Privacy

Transdev is the point of contact for all processing of personal data that Transdev processes of you. Under the General Data Protection Regulation (GDPR) and the Police Data Act [Wet politiegegevens], Transdev is the data controller. When paying for your travel using a public transport smart card [OV-chipkaart], debit card, or credit card, Transdev and Translink are the joint data controllers with respect to the processing of personal data.
 
Transdev operates various companies and brands, providing transport services under brand names such as Connexxion, Breng, OV Regio IJsselmond, and Bravo. We also provide transport services under our own name, Transdev. Transdev, Hermes (a Transdev subsidiary), and a third-party carrier provide bus services in Brabant province under the Bravo brand name.
 
The names of the companies and brands are subject to change over time as public transport contracts expire and new public procurement procedures for these contracts are initiated. Transport services are also provided under brand names owned by regional transport authorities, such as Breng in the Arnhem-Nijmegen region. The transport provider’s name will then not be visible on the vehicles and rolling stock, and not feature in the timetable or prominently on the website either.
 
If you are not sure whether you travelled on a Transdev (subsidiary) service, you can always check with our customer service.

Transdev operates the following and other entities and brands:

• Connexxion Openbaar Vervoer N.V.
• Connexxion Taxi Services B.V.
• Breng
• Hermes Openbaar Vervoer B.V.
• Bravo
• Overal
• Texelhopper
• OV Regio IJsselmond
• ParkShuttle
• Wij zijn Transdev
• Witte Kruis.

 
If you have any questions about personal data processing by Transdev, please send them to our Customer Service, stating ‘privacy statement’.
 
Contact details:
Transdev
Stationsplein 13
Postbus 224
1200 AE Hilversum, Netherlands
Tel: +31 (0)88 6251600
Listed in the trade register (Chamber of Commerce ) under number 30065787.
 
Witte Kruis has its own privacy statement, which is available here: https://wittekruis.nl/privacy-policy
 
Personal data processing by Translink and Dutch public transport operators jointly for the purposes of providing the OVpay service is governed by the EMV (Europay, Mastercard, Visa) privacy statement. For more information, see OVpay Privacy Statement.

Tickets
You need a valid ticket to travel by bus or train. Depending on the type of ticket, we process personal data. Personal data on you will be processed when you purchase a Transdev subscription and in a number of cases also when you purchase bar codes. When you pay for your travel using a personal public transport smart card [OV-chipkaart] or OVpay, personal data will have to be processed for you to be able to travel.
 
When checking in and out on public transport, transaction data are generated that are read electronically. We use these data to settle your travel transactions.
 
Data for public transport smart card or OVpay transactions are processed by Trans Link Systems B.V. You can check the transaction data for your public transport smart card in your transaction overview. On ovpay.nl/reisoverzicht, you can see for each day where you checked in and out with your debit card or credit card.
 
Special transport services
In various regions of the Netherlands, Connexxion Taxi Services provides special transport services for people with special needs. There are various forms of special transport. It is the responsibility of a local authority or the national government to make sure special transport services are available.

The following forms of special transport come under the local authority’s responsibility:

• Transport provided under the Social Support Act [Wet maatschappelijke ondersteuning]: The 2015 Social Support Act provides citizens with access to mobility-related resources and facilities. When it comes to transport facilities, this legislation distinguishes between individual facilities, such as a wheelchair and mobility scooter, and collective transport facilities, such as the regional taxi. Transport provided under the Social Support Act is available only to people with special needs. Whether someone has special needs is established by the local authority.
• Travel to and from someone’s place of supported employment (previously provided under the Exceptional Medical Expenses Act [Algemene wet bijzondere ziektekosten], currently provided under the Social Support Act).
• School transport: School transport is transport to and from educational institutions for primary and secondary education. The target group for this form of transport is made up of pupils and students in special education or pupils and students who cannot go to regular educational institutions near where they live.
• Transport provided under the Youth Act [Jeugdwet]: Provided under the Youth Act since 2015, transport as part of youth services concerns transport for young people to and from supported employment or facilities for short-term stays.
• Transport provided under the Participation Act [Participatiewet]: On 1 January 2015, the Supported Employment Act [Wet sociale werkvoorziening] became the Participation Act. It covers transport for people with an occupational disability from and to their work.

 
There are, furthermore, forms of special transport that are operated by other authorities and funded by the state:

• Valys: Valys is a taxi service created for interregional transport of a social and recreational nature.  While transport provided under the Social Support Act is capped to five zones, Valys provides transport over five zones or more. We do not operate a Valys service.
• Travel to and from work provided under the Work and Income according to Labour Capacity Act [Wet werk en inkomen naar arbeidsvermogen]
• Travel to and from vocational courses (WOOS).
• Transport provided under the Long-Term Care Act [Wet langdurige zorg] to supported employment or day treatment.

 
Finally, there is seated patient transport. This is transport by car (the patient’s own car or a taxi) or on public transport to institutions or practitioners for treatment. This transport is covered by the health insurance of the person concerned.
 
Police Data Act
Want to find out where you can catch your bus? Have a question about tickets? Our colleagues at Service and Security are on hand to assist our passengers day and night. All these colleagues are also certified special investigating officers and have special training to also maintain peace and security on and around our vehicles.
When a special investigating officer processes personal data in the performance of their investigative duties, such personal data processing is governed by the Police Data Act instead of by the General Data Protection Regulation (GDPR). We will treat personal data processing by special investigating officers under the Police Data Act separately from all other personal data processing.
 

We process personal data for the provision of our services. Please find below a list of the kinds of data we may process. Bear in mind that this does not mean that we need all these data for all our services. We process only those data that we need for the service in question. The data in question include:
 
General personal data

• Contact details: Name, address, town/city, telephone number, email address
• Date of birth
• Gender
• Respondent number
• Customer number, card number, form number
• Type of subscription/product, start date, purchase channel, duplicate history, public transport smart card chip number
• Complaint details, refund, lost & found
• Transaction details, including check-in and check-out details
• Data on current/past transactions and additional data, such as navigation data, publications/brochures requested
• Data from direct contact to be able to check
  • What the contact was about (such as a product, advice, offer, service call, message, complaint, information)
  • When the contact was, with whom, and via what medium (such as phone, post, chat, our website, email, newsletter, etc.)
• Financial data, bank/giro account number, payment method, payments made
• Employer contact details (if you have a subscription through your employer)
• Account number, payment method, and accounts receivable data
• Data on the use of one of the apps of Connexxion and its sub-brands
• Phone calls recorded for quality assurance and training purposes
• Audiovisual data; if applicable and to the extent permitted by law, we record inside vehicles and depots using surveillance cameras and we record phone calls, video calls, and chat conversations with our customers. We may use such recordings in, for example, investigations into facts of incidents or for training purposes.

 
Special category data

• Data concerning health

Personal data on children
We will only collect data on children if they use a Transdev service or when parents/guardians submit information on children in relation to their child’s travel product. We always ask parents/guardians for consent for such processing when we are required to by law.
 
Other personal data

• Citizen service number [Burgerservicenummer (BSN)], only if we have a legitimate ground for it
• Data on an offence in the context of an investigation by a special investigating officer.

We collect your personal data in the following ways:

• You share your personal data with us when you become a customer of ours, fill in a form online, sign a contract with Transdev, use our services, contact us using one of our communication channels, or visit our websites. 
• Your organisation or company becomes a customer or ours or is already a customer, and your personal data were submitted to us to enable us to contact your organisation or company and provide our services.
• Transdev uses apps to provide some of its services. To ensure the proper functioning of an app, Transdev may ask for consent to access and process certain personal data when the app is installed. Collecting and processing these personal data through apps is also governed by this privacy statement.

a). Provision of our servicesWe use information on you, such as your name and contact details, when you enter into a contract (of carriage) with us or when we have to contact you. We also use your data in keeping (financial) records, such as to send an invoice for services provided.
 
b). Risk reduction and securitySpecial investigating officer
In order to enforce public safety in and around public transport facilities, Transdev employs special investigating officers. Being the employer of these special investigating officers, Transdev is responsible for any personal data processing operations performed by these special investigating officers. Some of the personal data processed by special investigating officers are governed by the Police Data Act instead of the General Data Protection Regulation. If so, the lawful basis for processing is the performance of a legal obligation, namely day-to-day police task (Section 8 of the Police Data Act).
 
Special investigating officers check at stations and on buses and trains whether passengers hold a valid ticket. In addition, special investigating officers also maintain order and security, and ensure compliance with legal provisions. Special investigating officers respond to violations. They can also assist the police in their investigative duties. Instances where a special investigating officer processes personal data as part of their investigative duties are governed by the Police Data Act. All other cases of personal data processing are governed by the General Data Protection Regulation (GDPR).
 
Video surveillance
Transdev uses cameras on its vehicles, in buildings, and on sites, as well as for surveillance by humans and enforcement by special investigating officers. Recordings by these cameras are used to protect your and our property and staff. If necessary, we use these recordings for investigative purposes or as evidence in case of damage and associated claims. Recordings will be retained for a brief period only.
 
In the event of an incident, Transdev may, within the boundaries of the law, share video surveillance footage with the police and judicial authorities as evidence when reporting a criminal offence.
 
c). Performance of marketing activitiesWe regularly check in with you to get your opinion on our services. Any feedback you provide may be shared with employees to improve our offering or to better cater our services to your needs. We do this to build a good relationship with you and/or to maintain and expand our relationship with you, as well as for statistical and scientific purposes.
 
We can also send you newsletters with information about our services. Needless to say, you can object or withdraw your consent if you no longer wish to receive these special offers.
 
d). Product and service improvementWe process your personal data in the context of continuous improvement of our mobility services and to help our management in making decisions on our activities and services. By analysing how you use our mobility services, we gain insight into your travel behaviour and are able to find out how and where we can improve. For example: when a bus on a certain route gets very crowded with people at certain times, this may be reason for us to use a bus with greater capacity on that route.

e). Compliance with legal obligationsWe process your personal data to meet various legal obligations and requirements. When we want to process your personal data for a purpose other than the ones described above, we will seek your specific consent first. You are free to withhold consent or withdraw your consent later.
 

Transdev may be required under laws and regulations to transfer personal data to bodies designated by the law. The Dutch Tax and Customs Administration is one such body, which must receive data for subscription holders’ income tax return or in the context of audits and accountability.
 
In addition, Transdev is under an obligation to cooperate and provide personal data when requested by investigative authorities, such as the police and the Fiscal Intelligence and Investigation Service. Before sharing the data, we carefully assess whether the investigative authority in question is indeed authorised to receive the data.
 
Transdev may also provide personal data to the police or judicial authorities of its own accord, such as to protect our rights and property. We may also use personal data in legal proceedings or procedures before the Public Transport Disputes Committee [Geschillencommissie Openbaar Vervoer] to support our case. For research into traffic safety under the Local Rail Act [Wet lokaal spoor], the Human Environment and Transport Inspectorate [Inspectie Leefomgeving en Transport] (i.e. the industry regulator) receives research analyses sometimes that may contain personal data.
 
Processors
Whenever Transdev engages a third party to have personal data processed, we enter into a separate data processing agreement with such a processor. A data processing agreement stipulates what that processor can and cannot do with the personal data and what happens to the personal data when the processing operation has been completed. In these cases, Transdev will still be the party with ultimate responsibility for the personal data. We engage a research firm, for example, to process the customer surveys we conduct. We have, therefore, signed a data processing agreement with this firm.
 
Transparent Information Processes
All public transport operators in the Netherlands and the government aim for transparent, supply-oriented information provision in public transport. For an overall view of all public transport information, travel and transaction data collection has been centralised to the greatest degree possible. This is what we refer to as Transparent Information Processes. This data is collected and stored by Trans Link Systems BV (Translink). Since 1 January 2016, all public transport operators have been members of the Cooperative of Public Transport Operators [Coöperatie Openbaar Vervoerbedrijven]. Together, these operators own Translink, while all public transport operators and Translink are jointly designated as the data controllers for the processing of personal data for the Information Processes.
 
Transparent Information Processes identify travel patterns to support policy development and decision making. The aim is to optimise the mobility system in the Netherlands. Within overall mobility, the focus is on promoting efficient and effective public transport and optimised services to passengers, for which information about public transport is used to make statistics. This information consists exclusively of transaction data; it does not contain customer data such as your name or date of birth.
 
Transaction data are generated when you check in and out on public transport using your public transport smart card [OV-chipkaart] or debit card. You can check your transaction details in the transaction overview for your public transport smart card (on Mijn OV-chip on the OV-chipkaart.nl website), in the OVpay app, or on the OVpay website.
 
Transaction data used for statistical analysis are pseudonymised. When we pseudonymise data, we encrypt any identifiers, so that transaction data cannot be traced back to a person without additional information. After data have been pseudonymised, Translink converts the data into analysis files. These are sets of statistical data that do not contain personal data. These aggregated, statistical analysis files can be used to create information products that, for example, identify trends in passenger flows. This allows us to, for example, determine where new public transport links are needed. Pseudonymised transaction data are retained for a maximum of 18 months after the trip in question.
 
We may transfer such information products to government agencies and third parties with a remit or activities relating to (public) transport and improving services to passengers. The information products do, therefore, not contain personal data and are exclusively shared:

1. with public transport providers and government bodies, based on performance of the agreement with the passenger;
2. with scientific institutions, based on a legitimate interest;
3. with knowledge institutions, based on a legitimate interest;
4. with parties with a commercial purpose, based on a legitimate interest;
5. publicly, based on a legitimate interest.

 
A single point of contact has been set up to handle questions about the processing of your personal data for the purposes of compiling analysis files and information products. The single point of contact, Translink, can be contacted on privacy@ov-chipkaart.nl or privacy@ovpay.nl. Translink is also the body to turn to if you want to exercise your rights.

You can in some cases exercise your rights through your Mijn Transdev account if not, submit a request by email to: privacy@transdev.nl or by letter to:
 
Transdev
Attn The Data Protection Officer
Privacy Department
Postbus 224
1200 AE Hilversum, Netherlands
 
Your email or letter must provide the following information:

• State the legislation you are invoking, i.e. the GDPR or the Police Data Act [Wet politiegegevens].
• Describe the personal data you want to access, rectify, or erase. Or describe the personal data that you do not want to be processed.
• Your name, address, telephone number, email address, date of birth, and signature.
• A copy of the front and back of valid proof of identity. If you prefer, you can black out the photo and your citizen service number (Burgerservicenummer (BSN)). Check the central government website to see how to make a secure copy of your proof of ID. The copy of your proof of identity is needed only to verify your identity and will be deleted after your identity has been verified.
• You can also have someone else submit the request on your behalf, albeit that you will be required to authorise this person first. The parents or legal guardians of children aged under 12 do not need authorisation to submit requests on their child’s behalf. When acting on behalf of children aged between 12 and 16, authorisation from the child is required. Those aged 16 or over decide independently on the exercise of their rights. When submitting the request, include a copy of the passport of the authorised person. And a signed authorisation; state which data protection and privacy right you want to exercise.

 
Transdev will assess your request and send you a response within one month of receiving your request. In our response to you, we will let you know how we will grant your request. If we reject your request, you will receive a notice explaining the reason for rejection. If the request turns out to be a complex one or concerns a large number of requests submitted all at once, we may extend the processing time from one month to two months. If so, we will notify you of that within one month of receiving your request.
 
In handling your request, we will process your contact details and additional data relating to your request. The details of your complaint or request to exercise your data protection and privacy rights and the data required to handle your complaint or request will be retained for a maximum of one year after the calendar year during which it was handled. After that, they will be deleted.
 
Description of the data protection and privacy rights
Right of access
This is the right to access the personal data on you that Transdev holds. Transdev reserves the right to (partly) refuse to grant you access if such access harms someone else’s privacy. Family members do not have a right to access the personal data of a deceased next of kin.
 
Right to rectification
If you think your personal data are not or no longer accurate or complete, you can submit a written request to Transdev asking to have your personal data updated. If we do not proceed to rectify the data after receiving such a request, we will give you a clear explanation of why not. Certain data are easy to rectify or supplement yourself on your Mijn Transdev account. For data that is not available in your account, you can submit a rectification request. We will make sure third parties to whom we have transferred your personal data also rectify your personal data.
 
Right to erasure
You can ask Transdev to erase (some of) your personal data. If we do not proceed to erase the data in question, because we are required by law to retain certain personal data for a certain period of time, for example, we will provide a detailed explanation of why we are not allowed to erase the data.

This privacy statement governs the personal data we receive from you via these channels. The use of social media is your own responsibility. This privacy statement does not apply to the way social media platforms handle the personal data you provide to them. For more information about how these social media channels process your personal data, we recommend that you consult their respective privacy statements.