Unicard & Ecebs Privacy Notice

Who we are

Unicard Limited is a private limited company with a wholly owned subsidiary organisation known as Ecebs, both registered in England and Wales under registration number 04817824, with a registered office at Peartree Business Centre, Cobham Road, Ferndown Industrial Estate, Wimborne, Dorset, BH21 7PT. Unicard and Ecebs are both the “Controller” and the “Processor” of the personal information we collect, depending on the nature of the data collected.

What is personal data?

The term “Personal Data” means any information relating to you that identifies you, or through which you can be identified, directly or indirectly – in particular, by reference to an identifier such as a name, an identification number, location data, or an online identifier, or one or more factors specific to your physical, physiological, genetic, mental, economic, cultural, or social identity.

What is a Data Controller and a Data Processor?

Controllers make decisions about processing activities. They exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing.

A controller can be a company or other legal entity (such as an incorporated partnership, incorporated association, or public authority) or an individual (such as a sole trader, partner in an unincorporated partnership, or self-employed professional, e.g. a barrister).

Processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller’s interests rather than their own.

Although a processor may make its own day-to-day operational decisions, Article 29 says it should only process personal data in line with a controller’s instructions, unless it is required to do otherwise by law.

The purpose of this Privacy Notice

The purpose of this Privacy Notice is to let you know how we process Personal Data.

This Privacy Notice therefore explains what Personal Data we collect from you and how we collect, use, store, and disclose it when you use one of the software systems we supply to our clients. This Privacy Notice also contains information about your rights under applicable data protection legislation.

We are committed to compliance with data protection laws. We believe that ensuring data protection compliance is the foundation of trustworthy business relationships.

It is important that you read this Privacy Notice together with any other Privacy Notice we provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your data. This Privacy Notice supplements the other notices and is not intended to override them.

The data we collect

Unicard are a leading provider of software solutions for public and private sector transport management and smart ticketing.

In regard to the data we collect, this will mainly be sourced from an application into a smart ticketing travel scheme provided by one of our clients. We may also collect personal data from you when you visit our website and send us an enquiry from our “contact us” page. If you are a member of the public making an application into one of our clients’ smart travel schemes, we are acting as a data processor on behalf of our client acting as a data controller.

Unicard must process personal data (this may at times also include sensitive personal data) so that we can provide our services. Where Unicard is acting as the Data Controller, we will only use your Personal Data for the purpose we collected it and in accordance with the law. We will not use your Personal Data for any other purpose without your prior consent. The only exception to this is if it is required or permitted by law, such as where it is necessary for the prevention, investigation, detection or prosecution of criminal offences or the enforcement of civil law matters.

Unicard will process personal information in accordance with all applicable laws, including the UK and EU General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA 2018).

How do we use your personal data?

We collect, store, transfer, and therefore process your personal data in order to fulfil your request to use one of the travel or ticketing services provided by our clients.

We collect your Personal Data for the purpose of providing you with a smart travel card, travel ticket, or digital ticket under the travel scheme you have applied with. We will collect data about you – both personal data (such as your name and contact details) and sensitive personal data – if applicable.

Sensitive personal data, also referred to as Special Category Personal Data, is defined as data that needs more protection due to its sensitive nature. Additional obligations are placed on the Data Controller and/or Processor for them to process special category personal data lawfully, which comes under Article 9 of the UK and/or EU GDPR.

We will only use your Personal Data for the purpose we collected it and in accordance with the law. We will not use your Personal Data for any other purpose without your prior consent. The only exception to this is if it is required or permitted by law, such as where it is necessary for the prevention, investigation, detection, or prosecution of criminal offences or the enforcement of civil law matters.

In some jurisdictions, we are restricted from processing some of the data outlined above. In such circumstances, we will not process the data in those jurisdictions.

How we collect your personal data

We will collect your Personal Data directly from you in the following ways.

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • When you submit an application via one of the portals or websites that we have developed and provided to our clients.
  • When you submit an enquiry via our “contact us” page on our website.
  • When you contact the local authority or travel operator directly and this requires your data to be submitted to one of our provided software platforms directly via one of their representatives.

We may share this information with:

  • Microsoft (for email storage, should you contact us)
  • Euclid (production of physical card media)
  • Zendesk (Support desk software)
  • Paragon ID (production of physical card media)
  • Experian (used for identity verification in concessionary applications)
  • NMi (Network Merchants – our payment provider, if your local authority utilises payment for replacement cards)
  • SICE (Itchen Bridge)
  • Heycentric (payment provider)
  • Breezeuk.app
  • Trafi (Mobility-as-a-Service - MaaS)

Our legal basis for processing your data

The UK and EU GDPR (our global standard of compliance) requires that a Controller and a Processor must have a legal basis for processing Personal Data. Our legal basis for processing your personal information is:

(a) Your consent. We will obtain your consent when you submit an application via the associated website or portal you have applied on, and you are able to withdraw your consent at any time. You can do this by contacting the local authority or travel operator you have made your application with, or directly with us via one of the contact methods provided within this policy.

(b) We have a contractual obligation.

(c) We have a legal obligation.

(d) We have a vital interest.

(e) We need it to perform a public task.

(f) We have a legitimate interest.

In some cases, we may process special category data. This is afforded some extra protection due to its sensitive nature, and therefore, under UK and EU GDPR we are required to provide a lawful basis for processing, and a secondary condition under Article 9. More details can be found within our Record of Processing Activities, but the conditions we may rely on are:

(a) Explicit consent

(b) Employment, social security, and social protection (if authorised by law)

(c) Vital interests

(d) Not-for-profit bodies

(e) Made public by the data subject

(f) Legal claims or judicial acts

(g) Reasons of substantial public interest (with a basis in law)

(h) Health or social care (with a basis in law)

(i) Public health (with a basis in law)

(j) Archiving, research, and statistics (with a basis in law).

Marketing

With your consent we may contact you via email and/or phone to promote or inform you about our services. If you have provided consent, we may also contact you to promote services provided by third parties. Where we are legally required to obtain your consent to provide you with marketing materials, we will only provide you with such marketing materials if you have provided consent for us to do so.

Where we contact you for direct marketing purposes, we will comply with the requirements set out in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

To start or stop receiving marketing information from us, simply contact us by emailing: support@unicard-uk.com and / or dpo@unicard-uk.com

How long we will keep your personal data

We will only keep your Personal Data for as long as is necessary to fulfil the purposes we collected it for, which may include satisfying any legal, accounting, or reporting requirements. This will be context-dependent on our relationship with you and why we are processing your data. We may have legal (i.e. financial obligation) reasons to keep your data beyond its immediate use, but this will never be for longer than industry standard. The retention period depends on the type of Personal Data and the reason we are processing it. The retention period will also be defined by the data controller and the contract we hold with them for the provision of any ticketing services.

When calculating the appropriate retention period for your data, we consider the nature and sensitivity of the data, the purposes for which we are processing the data, and any applicable statutory retention periods. Using this criteria, we regularly review the Personal Data which we hold and the purposes for which it is held and processed.

Where not already stated in this policy, you can view our retention schedule by contacting us directly.

When we determine that Personal Data can no longer be retained (or where we must comply with your request to us to delete your data in accordance with your right to do so) we ensure that this data is securely deleted or destroyed.

Security of your personal data

To protect your Personal Data, we put in place appropriate organisational and technical security measures. These measures include ensuring our internal IT systems are suitably secure and implementing procedures to deal with any suspected data breach.

In the unlikely event of a data breach, we will take steps to mitigate any loss or destruction of data and, if required, will notify you and any applicable authority of such a breach.

Although we use appropriate security measures once we have received your Personal Data, you will appreciate that the transmission of data over the internet (including by email) is never completely secure. We endeavour to protect Personal Data, but we cannot guarantee the security of data transmitted to or by us.

Transferring your personal data outside the EEA

To provide our services, we may need to share your Personal Data with third parties and suppliers outside the European Economic Area (the “EEA”). If we do this, we will ensure your Personal Data receives the same protection as if it were being processed inside the EEA. For example, our contracts with our suppliers stipulate the standards they must follow to process Personal Data.

We currently implement the following safeguards to protect your personal data:

  • Encrypting data when in transit.
  • Implementing additional transfer mechanisms, as provided for by the applicable data privacy laws and the UK supervisory authority.
  • We only allow personal data to be processed in countries which the European Commission have confirmed have adequate protection for personal data (see European Commission - Adequacy decisions)

Your rights

You have rights under the data protection legislation and, subject to certain legal exemptions, we must comply when you inform us that you wish to exercise these rights. There is no charge, unless your requests are manifestly unfounded or excessive. In such circumstances, we may make a reasonable charge or decline to act on your request.

Before we action your request, we may ask you for proof of your identity. Once in receipt of this, we will process the request without undue delay and within one calendar month. In order to exercise your rights, please contact the Data Protection Officer at dpo@unicard-uk.com.

You can contact us if you wish to complain about how we collect, store, and use your Personal Data. It is our goal to provide the best possible remedy regarding your complaints.

However, if you are not satisfied with our answer, you can also contact the relevant competent supervisory authority. In the UK, the relevant supervisory authority is the ICO, contact details of which can be found below.

Your rights in connection with personal information are set out below:

Subject Access Request – You have a right to receive a copy of all the Personal Data we hold about you.

Rectification – If any of the Personal Data we hold about you is incomplete or inaccurate, you have a right to have it corrected.

Erasure – This is also known as the “right to be forgotten”. You have a right to ask us to delete your Personal Data where there is no good reason for us continuing to process it. However, certain criteria apply and if we have a legitimate reason to continue processing your personal data, we will not be legally required to delete it.

Objection – You have a right to object where we are relying on legitimate interests as our legal basis for processing your Personal Data, but in certain circumstances we may be able to continue with the processing. For example, if we have compelling legitimate grounds which override your interests, rights and freedoms, or your personal information is needed for the establishment, exercise or defence of legal claims. However, you have an absolute right to object to us processing your Personal Data for direct marketing purposes.

Restriction – You have a right to ask us to restrict the processing of your Personal Data in certain circumstances. For example, you may require us to suspend processing information about you whilst checks are made to ensure it is accurate.

Portability – You have the right to ask us to transfer any Personal Data you have provided to us to another party, subject to certain criteria being satisfied. We will provide this Personal Data in a structured, commonly used, and machine-readable format.

Right to withdraw consent – If you have given us your consent for the processing of your Personal Data, you can withdraw this at any time. Please note, the withdrawal has no effect on the legality of the data processing carried out in the past on the basis of your consent. To exercise your right to withdraw consent, contact us at: support@unicard-uk.com and/or dpo@unicard-uk.com

Right to complain – If you are unhappy with the way in which your personal information has been or is being processed, you have the right to make a complaint about it to the Information Commissioner’s Office (ICO). They can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

www.ico.org.uk

Your obligations

If any of your Personal Data changes whilst you are a user of our services, it is important that you update the information within your account to ensure that the data we hold about you is accurate and up to date.

How to contact our Data Protection Officer

We have appointed a Data Protection Officer (DPO) to handle data protection matters. If you wish to contact us to exercise any of your rights referred to above or any other data protection matter, please contact our DPO via email: dpo@unicard-uk.com

Data protection principles

We will comply with the EU GDPR, UK GDPR, and the DPA 2018. Article 5 of the UK and EU GDPR contains the data protection principles, which require that Personal Data shall be:

  • Processed lawfully, fairly, and in a transparent way.
  • Collected for specified, explicit, and legitimate purposes and not used in any way that is incompatible with those purposes.
  • Adequate, relevant, and limited to what is necessary.
  • Accurate and, where necessary, kept up to date.
  • Kept for no longer than is necessary for the purposes we have told you about.
  • Kept securely.

We operate according to the principles of the UK and/or EU GDPR, and PECR, regardless of the location of the data subject.

Cookies

Our website uses cookies. A cookie is a small file of letters and numbers that we put on your computer if you agree. These cookies allow us to distinguish you from other users of our website, which helps us to provide you with a good experience when you browse our website and allows us to improve our site. The cookies we use are "analytical" cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the site when they are using it. This helps us to improve the way our website works, for example by ensuring that users are finding what they are looking for easily. Where using our website, you can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.

Return home