Keeping your data safe
Who are we?
RIA is the UK’s trade association for rail suppliers.
We are funded primarily by member company subscriptions and we do not aim to make a profit.
Our member companies fund us in return for their employees’ access to free or low cost information and events.
When you log in or create a new account with RIA, we ask you to share some of your personal data with us such as your first name and last name, and we collect information about your organisation including company address and your interests, so that we can personalise the service for you and show you relevant and useful content.
1 Who's in control?
1.1 We are responsible for deciding how and why your data is used and for ensuring that your data is handled legally and safely.
2 What data do we collect and where from?
2.1 We collect some data directly from you when you create a new account with RIA (Account Data). This data includes the following:
2.1.1 your full name, surname;
2.1.2 your work-related email address;
2.1.3 the password you set up (encrypted) to access your account;
2.1.5 your company name, postcode and address; and
2.1.6 your communication preferences.
2.2 We also collect information that you voluntarily provide to us when you contact us with preferences, queries, complaints, comments or praise, or information that you voluntarily post about yourself on public areas of our platform (Voluntary Data).
2.3 We collect information about how you use our services; in particular, which RIA events you have attended, and which emails you have received and opened.
2.4 We collect information about how you use our website, using cookies like Google Analytics. This includes your viewing history, IP addresses, device identifiers and information about how long you have stayed on certain pages or what pages you have clicked on (Behavioural Data).
2.5 We collect information about your company including size, nature of business and rail related activities.
2.6 We collect information from research surveys such as our regular ‘Pulse surveys’. You can choose to respond to surveys and polls and these help us to understand our members’ and stakeholders’ opinions. In conducting our surveys, we will collect information about your company eg your companies’ interests, priorities and capabilities.
2.7 We also collect publicly available information from social networking sites such as LinkedIn, Instagram and Twitter, for example likes, shares, tweets on posts about RIA. This information is provided to us by a third parties, so we may from time to time share these posts with colleagues and/or members.
3 What do we use your data for?
3.1 This section sets out the different purposes for which we process personal data and which types of personal data we need for each purpose.
3.1.1 We use your Account Data and Behavioural Data to set up (mentioned above) to manage and administer your account, to log you into your account and to provide you with services that you request from us.
3.1.2 We use your Account Data to contact you regularly in order to deliver the information and events services you have subscribed to. As part of this we will also provide you with password resets, and account status messages if needed.
3.1.3 We use Account Data, Behavioural Data, Voluntary Data and Survey Data to help us monitor, analyse, deliver and improve our services.
3.1.4 We use the data collected to:
(a) facilitate networking opportunities
(b) enable us to assess our performance as trade association and to improve our products and services
(c) inform our marketing and promotional activities
4 How we use anonymised data
4.1 We use aggregated and anonymised data to help us understand what type of content users like. When used for these purposes, this data does not enable you or any other individual user to be identified.
4.2 We also promote our own content and features via third party platforms, such as social media sites.
4.3 You may see our material featured on social media; this usually works by using a hashtag to the third-party platform which is then tagged to records in order to identify and notify the tagged persons.
4.4 If you want to opt out of receiving such notifications, you need to do this through your profile or device settings.
5 What is our basis for using your data?
5.1 Data protection law says that we must tell you the basis that we rely on to process your personal data for the purposes and that we have notified to you.
5.2 In respect of the use of your email address for email marketing purposes, member companies pay for their employees to receive our services and information, and therefore any member company or employee of member company has consented to digital engagement with RIA.
5.3 You can withdraw your consent at any time by following the instructions to "unsubscribe" in any email communications.
5.4 We process other personal data on the basis that we have a legitimate business interest in ensuring that we communicate effectively with members and stakeholders. This ensures that we can continue to meet our remit as trade association.
5.5 You have the right to stop us from processing your personal data for the purposes set out above. Unless we can show that we have a compelling legitimate reason to continue processing your personal data, we will stop processing it. Remember that you can unsubscribe from mail you receive and change your preferences at any time.
6. Who do we share your data with?
6.1 We sometimes need to share minimal personal data such as your name and work email address with third parties. The third-party suppliers we share your personal data with are as follows:
6.2 third party service providers who help us to manage our customer database and registration process;
6.3 third party service providers who help us to manage our feedback process;
6.4 other service providers such as information security service providers who help us to manage our IT systems and ensure that they are secure.
6.5 where you have specifically consented to us sharing your data with a particular third party; and
6.6 where we are required or permitted to do so by law or to protect or enforce our rights or the rights of any third party.
6.7 We sometimes transfer or store specific personal data outside the European Economic Area (EEA). If we do carry out any further transfers of your data outside the EEA, we will inform you and we will ensure that the recipient provides an adequate level of protection of your name and company addressees and other data we may have collected.
7 How long do we keep your data for?
7.1 We will keep all your personal data for as long as we believe there is a legitimate interest for us to do so and for as long as your company account remains open. You can choose to unsubscribe and remove your data at any time in the ‘My Participation’ tab in 'My Account' section of your profile.
7.2 If your individual profile account is inactive for a period of four years, we may from time to time send you a reminder email to remind you to use your account. If you still do not use your company account, we will send a further reminder email before deleting your account.
7.3 We may need to keep your data after account closure for limited purposes, for example if we need your data in order to respond to any complaints or claims that you make. If this is the case, we will only keep the data for as long as we need to in order to fulfil those purposes.
8 What rights do you have?
8.1 You have a number of rights under data protection law. These rights and how you can exercise them are set out in this section. We will normally need to ask you for proof of your identity before we can respond to a request to exercise any of the rights in this section and we may need to ask you for more company information, for example to help us to locate the personal data that your request relates to.
8.2 We will respond to any requests to exercise your rights as soon as we can and in any event within one month of receiving your request and any necessary proof of identity or further information. If your request is particularly difficult or complex, or if you have made a large volume of requests, we may take up to three months to respond. If this is the case, we will let you know as soon as we can and explain why we need to take longer to respond.
8.3 A right to access your information
8.3.1 You can access all of your online Account Data through the 'About Me' section of your Account.
8.3.2 You also have a right to ask us to send all data that we hold about you, which is typically information you have provided to us or added by you in your profile or committees you are registered to. A request to exercise this right is called a "subject access request" and must be made in writing to: firstname.lastname@example.org or to: Railway Industry Association, 22 Headfort Place, London, SW1X 7RY.
8.4 A right to object to us processing your information
8.4.2 If we have compelling legitimate grounds to carry on processing your personal data, we will be able to continue to do so. Otherwise, we will cease processing your personal data.
8.4.3 You can exercise this right by emailing email@example.com.
8.4.4 Remember that you can always amend and/ or erase all or some of your data at any time by emailing us on firstname.lastname@example.org or in writing to Railway Industry Association, 22 Headfort Place, London, SW1X 7RY.
8.5 A right to ask us not to market to you
8.5.1 You can unsubscribe from mailing lists and ask us not to send you direct marketing. You can do this at the ‘My Preferences’ tab if you no longer want to receive information. In relation to email marketing, you can also opt out by using the "unsubscribe" option in any of our email marketing communications.
8.6 A right to have inaccurate data corrected
8.6.1 You have a right to ask us to correct inaccurate data that we hold about you. If we are satisfied that the new data you have provided is accurate, we will correct your personal data as soon as possible.
8.6.2 You can update your own personal data at any time through your ‘My Account’.
8.7 A right to have your data erased
8.7.2 You can exercise this right by emailing email@example.com.
8.8 A right to have processing of your data restricted
8.8.1 You can ask us to restrict processing of your profile data in some circumstances, for example if you think the profile data is inaccurate and we need to verify its accuracy, or if we no longer need the data but you require us to keep it so that you can exercise your own legal rights.
8.8.2 Restricting your personal data means that we only store your profile data and don't carry out any further processing on it unless you consent or we need to process the data to exercise a legal claim or to protect your company.
9 How can you contact us?
10 What if you have a complaint?
10.1 You have a right to complain to the Information Commissioner's Office (ICO), which regulates data protection compliance in the UK, if you are unhappy with how we have processed your personal data.
10.2 You can find out how to do this by visiting www.ico.org.uk.
11 What if this policy changes?
Policy updated on 01 September 2018