Keeping your data safe
RIA is committed to keeping your personal data safe and secure, and handling it in accordance with our legal obligations. This Privacy Policy sets out the purposes for which we process your personal data, who we share it with, and what rights you have in relation to that data.
Who are we?
RIA is the UK’s trade association for rail suppliers.
We are funded primarily by member company subscriptions and we do not aim to make a profit.
Our member companies fund us in return for their employees’ access to free or low cost information and events.
When you log in or create a new account with RIA, we ask you to share some of your personal data with us such as your first name and last name, and we collect information about your organisation including company address and your interests, so that we can personalise the service for you and show you relevant and useful content.
1 Who's in control?
1.1 We are responsible for deciding how and why your data is used and for ensuring that your data is handled legally and safely.
1.2 We have appointed a Data Protection Officer (DPO) who has ultimate responsibility within RIA for making sure your data is treated in accordance with this Privacy Policy and the rule of law. Our DPO can be contacted by emailing
[email protected].
2 What data do we collect and where from?
2.1 We collect some data directly from you when you create a new account with RIA (Account Data). This data includes the following:
2.1.1 your full name, surname;
2.1.2 your work-related email address;
2.1.3 the password you set up (encrypted) to access your account;
2.1.5 your company name, postcode and address; and
2.1.6 your communication preferences.
2.2 We also collect information that you voluntarily provide to us when you contact us with preferences, queries, complaints, comments or praise, or information that you voluntarily post about yourself on public areas of our platform (Voluntary Data).
2.3 We collect information about how you use our services; in particular, which RIA events you have attended, and which emails you have received and opened.
2.4 We collect information about how you use our website, using cookies like Google Analytics. This includes your viewing history, IP addresses, device identifiers and information about how long you have stayed on certain pages or what pages you have clicked on (Behavioural Data).
2.5 We collect information about your company including size, nature of business and rail related activities.
2.6 We collect information from research surveys such as our regular ‘Pulse surveys’. You can choose to respond to surveys and polls and these help us to understand our members’ and stakeholders’ opinions. In conducting our surveys, we will collect information about your company eg your companies’ interests, priorities and capabilities.
2.7 We also collect publicly available information from social networking sites such as LinkedIn, Instagram and Twitter, for example likes, shares, tweets on posts about RIA. This information is provided to us by a third parties, so we may from time to time share these posts with colleagues and/or members.
3 What do we use your data for?
3.1 This section sets out the different purposes for which we process personal data and which types of personal data we need for each purpose.
3.1.1 We use your Account Data and Behavioural Data to set up (mentioned above) to manage and administer your account, to log you into your account and to provide you with services that you request from us.
3.1.2 We use your Account Data to contact you regularly in order to deliver the information and events services you have subscribed to. As part of this we will also provide you with password resets, and account status messages if needed.
3.1.3 We use Account Data, Behavioural Data, Voluntary Data and Survey Data to help us monitor, analyse, deliver and improve our services.
3.1.4 We use the data collected to:
(a) facilitate networking opportunities
(b) enable us to assess our performance as trade association and to improve our products and services
(c) inform our marketing and promotional activities
4 How we use anonymised data
4.1 We use aggregated and anonymised data to help us understand what type of content users like. When used for these purposes, this data does not enable you or any other individual user to be identified.
4.2 We also promote our own content and features via third party platforms, such as social media sites.
4.3 You may see our material featured on social media; this usually works by using a hashtag to the third-party platform which is then tagged to records in order to identify and notify the tagged persons.
4.4 If you want to opt out of receiving such notifications, you need to do this through your profile or device settings.
5 What is our basis for using your data?
5.1 Data protection law says that we must tell you the basis that we rely on to process your personal data for the purposes and that we have notified to you.
5.2 In respect of the use of your email address for email marketing purposes, member companies pay for their employees to receive our services and information, and therefore any member company or employee of member company has consented to digital engagement with RIA.
5.3 You can withdraw your consent at any time by following the instructions to "unsubscribe" in any email communications.
5.4 We process other personal data on the basis that we have a legitimate business interest in ensuring that we communicate effectively with members and stakeholders. This ensures that we can continue to meet our remit as trade association.
5.5 You have the right to stop us from processing your personal data for the purposes set out above. Unless we can show that we have a compelling legitimate reason to continue processing your personal data, we will stop processing it. Remember that you can unsubscribe from mail you receive and change your preferences at any time.
6. Who do we share your data with?
6.1 We sometimes need to share minimal personal data such as your name and work email address with third parties. The third-party suppliers we share your personal data with are as follows:
6.2 third party service providers who help us to manage our customer database and registration process;
6.3 third party service providers who help us to manage our feedback process;
6.4 other service providers such as information security service providers who help us to manage our IT systems and ensure that they are secure.
6.5 where you have specifically consented to us sharing your data with a particular third party; and
6.6 where we are required or permitted to do so by law or to protect or enforce our rights or the rights of any third party.
6.7 We sometimes transfer or store specific personal data outside the European Economic Area (EEA). If we do carry out any further transfers of your data outside the EEA, we will inform you and we will ensure that the recipient provides an adequate level of protection of your name and company addressees and other data we may have collected.
6.8 You should also be aware that if you choose to share riagb.org.uk content on social media via "share" buttons on riagb.org.uk, the relevant social media platform will know what page you are on in order to share that page. The use of that information will be governed by the social media platform's own privacy policy and clicking the "share" buttons does not result in any other personal data being shared between RIA and the platform.
7 How long do we keep your data for?
7.1 We will keep all your personal data for as long as we believe there is a legitimate interest for us to do so and for as long as your company account remains open. You can choose to unsubscribe and remove your data at any time in the ‘My Participation’ tab in 'My Account' section of your profile.
7.2 If your individual profile account is inactive for a period of four years, we may from time to time send you a reminder email to remind you to use your account. If you still do not use your company account, we will send a further reminder email before deleting your account.
7.3 We may need to keep your data after account closure for limited purposes, for example if we need your data in order to respond to any complaints or claims that you make. If this is the case, we will only keep the data for as long as we need to in order to fulfil those purposes.
8 What rights do you have?
8.1 You have a number of rights under data protection law. These rights and how you can exercise them are set out in this section. We will normally need to ask you for proof of your identity before we can respond to a request to exercise any of the rights in this section and we may need to ask you for more company information, for example to help us to locate the personal data that your request relates to.
8.2 We will respond to any requests to exercise your rights as soon as we can and in any event within one month of receiving your request and any necessary proof of identity or further information. If your request is particularly difficult or complex, or if you have made a large volume of requests, we may take up to three months to respond. If this is the case, we will let you know as soon as we can and explain why we need to take longer to respond.
8.3 A right to access your information
8.3.1 You can access all of your online Account Data through the 'About Me' section of your Account.
8.3.2 You also have a right to ask us to send all data that we hold about you, which is typically information you have provided to us or added by you in your profile or committees you are registered to. A request to exercise this right is called a "subject access request" and must be made in writing to: [email protected] or to: Railway Industry Association, 22 Headfort Place, London, SW1X 7RY.
8.4 A right to object to us processing your information
8.4.1 You have a right to object to us processing any account data that we process where we are relying on legitimate interests as the basis of our processing. This includes all of your ‘About Me’ data that we process for all of the purposes set out in this Privacy Policy, with no exceptions (you can withdraw your consent to this at any time).
8.4.2 If we have compelling legitimate grounds to carry on processing your personal data, we will be able to continue to do so. Otherwise, we will cease processing your personal data.
8.4.3 You can exercise this right by emailing [email protected].
8.4.4 Remember that you can always amend and/ or erase all or some of your data at any time by emailing us on [email protected] or in writing to Railway Industry Association, 22 Headfort Place, London, SW1X 7RY.
8.5 A right to ask us not to market to you
8.5.1 You can unsubscribe from mailing lists and ask us not to send you direct marketing. You can do this at the ‘My Preferences’ tab if you no longer want to receive information. In relation to email marketing, you can also opt out by using the "unsubscribe" option in any of our email marketing communications.
8.6 A right to have inaccurate data corrected
8.6.1 You have a right to ask us to correct inaccurate data that we hold about you. If we are satisfied that the new data you have provided is accurate, we will correct your personal data as soon as possible.
8.6.2 You can update your own personal data at any time through your ‘My Account’.
8.7 A right to have your data erased
8.7.1 You have a right to ask us to delete your personal data in certain circumstances, for example if we have left the member company or if processed your data unlawfully and if we believe we no longer need the data for the purposes set out in this Privacy Policy.
8.7.2 You can exercise this right by emailing [email protected].
8.8 A right to have processing of your data restricted
8.8.1 You can ask us to restrict processing of your profile data in some circumstances, for example if you think the profile data is inaccurate and we need to verify its accuracy, or if we no longer need the data but you require us to keep it so that you can exercise your own legal rights.
8.8.2 Restricting your personal data means that we only store your profile data and don't carry out any further processing on it unless you consent or we need to process the data to exercise a legal claim or to protect your company.
9 How can you contact us?
9.1 If you have any questions or concerns about this Privacy Policy and/or our processing of your personal data, you can get in touch with us using:
[email protected].
10 What if you have a complaint?
10.1 You have a right to complain to the Information Commissioner's Office (ICO), which regulates data protection compliance in the UK, if you are unhappy with how we have processed your personal data.
10.2 You can find out how to do this by visiting www.ico.org.uk.
11 What if this policy changes?
11.1 We may make changes to this Privacy Policy from time to time. Any changes we make will be posted on this page. We may also notify you by email if significant changes are made.
Policy updated on 01 September 2018