Alerts 65 Bus

Privacy Statement

For the purposes of the Data Protection Act 2018 and the General Data Protection Regulation, GDPR, the ‘controller’ of the personal data which you provide is West Yorkshire Combined Authority (‘the Combined Authority’, ‘we’, ‘us'). The Combined Authority is registered with the Information Commissioner’s Office with registration number ZA051694. Tel: 0113 251 7272 Email:

The Combined Authority is collecting this data and will process it for the purpose of delivering the M-Card and Concessionary Travel Schemes, statistical monitoring and to comply with government mandated obligations such as the National Fraud Initiative.

We would also like to keep you informed of updates and offers relating to the above schemes. We will only send you this information if you consent to receive it.

The data will be processed by the following organisations:

- Local Councils (for the processing of Blind and Disabled Person’s travel passes only)
- Card printers (for the printing and posting of cards)
- Database management support (to ensure integrity, security and data recovery)
- West Yorkshire Ticketing Company (owner of the M-Card brand)
- Your employer (for the processing of the Corporate Annual M-Card only)

The Combined Authority will not share your personal information with any other organisation or third party other than those named above, except in certain circumstances, which are:

1. if we have a legal obligation to do so or if we are required or requested to do so by a competent authority such as the police or a court

2. if we need to use or disclose your information to obtain legal advice or in connection with legal proceedings

3. if we need to share your information to protect your vital interests if you are unable to give us consent or it is unreasonable for us to ask for your consent in the circumstances (e.g. if you are injured).

We will retain your account information (name, address, date of birth etc.) for 366 days after either the expiry of the last registered card or, the date of the last transaction on an account whichever is shorter. Pink M-Cards customer information will remain on the system unless the customer requests that their information be deleted. Any incomplete customer records will be removed after 3 months. Any medical information will be kept for three months after the application decision, or three months after an appeal decision. After this time has passed, we will safely delete your information.

Information provided to the Combined Authority for the purpose of administering a travel pass under a National Concessionary Travel Scheme will be processed under Article 6(1)(e) of the UK GDPR which states that processing is necessary for the purposes of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Information processed for all other travel passes will be on the basis of Article 6(1)(b) of the UK GDPR, which states that processing is necessary for the performance of a contract with individuals, to deliver goods and services requested.

We do not require consent to use personal data for these purposes. Your consent is needed however if you wish to receive marketing communications.

Please be aware that by registering a dependant’s details, you are responsible for ensuring the accuracy of their details as well as adherence to all associated terms and conditions.

Data subjects have a number of rights under the UK GDPR. These include the right to access the information which we hold about you. In some cases you may have a right to have your personal data rectified, erased or restricted, and to object to certain use of your data. You have an absolute right to demand that you stop receiving marketing information. This would not affect the legality of what we do with your personal data before you withdraw consent and would not stop us from continuing to use your data to the extent that we do not require your consent. It would stop us from further using data for purposes which require your consent (e.g. marketing).

If you are unsatisfied with the manner in which we collect or handle your personal data, you have a right to make a complaint to the Information Commissioner’s Office. Information about how to make complaints can be found on the ICO’s website at

We act in accordance with our corporate privacy notice, which provides further information on personal data processing and how to contact us to make a request: