top of page


Railway Support Services Ltd. is a Registered Member of the GDPR Check & Verify Register.

See our Accreditation Below.

RSS CV 23.png
  • Policy Updated June 2023.


1.         Overview


1.1 We are committed to protecting the privacy and security of your Personal data. We have robust 
information security management systems in place to protect your personal data. We take the 
security of your information seriously and have implemented appropriate technical and 
organisational security measures to protect it against any unauthorised or unlawful processing and 
against any accidental loss, destruction, or damage.


1.2 This Privacy Notice applies to Personal Data we process when you visit or use our website. 
Further Privacy Policy statements and documents may apply Offline and these are available, if 
relevant, on request.


1.3        This site is owned by Railway Support Services Ltd whose Registered office is situated 
181-183 Summer Road, Summer Road, Erdington, Birmingham, B23 6DX


1.4 Our company registration number is 06723982. We are the ‘data controller’ of any personal 
information you provide to us.


1.5 We are registered as a Data controller with the Information Commissioners Office our 
registration number is: ZA 562081


1.6       We have appointed a Data Contact for the business who is Ms Tina Hines.


1.7 You can contact our Data Contact at our postal address given above or via email at if you have any queries regarding this policy.


1.8  As a Data Controller, we will take all the necessary steps to comply with the GDPR and Data 
Protection Act 2018 and relevant legislation when handling any personal data which you may provide t
o us. We are responsible for ensuring that data is processed:

  • 1.8.1    Fairly and lawfully processed

  • 1.8.2    Processed for limited purposes

  • 1.8.3    Adequate, relevant and not excessive

  • 1.8.4    Accurate and Secure

  • 1.8.5    Not kept longer than necessary

  • 1.8.6    Processed in accordance with your rights

  • 1.8.7    Not transferred to countries outside the UK without safeguards

  • 1.8.8    Processed in a manner that ensures appropriate security of the personal data


1.9 We are committed to protecting and respecting your data privacy when visiting our website and 
providing us with your personal information. This privacy policy statement summarises what personal 
details we may collect from you before, during or after you use our site and what we will do with 


1.10 Please Note: This Online Privacy information is a precis of our detailed written policies 
which are held at our business premises. Please contact our Data Contact if you require further 

information regarding our data protection compliance procedures.


2.          Our Privacy Notice and Data Protection policies.


2.1 We are committed to protecting your personal data privacy and, in accordance with relevant data 
protection laws, we uphold strict security procedures for the collection, storage, use and 
disclosure of your personal information.


2.2 We have described below the personal information we may gather about you, the purposes we will 
hold it for and the limited categories of people to whom we may disclose it.


3.          What information do we collect and how may we use it?


3.1       During your visit to our site, we will only collect personal information that you choose 
to provide. If, for example, you contact us with an enquiry or request us to provide you with 
further information.


3.2 If you share other people’s data with us, for example if you refer business to us on behalf of 
another, you will need to check you have lawful authority to do so. E.G. The other party has 
consented to you providing us with their information. In such a case you are responsible for 
ensuring the transmission to us of the information is lawful and we may ask you for documentary 
evidence of this.


3.3        The other types and categories of data we may collect from you includes the following:


  • 3.3.1 Identity data: name, username, title, date of birth. Contact data: billing and delivery 

  • address, email address, phone number

  • 3.3.2 Financial data: payment card details (processed by a third-party  payment services provider and not stored by us).

  • 3.3.3    Transaction data: details of products purchased, amounts, dates etc.

  • 3.3.4 Technical data: IP address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform based on your Cookiepreference choices.

  • 3.3.5    Profile data: username and password, purchases or orders made by users.

  • 3.3.6 Usage data: information about how users use our website, products  and services.

  • 3.3.7 Marketing and communications data: record of Website users preferences in receiving marketing from us about the products we sell


3.4        Consequences of failing to provide Personal Data


  • 3.4.1 In general if you fail or refuse to provide us with your Personal Data we will not be able to deal with your enquiry or do business with you. The following explains the consequences for each Lawful Basis of processing.

  • 3.4.2 Consent: It is your decision to provide your information by consent. We protect your data as described in this document but we cannot proceed with an enquiry without, for example your contact details to receive a reply.

  • 3.4.3 Contract: We cannot contract with you for goods or services in business unless you provide us with, at least some of your details. We adhere to the principle of Data Minimisation and only collect enough data to complete the task at hand.

  • 3.4.4 Legal Obligation: If we have a legal obligation to process your data, failure to provide the necessary information may have adverse consequences for you. If this is the case we will tell you.are required to process your personal data in the public interest or the 3.4.5 Public Task: If weexercise of official authority we will inform you. Failure to provide data under these circumstances will mean we cannot include you in the processing activity.

  • 3.4.6 Vital Interests: If data processing is required to protect the vital interests of a natural person then it is likely we will be in possession of the data before the need arises. If you have not provided us with your data this situation cannot apply to you.

  • 3.4.7   Legitimate Interests: Where data processing occurs and has been deemed to be in our legitimate interests this will be based on a written assessment of need. There is usually no need for the data subject to provide their data for this purpose, although you  do have the right to  object to its use under certain circumstances but you usually must provide some identification data to make such an objection.

4.          We may use the information you provide us with in the following ways:


4.1       To administer any account you have with us.


4.2       To perform our contractual obligations to you.


4.3       To respond to your queries and requests.


4.4       To communicate with you.


4.5        To ensure that the content of our site is presented in the most effective manner.


4.6        To provide you with any information, products and/or services requested from us.


4.7        To provide you with helpful information about our products or services.


4.8       To make improvements to the service we provide you.

4.9       We also reserve the right to disclose your personal information where we are required to 
do so by law, such as to assist in any disputes, claims or investigations relating to your account 
or contracts with us and to detect and prevent fraudulent transactions.


4.10    E-mail correspondence with us via our website and email addresses accessible through or 
obtained from this site may be recorded and/or mon


5.         How do we store and protect your data?


5.1 We have robust information security management systems in place to protect your personal data. 
We take the security of your information seriously and have implemented appropriate technical and 
organisational security measures to protect it against any unauthorised or unlawful processing and 
against any accidental loss, destruction, or damage.


5.2        Data we receive and process is held by us in secure electronic devices and separate back 
up devices and servers.


5.3        Personal Data may also be held in encrypted 3rd party ‘Cloud’ Servers.


5.4   Further encrypted back ups of data may be held securely in offsite locations which are also 
subject to physical security at their location.


5.5 We will not sell, rent or otherwise disclose the personal information you provide to us through 
the site to third parties (other than as listed below) unless we are required to do so by law.


5.6 The Main Establishment for all of our Data Processing is the UK. We do not generally operate or 
transfer Personal Data outside of the United Kingdom.


5.7 Due to the operation of the Internet and other computer based applications Personal Data under 
our control may transit countries outside of the UK.


5.8 We will only transfer data outside the UK if adequate safeguards are in place in the 
destination country.


5.9    Where Personal Data is transferred to a third country or an international organisation we 
will ensure that an adequacy decision or similar authority exists between the UK and the r
country or area.


5.10 Where no adequacy decision exists and we rely on the provisions of Standard Contractual 
Clauses or Binding Corporate Rules evidence of the safeguards provided thereby will be available 
upon request.


6.         Sharing Your Data


6.1       We may share your personal information with certain third parties who provide services to 
us or work on our behalf.

6.2 Such 3rd Parties only have access to the personal information they need to perform those 
services or work.


6.3   Such 3rd  parties are bound by contractual arrangements with Ourselves in accordance with 
Data Protection legislation and are required to keep your personal information secure and 
confidential. They may only use it as permitted by us in accordance with our Privacy Policies.


6.4 If you have contracted with us we will share data only to the extent necessary for the 
performance of the contract, otherwise we will obtain specific additional consent from you before 
sharing your data.


6.5        The third parties who provide services on our behalf fall into the following categories:


6.5.1    Our partners providing logistics and external service support.


6.5.2    Our business partners or advisors for the purposes of completing a contract with you.


6.5.3    Marketing agencies appointed to provide services to us.


6.5.4    The service providers operating this site on our behalf.


6.5.5    Accountants, auditors, law firms, payment processors, information technology support 


6.5.6    Advertising services, analytics services, Computer Application and Software providers.


7.         How long do we store your data?


7.1    We will not keep your data for longer than is necessary for the relevant purposes set out in 
this Privacy Notice and our Company Compliance Policies.


7.2 Where you have purchased a product or service from us, we will hold your relevant personal 
details to enable us to administer the contract and provide such after-sales services as may be 


7.3    Speculative enquiries for information, the data will be retained for 12 months, unless the 
Consent is rescinded, in case of a follow up enquiry. E.g. Website enquiries.


7.4 We also store personal data in line with Regulatory and legal  requirements  in accordance with 
the law.


7.5       Contract data will be retained for the duration of the contract plus a further 7 years.



8.         Your Personal Data Rights


8.1 Under the UK General Data Protection Regulation (UK GDPR) and  The  Data Protection Act 2018 
(DPA) you have a number of rights with regard to your personal

data. To exercise any of your rights contact our Data Contact using the details given above.


8.2 You have the right to request from us access to and rectification or erasure of your personal 
data; the right to restrict processing; the right to object to processing as well as in certain 
circumstances the right to data portability as below.


8.3 In the event that you provide your data directly to us for the purpose of a contract, or in 
circumstances where you have provided your data by consent, you have the right to be provided with 
your data in a structured, machine-readable format. This is known as Data Portability.


8.4   Following a request relating to Data Portability we will transmit the relevant personal data 
to the data subject or their nominated data controller where it is possible and technically 
feasible for us to do so.


8.5 Where you have provided your data voluntarily by Consent you have the right  to withdraw your 
Consent at any time. However, withdrawal of Consent does not affect the lawfulness of any 
processing of your data based on your Consent prior to its withdrawal.


8.6 You have the right to complain to the Data Regulator at the Information Commissioners Office on 
0303 123 1113 or through their website

8.7   Where we need to process data for the purposes of entering into a Contract with you, if you 
fail to provide such data it may mean that we cannot establish legal relations between us and the 
contract may not be able to go ahead. We will inform you if this happens.


8.8 Automated decision making and profiling means making decisions  without human intervention, 
usually with the use of a computer program or software. We may use automated decision making about 
you if it is necessary for entering into or performing a Contract with you or where you Consent to 
the actions.


8.9  Please note we will retain and use your personal information as necessary to comply with our 
legal obligations, resolve disputes, and enforce our agreements. If we need to use your data for a 
reason it was not collected and you are not aware of this, we will inform you and in appropriate 
cases obtain your further consent to such use.


8.10  If we process data about you but we have not obtained the data personally from you, we must 
provide you with the information described in this Privacy Notice and some additional information.


8.11 The additional information will be provided to you at least by the time we contact you and in 
any event within the space of one month after we obtain it.


8.12 If the processing is based on Legitimate Interests, you are entitled to know what and whose 
Legitimate Interests they are.


8.13 You are entitled to know the purpose of the processing, whether we or someone else is 
processing it and the categories of Personal Data involved.

8.14 You are entitled to know the source of the information and whether the source is publicly 


8.15 There are some exceptions to this additional information rule.  If  we  obtain  your Personal 
Data from a source other than yourself, the additional information rules will apply unless:-


  • 8.15.1               You already have the information regarding our processing; or

  • 8.15.2               it would take a disproportionate effort or be impossible to provide you with it; or

  • 8.15.3               you are already legally protected under separate provisions; or

  • 8.15.4               we have a legal duty not to disclose it.


8.16 We use the lawful basis of Legitimate Interests for processing data in the following 


  • 8.16.1: When processing data from our CCTV equipment.

  • 8.16.2 When processing data using Video Conferencing software.

  • 8.16.3  When processing data using Dashcam equipment.


8.17     Our Specific Legitimate Interests are:


  • 8.17.1              CCTV

  •            To protect our business premises.

  •            To protect the safety of our employees and visitors to the premises.

  •            To assist lawful authorities in the prevention and detection of crime.

  • 8.17.2               Video Conferencing

  •            To facilitate efficient business video and telecommunications.

  •            To protect the safety of our employees and participants on the call              from unnecessary real world travelling.

  •            To support our primary business objectives.

  • 8.17.3                 Dashcams

  •            To protect our Employees, business assets and our reputation.

  •            To correctly record incidents which occur on the road.

  •            To assist lawful authorities in the prevention and detection of crime.


8.18 Use of Third Party Computer Applications for Video conferencing: Where we engage with you 
Online using a Video Conferencing Application the lawful basis will be our Legitimate Interests and 
the following will apply:


  • 8.18.1  All participants in Video conferencing will be given specific log in details.

  • 8.18.2  We operate in accordance with our Video Conferencing Privacy policy.

  • 8.18.3 As Data Controller we will manage the Personal Data shared by participants and restrict or  control access as necessary for the security of other participants and to prevent cyber security issues such as Phishing.

  • 8.18.4 Password access will be controlled by the Moderator and individual passwords issued where an increased risk is perceived such as large groups or public access.

  • 8.18.5 A Legitimate Interest Assessment Test on Video Conferencing was conducted which concluded  the use of Video Conferencing was in our legitimate interests.


9.          Lawful bases for data processing


9.1        We hold and process your data by lawfully allowed means, these include:


9.1.1 Your Consent: Consent is usually given by yourself when you contact us via this Website or 
personally when we discuss products or advice with you.


9.1.2 Contractual obligations: This occurs when you purchase products or services from us.


9.1.3 Legal Obligation: When the processing is necessary for us to comply with the Law.


9.1.4    Vital Interests: When the processing is necessary to protect someone's life.


9.1.5 Public Task: When the processing is necessary for us to perform a task in the public interest 
or for an official function and the task or function has a clear basis in Law.


9.1.6 Legitimate Interests: When the processing is necessary for our legitimate interests or the 
legitimate interests of a third party unless there is a good reason to protect the individual’s 
personal data which overrides those legitimate interests.

N.B. Legitimate Interests can only be used following the application of the prescribed three part 
Legitimate Interests Assessment Test and then only when a positive outcome is indicated by the 
conclusions of the test. All Legitimate Interests Assessment Tests will be documented, recorded and 

10.       Children’s data


10.1     Our site is not directed at children and should not be accessed by them.


10.2 We will not knowingly collect information from persons under 13 years of age without their 
parent's or guardian's consent.


10.3 If a Parent or Guardian of a person under 13 years of age discovers their child has engaged 
with our Website without their consent, please inform us immediately using the contact email 
provided above.


10.4 We have considered the elements of the AADC (Children’s code) in relation to our Online 
activity and concluded that we are not a relevant Information Society Service which is likely to be 
accessed by children.


10.5 There is nothing on our Website which could be damaging to children who view the pages or the 


10.6 The products and services referenced on our Website are only available and relevant to adults 
over the age of 18 years.


11.       Third Party Websites


  • 11.1   From time to time our site may contain links to and from the websites of our suppliers or 

  • other third party sites.

  • 11.2 If you visit any of these sites you should confirm they have their own privacy policies and you should check these before submitting any personal data on their site. We cannot accept any responsibility or liability for the policies on any other Websites.


12        Data Access


12.1 You have rights of access to the data we hold about you. Should you wish to exercise these 
rights please contact our Data Contact whose details are given above.


12.2    There is usually no charge for the Data Access service. As soon as we are satisfied as to 
your identity, we will send you, without delay and in any case within one Month, the Personal Data 
we hold relating to you, which we are legally obliged t
o provide.


12.3 We may need to request specific information from you to help us confirm your identity and 
ensure your right to access the information (or to exercise any of your other rights).


12.4 This is another appropriate security measure to ensure that your Personal Data is not 
disclosed to anyone who has no right to receive it.


12.5 In the event we need more time to gather the requested information we will let you know 
without delay and in any event within one month.

12.6 A fee may be payable for Data Access services if the request(s) are  manifestly unfounded or 
excessive or repetitive in nature. Alternatively, we may choose to ignore this type of request. In 
these cases we will inform you of our decision and if applicable any fee that may be required.


12.7 Please contact us if you believe that any personal data or information which we hold about you 
is incorrect or incomplete. Any information or data which is found to be incorrect will be 
corrected as soon as practicable.


12.8 Please contact us if you wish to have your personal data removed entirely from our systems. As 
soon as we are satisfied as to your identity and the data is not required to be kept for any other 
lawful reason or purpose it will be removed from our systems forthwith.


12.9 If you so wish, your Data will be provided to you electronically in a commonly used format 
such as email.


12.10   If you are unhappy with any of the responses given to you by us you may complain about us 
to the regulator at the Information Commissioners Office on 0303 123 1113 or through their website


13.       Business Transfer or Sale


13.1 In the event our business, or part of it, is taken over, bought or merged with another 
business we may need to disclose any personal data we are holding about you to the other Company so 
they can continue to provide services to you in accordance with this Privacy Policy.


13.2  It may be necessary to transfer your data to a Company that is negotiating with us for the 
purchase of our business but only where it is necessary to evaluate the business purchase 


13.3  In the case of a pre-sale transfer of personal data, the data would be kept safe during the 
negotiations and destroyed by the third party if the sale or merger did not go ahead.


14.       Other Regulatory Matters


14.1     Overview


14.1.1 We understand the pervasive effect of Data Protection considerations across all aspects of 
business and wish to create a Culture of Compliance by design within our Organisation.


14.1.2 Consequently, we have made assessments regarding certain other Regulatory areas which 
require data protection scrutiny to determine whether they affect our Organisation.


14.2     Anti-Money Laundering


  • 14.2.1 We have assessed our responsibilities under the Money Laundering, Terrorist Financing and 

  • Transfer of Funds Regulations 2017 (The Regulations) as follows:

  • 14.2.2. We are not a Regulated Organisation registered with HMRC or The FCA.

  • 14.2.3. We are not an exempted Organisation under Article 15 of The Regulations.

  • 14.2.4 We are not an Organisation described in Article 8(2)a–8(2)k  of  The Regulations.

  • 14.2.5  We are not required to engage a Money Laundering Reporting Officer (MLRO).

  • 14.2.6 We do not receive payments for goods in cash generally and specifically we will not accept payments in cash in excess of €10,000 either paid directly to us or into a bank account controlled by us.


14.3     Modern Slavery


  • 14.3.1 We have assessed our responsibilities under the Modern Slavery Act 2015 (The Act) as follows:

  • 14.3.2  We fully support the aims and objectives of The Act.

  • 14.3.3 We are not required to publish a Modern Slavery & Human Trafficking statement under Section 54 of The Act.

  • 14.3.4 During recruitment of our staff we ensure adherence to all regulations including the proof of right to work in the UK requirement.

  • 14.3.5 We remain vigilant for evidence of Modern Slavery & Human Trafficking within our organisation and supply chains and maintain a zero tolerance policy towards such activity.


14.4     Staff Training


14.4.1 We have updated our staff training to include reference to the areas of law in this section 
of our documentation.


15        Changes to this policy.


15.1     There may be developments in how we use your data according to changes in the Law.


15.2 We reserve the right to make changes to this Data Protection and Privacy Policy at any time 
without notice and it is your responsibility to revisit this page from time to time to re-read this 
policy including any and each time you visit our website.


15.3     Any revised terms shall take effect as at the date of posting.

15.4     If you don’t find your concern addressed here, feel free to contact us by e-mailing our
Data Contact at the contact details given above.



bottom of page