bottom of any of our emails or by emailing our unsubscribe address NYMR Unsubscribe.
People who make a donation or support us Expand How we use personal information collected • to process donations or payments we have received from you; • to provide you with information you have requested or which we feel may interest you where you have consented to being contacted; • to provide further information about the impact of our work, activities or ways to deepen our relationship that you have agreed to receive; • to further our charitable aims, including for fundraising activities and donor or supporter research; • to fulfil donations or pledges made; • to invite voluntary participation in research or surveys; • for administration purposes; for example to manage your participation in events for which you have registered (e.g. contact about an event you have registered for); • for internal record keeping, including the management of any feedback or complaints; • to analyse and improve our work, services, activities, products or information (including our website) to make it as user friendly as possible; • to use IP addresses and monitor website use, to record website traffic or to personalise the way information is presented to you.
People who make a booking or become a member Expand We provide many services, such as ticket bookings and membership both online and in person at NYMR, as well as group bookings, education bookings, diner bookings and other ad hoc events and services. We also have an online shop. Some parts of our booking and membership services may require personal information, such as name, contact details, food allergies and/or payment details for us to be able to provide the service to you. We only ask for relevant information and never store any payment details. Your information is not used, stored or shared with any third parties. For those visitors and members who voluntarily Gift Aid, the donor’s name and address are submitted securely to HMRC and need to be retained in line with HMRC’s requirements. Our sales and booking system is provided by K3 MStore. You may, of course, purchase a ticket (or tickets) for certain services in person without supplying the aforementioned personal data.
People who telephone or email us Expand We do not record our telephone calls, however we may use some information you provide to us to carry out any requested service such as completing a booking, answering a query or resolving an issue. We monitor all emails sent to us, including file attachments, for viruses or malicious software. We may use some information you provide to us to carry out any requested service, completing a booking, answering a query or resolving an issue.
People who contact us via social media Expand We may use some information you provide to us to carry out any requested service, such as answering queries or providing you with a competition prize. Please be aware that when you post online in public forums on third party social media sites such as Facebook, Twitter, Instagram and TripAdvisor, you should know that others may use, tag and/or re-publish your information. Links to privacy policies of sites we use: Facebook Twitter Instagram TripAdvisor
Accidents, complaints & feedback Expand If during your visit you have an accident, we will keep a record of this to comply with our Health & Safety practices. We may also need to keep the records for legal reasons and may need to share this information with our insurers, the health & safety executive or any other relevant authority. We take all complaints very seriously. We will only use the personal information we collect to process and resolve the complaint, which may involve communicating with you the outcome. We also use this information to check on the level of service we provide. Customer comment cards are provided to passengers for feedback. This information is used to reply to queries and we would opt you into any marketing updates you have requested.
CCTV, Webcams & Public WIFI Expand CCTV systems are in place in some areas of NYMR for public safety. Signs notifying you that CCTV is in operation are displayed in these areas. Images captured by CCTV are not kept for longer than is necessary but may be shared with relevant legal authorities if required. Webcam/s systems are in place in some areas of the railway for public viewing. The webcam/s are transmitting live feeds which are not recorded. The webcam/s positioned at the railway do not transmit high levels of detail and only pick up ambient noise therefore because we are not holding data, no notices are required. When you use NYMR-FreeWiFi we may collect data about: your device; the volume of data which you use; the websites and applications which you access; and your usage by access time, frequency and location. We use Purple WiFi to provide this service. Here is a link to their end user privacy policy.
Lost Property Expand Your lost property may contain personal data (such as a lost wallet containing identification cards) so we keep these in a locked safe and destroy after 3 months.
Volunteers & work placements Expand We use your personal data to manage your time with us and to make sure we are complying with all of our legal and health & safety responsibilities and obligations to you. This could include contacting you about a placement you’ve applied for or we think you might be interested in, aspects of your placement, providing you with a reference or to recognise your contribution.
Job applications Expand As part of any recruitment process, we collect and process personal information, or personal data, relating to job applicants. This personal information may be held on paper or in electronic format and applies to all job applicants, whether they apply for a role directly or indirectly through an employment agency. It is non-contractual. NYMR, uses and processes a range of personal information about you during the recruitment process. This includes: your contact details, including your name, address, telephone number and personal e-mail address personal information included in a CV, any application form, cover letter or interview notes references information about your right to work in the UK and copies of proof of right to work documentation copies of qualification certificates copy of any Identification provided other background check documentation details of your skills, qualifications, experience and work history with previous employers information about your current salary level, including benefits and pension entitlements your professional memberships We may also collect, use and process the following special categories of your personal information during the recruitment process: whether or not you have a disability for which NYMR needs to make reasonable adjustments during the recruitment process, information about your racial or ethnic origin, religious or philosophical beliefs and sexual orientation How do we collect personal information regarding job applicants? We collect personal information about you during the recruitment process either directly from you or sometimes from a third party such as an employment agency. We may also collect personal information from other external third parties, such as references from current and former employers, information from background check providers, information from credit reference agencies and criminal record checks from the Disclosure and Barring Service (DBS). Other than employment agencies, we will only seek personal information from third parties during the recruitment process once an offer of employment or engagement has been made to you and we will inform you that we are doing so, or at another time with your agreement. You are under no statutory or contractual obligation to provide personal information to NYMR during the recruitment process. Your personal information may be stored in different places, including on your application record or in IT systems, such as the e-mail system. Why and how do we use the personal information of job applicants? We will only use your personal information when the law allows us to. These are known as the legal bases for processing. We will use your personal information in one or more of the following circumstances: where we need to do so to take steps at your request prior to entering into a contract with you, or to enter into a contract with you (1) where we need to comply with a legal obligation (2) where it is necessary for our legitimate interests (or those of a third party), and your interests or your fundamental rights and freedoms do not override our interests (3). We need all the types of personal information listed under ‘What types of personal information do we collect about job applicants?’ primarily to enable us to take steps at your request to enter into a contract with you, or to enter into a contract with you (1), and to enable us to comply with our legal obligations (2). In some cases, we may also use your personal information where it is necessary to pursue our legitimate interests (or those of a third party), provided that your interests or your fundamental rights and freedoms do not override our interests (3). Our legitimate interests include: pursuing our business by employing employees, workers and contractors; managing the recruitment process; conducting due diligence on prospective staff and performing effective internal administration. We have indicated, by using (1), (2) or (3) next to each type of personal information listed above, what lawful basis we are relying on to process that particular type of personal information. The purposes for which we are processing, or will process, your personal information are to: manage the recruitment process and assess your suitability for employment or engagement decide to whom to offer a job comply with statutory and/or regulatory requirements and obligations, e.g. checking your right to work in the UK comply with the duty to make reasonable adjustments for disabled job applicants and with other disability discrimination obligations ensure compliance with your statutory rights ensure effective HR, personnel management and business administration monitor equal opportunities enable us to establish, exercise or defend possible legal claims Please note that we may process your personal information without your consent, in compliance with these rules, where this is required or permitted by law. What if you fail to provide personal information as part of the job application process? If you fail to provide certain personal information when requested, we may not be able to process your job application properly or at all, we may not be able to enter into a contract with you, or we may be prevented from complying with our legal obligations. You may also be unable to exercise your statutory rights. Why and how do we use the sensitive personal information of job applicants? We will only collect and use your sensitive personal information, which includes special categories of personal information and information about criminal convictions and offences, when the law additionally allows us to. Some special categories of personal information, i.e. information about your health, and information about criminal convictions and offences, is also processed so that we can perform or exercise our obligations or rights under employment law and in line with our data protection policy. We may also process information about your health and information about any criminal convictions and offences where we have your explicit written consent. In this case, we will first provide you with full details of the personal information we would like and the reason we need it, so that you can properly consider whether you wish to consent or not. It is entirely your choice whether to consent. Your consent can be withdrawn at any time. The purposes for which we are processing, or will process, health information and information about any criminal convictions and offences, are to: assess your suitability for employment or engagement comply with statutory and/or regulatory requirements and obligations, e.g. carrying out criminal record checks comply with the duty to make reasonable adjustments for disabled job applicants and with other disability discrimination obligations ensure compliance with your statutory rights ascertain your fitness to work ensure effective HR, personnel management and business administration monitor equal opportunities We will only use your personal information for the purposes for which we collected it, i.e. for the recruitment exercise for which you have applied. However, if your job application is unsuccessful, we may wish to keep your personal information on file in case there are future suitable employment opportunities with us. We will ask for your consent before we keep your personal information on file for this purpose. Your consent can be withdrawn at any time. Where NYMR processes other special categories of personal information, i.e. information about your racial or ethnic origin, religious or philosophical beliefs and sexual orientation, this is done only for the purpose of equal opportunities monitoring in recruitment and in line with our data protection policy. It is entirely your choice whether to provide such personal information. We may also occasionally use your special categories of personal information, and information about any criminal convictions and offences, where it is needed for the establishment, exercise or defence of legal claims. Who has access to the personal information of job applicants? Your personal information may be shared internally within NYMR for the purposes of the recruitment exercise, including with members of the HR department, members of the recruitment team, managers in the department which has the vacancy and IT staff if access to your personal information is necessary for the performance of their roles. We will not share your personal information with third parties during the recruitment process unless your job application is successful and we make you an offer of employment or engagement. At that stage, we may also share your personal information with third parties (and their designated agents), including: external organisations for the purposes of conducting pre-employment reference and employment background checks the DBS, to obtain a criminal record check former employers, to obtain references professional advisors, such as lawyers We may also need to share your personal information with a regulator or to otherwise comply with the law. We may share your personal information with third parties where it is necessary to take steps at your request to enter into a contract with you, or to enter into a contract with you, where we need to comply with a legal obligation, or where it is necessary for our legitimate interests (or those of a third party). How long does NYMR keep the personal information of job applicants? We will only retain your personal information for as long as is necessary to fulfil the purposes for which it was collected and processed. If your application for employment or engagement is unsuccessful, we will generally hold your personal information for one year after the end of the relevant recruitment exercise but this is subject to: (a) any minimum statutory or other legal, tax, health and safety, reporting or accounting requirements for particular data or records, and (b) the retention of some types of personal information for up to six years to protect against legal risk, e.g. if they could be relevant to a possible legal claim in a tribunal, County Court or High Court. If you have consented to us keeping your personal information on file for in case there are future suitable employment opportunities with us, we will hold your personal information for a further six months after the end of the relevant recruitment exercise, or until you withdraw your consent if earlier. If your application for employment or engagement is successful, personal information gathered during the recruitment process will be retained for the duration of your employment or engagement and in accordance with the privacy notice for employees, workers and contractors. Personal information which is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems and we will also require third parties to destroy or erase such personal information where applicable.
Accessing your own data Expand As a data subject, you have a number of statutory rights. Subject to certain conditions, and in certain circumstances, you have the right to: request access to your personal information - this is usually known as making a data subject access request and it enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it request rectification of your personal information - this enables you to have any inaccurate or incomplete personal information we hold about you corrected request the erasure of your personal information - this enables you to ask us to delete or remove your personal information where there’s no compelling reason for its continued processing, e.g. it’s no longer necessary in relation to the purpose for which it was originally collected restrict the processing of your personal information - this enables you to ask us to suspend the processing of your personal information, e.g. if you contest its accuracy and so want us to verify its accuracy object to the processing of your personal information - this enables you to ask us to stop processing your personal information where we are relying on the legitimate interests of the business as our legal basis for processing and there is something relating to your particular situation which makes you decide to object to processing on this ground data portability - this gives you the right to request the transfer of your personal information to another party so that you can reuse it across different services for your own purposes. If you wish to exercise any of these rights, we may need to request specific information from you in order to verify your identity. We may request for you to complete a Subject Access Request Form. You are not obliged to complete this form but this is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it. In the limited circumstances where you have provided your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on your consent before its withdrawal. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose you originally agreed to, unless we have another legal basis for processing. If you believe that NYMR has not complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues.
How does NYMR protect your personal information? Expand NYMR has put in place measures to protect the security of your personal information. It has internal policies, procedures and controls in place to try and prevent your personal information from being accidentally lost or destroyed, altered, disclosed or used or accessed in an unauthorised way. In addition, we limit access to your personal information to those employees, workers, agents, contractors and other third parties who have a business need to know in order to perform their job duties and responsibilities. Where your personal information is shared with third parties, we require all third parties to take appropriate technical and organisational security measures to protect your personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes. We will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator such as the Charity Commission) and you of a suspected breach where we are legally required to do so.
How long will NYMR keep your personal information? Expand We will only retain your personal data for as long as necessary to fulfil the purpose we collected it for, including for the purpose of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purpose for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you. When your information is no longer required under our retention policies, we will ensure it is disposed of in a secure manner.
How to amend your information Expand Under the General Data Protection Regulations (GDPR), you have rights as an individual which you can exercise in relation to the information we hold about you. You can read more about these rights here. To correct, amend, update or ask about any information you have given us, or to withdraw consent you have previously given, please contact us [email protected] or write to us at the address below: Data Protection North Yorkshire Moors Railway12 Park Street, Pickering, North Yorkshire, YO18 7AJ We may need to verify your identity before actioning your request. This privacy policy was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of NYMR’s collection and use of personal information, however we are happy to provide any additional information or explanation needed. Any requests for this should be sent to [email protected] or please write to us at the postal address given above. NYMR reserves the right to update or amend this privacy policy at any time. We will issue a new privacy policy when we make significant updates or amendments. We are registered with ICO under the name North Yorkshire Moors Railway Enterprises PLC (number – Z6618600).