Privacy Statement
Privacy Statement | Metro (wymetro.com)
For the purposes of the Data Protection Act 2018 and the General Data Protection
Regulation, GDPR, the ‘controller’ of the personal data which you provide is West Yorkshire
Combined Authority (‘the Combined Authority’, ‘we’, ‘us'). The Combined Authority is
registered with the Information Commissioner’s Office with registration number ZA051694.
Tel: 0113 251 7272 Email: DPO@westyorks-ca.gov.uk.
The Combined Authority is collecting this data and will process it for the purpose of
delivering the M-Card and Concessionary Travel Schemes, statistical monitoring and to
comply with government mandated obligations such as the National Fraud Initiative.
We would also like to keep you informed of offers relating to the above schemes. We will
only send you this information if you consent to receive it.
The data will be processed by the following organisations:
• Card printers (for the printing and posting of cards)
• Database management support (to ensure integrity, security and data recovery)
• West Yorkshire Ticketing Company (owner of the M-Card brand)
• Your employer (for the processing of the Corporate Annual M-Card only)
The Combined Authority will not share your personal information with any other organisation
or third party other than those named above, except in certain circumstances, which are:
- if we have a legal obligation to do so or if we are required or requested to do so by a
competent authority such as the police or a court - if we need to use or disclose your information to obtain legal advice or in connection with
legal proceedings - if we need to share your information to protect your vital interests if you are unable to give us consent or it is unreasonable for us to ask for your consent in the circumstances (e.g. if you are injured).
We will retain your account information (name, address, date of birth etc.) for 366 days after
either the expiry of the last registered card or, the date of the last transaction on an account
whichever is shorter. Pink M-Cards customer information will remain on the system unless the
customer requests that their information be deleted. Any incomplete customer records will be
removed after six months. Any medical information will be kept for three months after the
application decision, or three months after an appeal decision. After this time has passed, we
will safely delete your information.
Information provided to the Combined Authority for the purpose of administering a travel
pass under a National Concessionary Travel Scheme will be processed under Article 6(1)(e)
of the UK GDPR which states that processing is necessary for the purposes of a task carried
out in the public interest or in the exercise of official authority vested in the controller.
Information processed for all other travel passes will be on the basis of Article 6(1)(b) of the
UK GDPR, which states that processing is necessary for the performance of a contract with
individuals, to deliver goods and services requested.
We do not require consent to use personal data for these purposes. Your consent is needed
however if you wish to receive marketing communications.
the accuracy of their details as well as adherence to all associated terms and conditions.
Data subjects have a number of rights under the UK GDPR. These include the right to
access the information which we hold about you. In some cases you may have a right to
have your personal data rectified, erased or restricted, and to object to certain use of your
data. You have an absolute right to demand that you stop receiving marketing information.
This would not affect the legality of what we do with your personal data before you withdraw
consent and would not stop us from continuing to use your data to the extent that we do not
require your consent. It would stop us from further using data for purposes which require
your consent (e.g. marketing).
If you are unsatisfied with the manner in which we collect or handle your personal data, you
have a right to make a complaint to the Information Commissioner’s Office. Information
about how to make complaints can be found on the ICO’s website at ico.org.uk
We act in accordance with our corporate privacy notice, which provides further information
on personal data processing and how to contact us to make a request: