NS Safety & Security Assistants
NS employs Safety & Security Assistants to keep the peace in and around public transport. As the employer of these SSAs, NS is responsible for the processing of data. Some of these data are processed pursuant to the Police Data Act instead of the GDPR.
What personal data do we use?
One of the duties of our Safety & Security Assistants is to check whether passengers have a valid ticket at stations and in trains. SSAs also keep the peace and monitor compliance with legal requirements and NS’s house rules and T’s & C’s. SSAs can also enforce the rules if they are violated, as well as supporting the police in their investigative duties. If an SSA processes personal data as part of their investigative duties, the Police Data Act ("Wpg") applies and not the GDPR.
For the SSAs to perform their duties properly, NS may have to process personal data, such as your contact data. If you are stopped and/or given a ticket (combo ticket, formal warning or a ticket for violating a travel or area ban), SSAs will collect your contact details, date and place of birth, a description of the offence, along with the time and place, your citizen service number, ID type and ID number. NS also collects financial data when processing and collecting on tickets for fare evasion and other offences. You can submit a complaint to NS about a ticket. In addition to the information you provide in your request, NS will collect contact data, data of birth, a copy of your OV chipkaart (if necessary) and the ticket number. If NS or an SSA reports an offence to the police, we will collect, as far as possible, contact information, place and date of birth, time, place and type of offence.
What do we use your personal data for?
The basis for the processing is: the execution of a legal obligation
Police Data Act
Daily policing duties (art. 8 Police Data Act): police data can be processed with a view to carrying out the daily policing duties: enforcing laws and regulations, providing assistance, surveillance, traffic matters and simple investigations.
Our information systems make use of key registers of government agencies with public duties, such as the Key Register of Persons (BRP) of the National Office for Identity Information (RvIG). We can also collect personal data from this key register.
We collect some (personal) data on the basis of another law:
Code of Criminal Procedure
According to the Code of Criminal Procedure, SSAs are obliged to establish the identity of a suspect. The Identification of Suspects, Convicts and Witnesses Act - and the accompanying decree - specify the data we must use for this purpose.
Safety & Security Assistant Decision
Safety & Security Assistants can also collect personal data for their investigative duties. For example, when giving a ticket or writing an official report in the event of a criminal offence and in the processing and (financial) settlement of these offences.
Finally, SSAs also have various supervisory duties. In the performance of these supervisory duties, personal data are processed pursuant to the provisions of the following regulations:
- Passenger Transport Act and Decree 2000
- General conditions of carriage of passengers and hand luggage of Nederlandse Spoorwegen (AVR-NS)
- General conditions of public urban and regional transport
- General terms and conditions NS International
- NS House rules
- House rules Intercity direct
With whom do we share this data?
We contract third parties to provide IT services. These third parties process our information solely for our own internal use, and for no other purpose. We have made agreements with these parties pertaining to the processing of personal information.
In some cases, NS will share your personal data with third parties, such as BOS Incasso, the Central Judicial Collection Agency - if you fail to pay your fine on time -, or the Public Prosecutor's office. We are required to provide your information to investigative agencies, such as the police, in the context of investigation and prevention of criminal activities.
We will not provide your personal information to persons or legal entities outside the European Economic Community unless we are legally obliged to do so.
How long do we store your data?
The Police Data Act sets retention terms for police data. We store police data processed in the context of performing daily policing duties for up to 5 years after the original processing data. After this term, the data are only retained for another 5-year term if needed for compliant resolution and accountability under article 14 of the Police Data Act. Formal warnings have a retention term of 6 months.
Data subject rights pursuant to the Police Data Act
The rights of data subjects in the Wpg are different from GDPR rights. The person to whom the personal or police data apply is called the data subject. The data subject has a right to:
- access;
- rectification;
- data erasure;
- limit data processing;
- object.
In the context of our policing duties, we are obliged to inform you of any data that are processed. We will also let you know when we have complied with your request for rectification, erasure, or limitation of data processing.
If you want more information about how your personal data are processed, you can submit a written request. If you believe that your data are not correct, you can submit a written request to us, specifying what must be changed.
We have the right to deny your request if:
- This would obstruct legal investigations or procedures;
- This would have negative consequences for our ability to prevent criminal behaviour, to track offenders, to investigate criminal actions, to prosecute suspects, or to punish offenders;
- This would jeopardise public safety
- This would violate the rights and freedoms of third parties;
- This would jeopardise national security. A request may also be denied if it is clearly an ungrounded or excessive request.
The NS Data Protection Officer monitors compliance with its obligations pursuant to the GDPR and Public Health Act. The contact details of the Data Protection Officer can be found at the start of this privacy statement.