Skip to main content
Powered by Transport for Greater Manchester

Who we are

Transport for Greater Manchester is committed to making sure that we tell you about the ways in which we use your personal information and that we have the right controls in place to make sure it is used responsibly and kept safe from inappropriate access, theft, or misuse.

This notice explains how we use your information and tells you about your privacy rights and how to law protects you.

What is personal information?

Personal information can be anything that identifies and relates to a living person. This can include information that can identify somebody when it is linked with other information. For example, this could be your name and contact details, or it could be a unique identifier such as a travel card number.

The law treats some information as ‘special’ because the information is more sensitive, and may need more protection. This information includes:

  • Racial or ethnic origin;
  • Sexuality and sexual life;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Political opinions;
  • Genetic and biometric data;
  • Physical or mental health; and
  • Criminal convictions or offences.


Your personal information may be collected and used for one or more of TfGM’s services or activities depending on your relationship with us.

Generally, we may need to use some information about you:

• to deliver services and provide support to you;
• to plan future services;
• to administer grants;
• to manage and check the quality of our services;
• to keep track of spending on services;
• if you apply for a job or become employed by us;
• to ensure the health and safety of our staff and members of the public using our services;
• to investigate any concerns or complaints you have about our services;
• to answer requests for information;
• to improve the experience of visitors to our websites;
• to manage your online and marketing preferences;
• in the event of civil disasters or emergencies; and
• for archiving, research or statistical purposes. This includes research and evaluation undertaken by us or in combination with other organisations to inform future service planning where it is not possible to use anonymised data.

Legal basis for processing

Generally, we collect personal information where:

• you, or your legal representative, have given consent;
• you have entered into a contract with us for a service;
• it is required by law (such as an Act of law or under a court order);
• it is necessary to perform statutory functions (including law enforcement);
• it is necessary for employment related purposes;
• it is necessary to protect you or others from harm;
• it is necessary for exercising or defending legal rights;
• you have made your information publicly available;
• it is necessary for archiving, research, or statistical purposes;
• it is necessary in the substantial public interest for wider benefits to society and is allowed by law;
• it is necessary to prevent fraud and protect public funds; and/or
• where it is in our legitimate interests (or those of a third party) provided your interests and rights do not override our interests.

Your personal information may also be shared with other organisations, including those who help us provide our services and those who provide technical help like data storage and hosting for us.

These arrangements and the laws about the sharing and disclosure of personal information are different for every service we offer.

For this reason, each of our key service areas have provide extra information about how they collect and use your information. These notices explain:

• why we need your information;
• who else we get your information from;
• the legal basis for collecting or using your information and the choices you may have;
• who we share it with and why;
• whether decisions which legally affect you are made solely using machine based technology;
• how long we keep your information; and
• how to exercise your rights.

These service specific privacy notices may be accessed here.

Data transfers beyond the UK

We will only send data outside the UK:

  • with your consent; or
  • to comply with a lawful and legitimate request; or
  • if we use service providers outside of the UK.

If we do transfer your information beyond the UK, we will make sure it is protected in the same way as it would within the UK. We will use one of these protections:

  • Transfer to an organisation within an EEA country who is legally obliged to comply by the General Data Protection Regulations and with who the UK has adequacy arrangements.
  • Transfer to an organisation in a non-EEA country with privacy laws which give the same protection as laws within the UK.
  • Put in place an appropriate contract with the organisation that means they must protect it to the same standards as the UK. Where appropriate an International Transfer Risk Assessment must also have been undertaken.

If we plan to make a transfer in response to a lawful and legitimate request we will normally tell you in advance, unless there is a reason for us not to, like law enforcement, or reasons of safety which justify not telling you.

Automated decisions

If we make a decision which legally affects you by using a computerised process that does not involve a human being, our service specific privacy notices will explain this. Our Guide to Exercising your Rights Guide to exercising your rights explains how you can ask us for an automated decision to be reviewed by a person.

Emergency Planning and Service Delivery - COVID-19 Update

This updated section to our privacy notice is to provide you with additional information about how TfGM may need to hold and disclose information about you in relation to the unprecedented challenges we are all facing during the Coronavirus pandemic (COVID-19).

We may need to collect, process and share information your personal data which is above and beyond what would ordinarily be done so about our staff and their dependants, and our customers.

Such information will be limited to what is proportionate and necessary, taking into account the latest guidance issued by the Government and health professionals. This is to effectively to fulfil our functions whilst keeping people safe, to allow us to put contingency plans into place to safeguard staff and customers, to aid business continuity, to assist in providing support to those most vulnerable and in need, and to assist in managing and controlling the virus.

Any information processed will only be kept for as long as it necessary, taking into account of Government advice and the on-going risk presented by Coronavirus. When the information is no longer needed for this purpose, it will be securely deleted. Further information is available in the data retention section below.

Our lawful basis for processing your personal data

The General Data Protection Regulation requires specific conditions to be met to ensure that the processing of personal data is lawful. A lot of what we will do with your personal data will be covered by existing powers in current laws and how we process your information and is outlined in the rest of this privacy notice and associated service specific privacy notices.

However the relevant conditions which apply in this situation are:

  • Article 6(1)(c) Legal Obligation - Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Article 6(1)(d) – is necessary in order to protect the vital interests of the data subject or another natural person.
  • Recital 46 adds that “some processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread”.
  • Article 6(1)(e) – is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. and the task or function has a clear basis in law.

For special category data:

  • Article 9 (2) (b) It is necessary to share sensitive information for the purposes of carrying out the obligations and exercising specific rights in the field of employment, social security and social protection law, as long as it has a clear basis in law.
  • Article 9 (2) (g) it is necessary for reasons of substantial public interest where there is a clear basis in law.
  • Article 9 (2) (j) GDPR Public health processing- it is necessary for reasons of public interest in the area of public health.

Data sharing
Any request for personal information will be considered on a case by case basis and will be managed in confidential manner. All information will be held securely and processed on a ‘need to know’ basis by only a limited number of people and the minimal amount of personal data will be used.

Where the information is to be used to make organisational decisions, steps will be taken to anonymise the data and general statistics/numbers used, wherever possible.

Data retention

We will only keep your information for as long as we need to for legal reasons, or for the length of time that we need to for our business needs.

Our Retention schedule tells you how long we keep certain types of information.

How we keep your information safe

We are committed to keeping your information safe and protected from accidental loss or alteration, inappropriate access, misuse or theft.

As well as technical, physical and organisational controls, we recognise that a well-trained, informed, and security alert workforce minimises privacy risks from human error and/or threats from malicious actors.

We require our service providers to implement appropriate industry standard security measures, and only allow them to process your personal information for specified purposes as written in our contracts with them.

Rights of Individuals

You may exercise the rights listed below in relation to TfGM’s use of your personal information.

Some rights only apply in certain situations. To find out more, please refer to our Guide to exercising your rights or alternatively visit the Information Commissioner’s website.

To exercise these rights, please contact TfGM’s Data Protection Officer (DPO). Contact details for the DPO are below.

Complaints to the Information Commissioner

If you are not satisfied with the way in which we have answered a request or concern, or how we have handled your information, you have the right to make a complaint to the Information Commissioner. Their contact details can be found on their website.

You do not need to complain to us first, but we would encourage you to contact our Data Protection Officer so we can consider your concerns as quickly as possible.

Data Protection Officer contact information

Whether you are exercising your rights or raising a concern, you will normally need to include documents that prove your identity as well as a clear and precise description of your request or concern.

We will process requests as the law tells us to, and within the times allowed by the law, and we will let you know if an extension of time will be needed.

To contact the Data Protection Officer:

By email:

By post: Data Protection Officer, Transport for Greater Manchester, 2 Piccadilly Place, Manchester, M1 3BG


To find out how we use cookies, and to manage your cookie settings, please use the cookies link at the bottom of the page.


We may update or revise this Privacy Notice at any time so please refer to the version published on our website for the most up to date details.

Service specific privacy notices

Each department within TfGM processes personal data for different purposes and under different legal bases. For more information on how we process your personal data please view the below service specific privacy notices:

Active travel
Audit and assurance
Bee Network Cycle Hire scheme
Bus Reform TUPE
Bus services
Clean Bus Fund survey
Commercial Services
Competitions and Prize Draws
Corporate Affairs
Customer Relations
Cycle and Stride Evaluation and Monitoring
Cycle hire scheme
DDRG filming and photography
Destination Bee Network Consultation(Dogs on trams)
Facilities management
Information Services
Intervention for Blind and Partially Sighted People at Bus Stop Bypasses
Logistics and environment
Projects group
Recruitment and Employment
Stockport Mixed Use Ramp Consultation Exercise
Surveys and Consultations
Transport Strategy
Visitors and Professional Contacts
White Ribbon engagement feedback survey
Voice of Customer survey (phase two)

Research specific privacy notices

As part of research activity that TfGM undertake, we may need to collect and process personal data. For further information on a certain research activity please see the individual privacy notices below:

Active Travel survey
Active Neighborhoods survey
Adapt and Build Back Better (ABBB)
Network principles
Sales funnel
Side Road Zebra Crossings
TfGM confidence survey
Metrolink customer confidence qualitative research
TfGM brand research focus groups
Big Active Conversation Feedback Survey
Bus reform
Bus reform - further consultation
Bus fare survey

Clean Air Plan Consultation
Concessionary pass survey
Destination Bee Network Consultation
Disruption Research
Further Clean Air Plan Consultation
Electric Vehicles Survey
Minimum Licensing Standards Consultation
Bee Network crossings consultation
Tram-Train Customer Research
Our Pass Evaluation
Fares and Ticketing
Town and City Centre Survey
Travel information and ticketing research
Travel Diary Survey Privacy Notice
Vantage bus features survey
HGV financial support scheme survey
School Streets Monitoring and Evaluation Research Privacy Policy
Mancunian Way junction survey privacy notice
Rochdale Oldham Ashton bus survey
Walking, wheeling and cycling survey
GM cycle hire survey
Voice of customer survey
Leigh Salford Manchester Busway Stakeholder discussions
Rochdale Oldham Ashton Quality Bus Transit Resident Survey privacy notice
Trafford Park Link Surveys privacy notice
A555 Resident and Business Surveys
Oxford Road survey privacy notice

If you’re unsure what the research was called then please feel free to get in touch with us at