1. Who are we?
HCT Group (“we”, “us”, “our”) is a social enterprise in the transport industry, safely providing over 23 million passenger trips on our buses every year. We deliver a range of transport services – from London red buses to social services transport, from school transport to whole bus networks, from community transport to education and training. We reinvest the profits from our commercial work into further transport services or projects in the communities we serve.
HCT Group is registered in England and Wales as a company limited by guarantee and as a registered charity, with company no. 01747483 and charity no. 1091318. Our registered address is 1st Floor, 141 Curtain Road, London, EC2A 3AR. HCT Group comprises of HCT Group and its trading subsidiaries.
2. How do we collect your personal information?
(a) When you give it to us directly
For example, personal information that you submit through our website by booking a trip, registering as a driver, signing up for some training or to receive one of our newsletters.
(b) When we obtain it indirectly
For example, your personal information may be shared with us by third parties including, for example, our business partners; our customers such as local authorities or other public entities operating transport, sub-contractors in technical, payment and delivery services or search information providers. To the extent we have not done so already, we will notify you when we receive personal information about you from them and tell you how and why we intend to use that personal information.
(c) When it is available publicly
Your personal information may be available to us from external publicly available services. For example, depending on your privacy settings for social media services, we may access information from those accounts or services, or we may access your personal information for credit risk purposes.
(d) When you visit our website
When you visit our website, we automatically collect the following types of personal information:
(a) Technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms.
(b) Information about your visit to the website, including the uniform resource locator (URL) clickstream to, through and from the website (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, referral sources, page interaction information (such as scrolling and clicks) and methods used to browse away from the page.
In general, we may combine your personal information from these different sources for the purposes set out in this Policy.
3. What type of personal information do we use?
We may collect, store and otherwise use the following kinds of personal information:
(a) your name and contact details, including postal address and email address;
(b) your social media identity
(c) your date of birth and gender;
(d) your financial information, such as bank details and/or credit/debit card details, account holder name, sort code and account number;
(e) information about your computer/mobile device and your visits to and use of this website, including, for example, your IP address and geographical location;
(f) details of your qualifications/experience;
(g) identification documents such as driving licenses;
(h) details of your right to work in the UK;
(i) information about our services which you use/which we consider may be of interest to you; and/or
(j) any other personal information which we obtain as per section 2 of this Policy.
Do we process special categories of your personal information?
The EU General Data Protection Regulation (“GDPR”) recognises certain categories of personal information as sensitive and therefore requiring more protection, for example information about your health, ethnicity and religious beliefs.
In certain situations, HCT Group may collect and/or use these special categories of your personal information (for example, to make reasonable adjustments based on any medical requirements when providing training). We will only process these special categories of your personal information if there is a valid reason for doing so and where the GDPR allows us to do so.
4. How and why will we use your personal information?
Your personal information, however provided to us, will be used for the purposes specified in this Policy. In particular, we may use your personal information to:
- process orders that you have submitted;
- provide you with services or information which you have requested;
- carry out our obligations arising from any contracts entered into by you and us;
- seek your views or comments on the services we provide;
- provide further information about our work, services, activities or products (where necessary, only where you have provided your consent to receive such information);
- notify you of changes to our services;
- answer your questions/communicate with you in general;
- analyse and improve our work, services, activities, products and/or information (including our website), and to measure our social impact;
- report on the impact or effectiveness of our work;
- run/administer our website, keep it safe and secure and ensure that content is presented in the most effective manner for you and for your device;
- promote our associated companies’ goods and services (where necessary, only where you have provided your consent to receive such information);
- process a grant or job application;
- audit and/or administer our accounts;
- satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/or law enforcement bodies with whom we may work (for example, requirements relating to the payment of tax or anti-money laundering initiatives);
- for the prevention of fraud or misuse of services; and/or
- for the establishment, defence and/or enforcement of legal claims.
5. Lawful basesThe GDPR requires us to rely on one or more lawful bases to use your personal information. We consider the grounds listed below to be relevant:
- Where you have provided your consent for us to use your personal information in a certain way (for example, we may ask for your consent to use your personal information to send you our email newsletter, and we may ask for your explicit consent to collect special categories of your personal information).
- Where necessary so that we can comply with a legal obligation to which we are subject (for example, where we are obliged to share your personal information with regulatory bodies which govern our work and services).
- Where necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract (for example, if you apply to work for us).
- Where it is in your/ someone else’s vital interests (for example, in case of medical emergency suffered by a beneficiary).
- Where there is a legitimate interest in us doing so.
The GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or others’ legitimate interests (as long as that processing is fair, balanced and does not unduly impact your rights).
In broad terms, our “legitimate interests” means the interests of running HCT Group as a charitable and commercial entity (for example, carrying out our community projects).
When we process your personal information to achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
6. Communications for marketing
We may use your contact details to provide you with information about our work, events, services and/or products which we consider may be of interest to you (for example, updates about services and products you previously used).
We may analyse your personal information to create a profile of your interests and preferences so that we can contact you with information relevant to you. We may make use of additional information about you when it is available from external sources to help us do this effectively.
We will not contact you for marketing purposes by email, phone or text message or carry out profiling activities unless you have given your prior consent (unless we are allowed to do so by applicable law). We will not contact you for marketing purposes by post if you have indicated that you do not wish to be contacted. You can change your marketing preferences at any time by contacting us by email: email@example.com or telephone on 020 7275 2400.
You have a choice about whether or not you wish to receive information from us. If you do not want to receive direct marketing communications from us about the vital work we do on training and transport with our exciting products, programs and services, then you can select your choices by ticking the relevant boxes situated on the form on which we collect your information.
7. Who has access to your personal information?
We will not sell or rent your information to third parties.
We will not share your information with third parties for marketing purposes.
However, in general we may disclose your personal information to selected third parties in order to achieve the purposes set out in this Policy. Those parties include, but are not limited to:
(a) Third Party Service Providers working on our behalf: we may pass your information to our third party service providers, agents subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf (for example to process payments and send you mailings). However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes, and to comply with the obligations under data protection law. Please be reassured that we will not release your information to third parties beyond the HCT Group companies and subsidiaries for them to use for their own direct marketing purposes, unless you have requested us to do so, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.
When you are using our secure online donation pages, your donation is processed by a third party payment processor, who specialises in the secure online capture and processing of credit/debit card transactions. If you have any questions regarding secure transactions, please contact us.
(d) Professional service providers such as accountants and lawyers.
(e) Regulatory authorities, such as tax authorities.
(f) Analytics and search engine providers.
In particular, we reserve the right to disclose your personal information to third parties:
- in the event that we sell or buy any business or assets, in which case we will disclose your personal information to the (prospective) seller or buyer of such business or assets;
- if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets;
- if we are under any legal or regulatory duty to do so; and/or
- to protect the rights, property or safety of HCT Group, its personnel, users, visitors or others.
8. How long will we keep your personal information?
In general, unless still required in connection with the purpose(s) for which it was collected and/or processed, we remove your personal information from our records six years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure (please see section 9 below), we will remove it from our records at the relevant time.
If you request to receive no further contact from us, we will keep some basic information about you on our suppression list in order to comply with your request and avoid sending you unwanted materials in the future.
9. Your rights and how to exercise them
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for marketing purposes or to unsubscribe from our email list at any time. You also have the following rights:
- Right of access – you can write to us to ask for confirmation of what personal information we hold on you and to request a copy of that personal information. Provided we are satisfied that you are entitled to see the personal information requested and we have successfully confirmed your identity, we will provide you with your personal information subject to any exemptions that apply. We may need to charge an administration fee in certain circumstances, such as where your requests are repetitive or very large in nature (but only where the GDPR allows us to do so).
- Right of erasure – at your request we will delete your personal information from our records as far as we are required to do so. In many cases we would propose to suppress further communications with you, rather than delete it.
- Right of rectification – if you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated. You can also ask us to check the personal information we hold about you if you are unsure whether it is accurate/up to date.
- Right to restrict processing – you have the right to ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.
- Right to object – you have the right to object to processing where we are (i) processing your personal information on the basis of the legitimate interests ground, (ii) using your personal information for direct marketing or (iii) using your information for statistical purposes.
- Right to data portability – to the extent required by the GDPR, where we are processing your personal information (that you have provided to us) either (i) by relying on your consent or (ii) because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contact, and in either case we are processing using automated means (i.e. with no human involvement), you may ask us to provide the personal information to you – or another service provider – in a machine-readable format.
- Rights related to automated decision-making – you have the right not to be subject to a decision based solely on automated processing of your personal information which produces legal or similarly significant effects on you, unless such a decision (i) is necessary to enter into/perform a contract between you and us/another organisation; (ii) is authorised by EU or Member State law to which HCT Group is subject (as long as that law offers you sufficient protection); or (iii) is based on your explicit consent.
We may ask you for additional information to confirm your identity and for security purposes, before disclosing personal information requested to you.
Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you contact us using the details in section 16below.
You are further entitled to make a complaint about us or the way we have processed your personal information to the data protection supervisory authority in your home country. In the UK, the data protection authority is the Information Commissioner’s Office – www.ico.org.uk. For further information on how to exercise this right, please contact us using the details in section 16 below.
10. Security/storage of and access to your personal information
HCT Group is committed to keeping your personal information safe and secure and we have appropriate and proportionate security policies and organisational and technical measures in place to help protect your information.
Your personal information is only accessible by appropriately trained staff, volunteers and contractors, and stored on secure servers with features enacted to prevent unauthorised access.
11. Links and third parties
In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.
12. 18 or Under
We are concerned to protect the privacy of children aged 18 or under. If you are aged 18 or under‚ please get your parent/guardian's permission beforehand whenever you provide us with personal information.
13. Transferring your personal information outside of European Economic Area
Given that we are an organisation based in the UK, we will normally only transfer your personal information within the European Economic Area (“EEA”), where all countries have the same level of data protection law as under the GDPR.
However, because we may sometimes use agencies and/or suppliers to process personal information on our behalf, it is possible that personal information we collect from you will be transferred to and stored in a location outside the EEA, for example the United States.
Please note that some countries outside of the EEA have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals. Where your personal information is transferred, stored and/or otherwise processed outside the EEA in a country that does not offer an equivalent standard of protection to the EEA, we will take all reasonable steps necessary to ensure that the recipient implements appropriate safeguards (such as by entering into standard contractual clauses which have been approved by the European Commission) designed to protect your personal information and to ensure that your personal information is treated securely and in accordance with this Policy. If you have any questions about the transfer of your personal information, please contact us using the details below.
Unfortunately, no transmission of your personal information over the internet can be guaranteed to be 100% secure – however, once we have received your personal information, we will use strict procedures and security features to try and prevent unauthorised access.
14. Updates to this Policy
We may update this Policy from time to time. We will notify you of significant changes by contacting you directly where reasonably possible for us to do so and by placing an update notice on our website. This Notice was last updated on 25th May 2018.
15. Data Protection Officer
Our Data Protection Officer (“DPO”) can be contacted directly at firstname.lastname@example.org, Alternatively, please use the details in Section 16 below and mark the email/ letter for the attention of the DPO or ask for the DPO
16. How to contact us
Any questions regarding this Policy and our privacy practices should be sent by email to email@example.com or by writing to HCT Group, CAN Mezzanine, 7-14 Great Dover Street, London, SE1 4YR. Alternatively, you can telephone 020 7275 2400.
At HCT Group, we are committed to protecting and respecting your privacy