Privacy policy

The RET considers it important to act in accordance with the rights and obligations outlined in the General Data Protection Regulation (GDPR) and the Police Data Act (Wpg). Therefore, it is important for the RET to be transparent with its customers about the processing of personal data. The RET also emphasizes the careful processing and security of customers' personal data. You can read about how we process data from our passengers and for what purposes in our privacy statement.

You can also find more information about the processing of personal data related to the new payment methods mentioned below. For more information on OVpay and the associated processing of personal data, you can also consult the privacy statement for OVpay.nl, use of OVpay, and the OVpay app here.

Frequently asked questions

  • What is personal data according to RET?

    At RET, we believe that privacy is a fundamental right that must be protected at all times. For this reason, RET treats any information related to an identified or identifiable person, or that can be linked to that person by RET, as “personal data.” This includes data that directly identifies you (e.g., your name) as well as data that does not directly identify you but can reasonably be used to identify you (e.g., the ID number of your public transport card).

  • What personal data does RET collect about you?

    RET processes various types of personal data. The most common types include:

    • Contact details, date of birth, payment information, debtor details, travel product information, and card details of your public transport card.

    In addition to these common types of data, RET processes other types of information. A comprehensive list of personal data processed for specific purposes can be found in Chapter 3 of RET's full privacy statement.

  • How does RET protect my personal data?

    RET handles personal data with care. It has implemented appropriate security measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. These measures include:

    • Physical security measures: Such as burglary alarms and access control.
    • Organizational and technical ICT security measures: Regular evaluation ensures that these measures remain appropriate.

  • With whom does RET share my personal data?

    RET does not sell personal data to other parties. However, it may share your data with third parties when necessary. Examples include:

    • Insurance companies: For handling claims.
    • Government agencies like the Tax Authority: Based on legal requirements.
    • Legal or arbitration proceedings: For asserting RET's position.

    These third parties are independently responsible for the use and processing of the data provided. RET shares only the minimum information necessary.

    For the efficient operation of the public transport card system, RET shares your transaction and product information with the card issuer, Translink Systems B.V. (Translink). 

    More information is available at www.ov-chipkaart.nl. In certain processes within the public transport card system, the transport operators and Translink act as joint controllers.

    RET also engages other parties (processors) to perform specific services. These processors may process personal data on RET’s behalf and under its instructions. Examples include:

    • Payment service providers, debt collection agencies, cloud and hosting providers, IT service providers, survey and campaign agencies, or research and consultancy firms.

    RET ensures that these processors adhere to strict agreements about data security, confidentiality, and proper use. They are not allowed to use or share the data independently.

  • Where can I ask questions about privacy?

    If you have questions about RET's privacy policy or its implementation, you can contact the privacy team. This team includes the Data Protection Officer and Privacy Officer. Contact them if you have a question.

    You can reach the privacy team via:

    Email: privacy(at)ret.nl

    Mail:
    RET NV
    Attn: Data Protection Officer
    PO Box 112
    3000 AC Rotterdam

Police Data Act

  • What is the Police Data Act (Wet politiegegevens)?

    The Police Data Act (Wpg) regulates how the special investigative officers (BOAs) of RET must handle police data processed during their enforcement tasks. It aims to safeguard citizens' privacy while enabling the BOAs to perform their duties effectively.

  • Where do the special investigative officers derive their powers from?

    A special investigative officer limits their investigative actions to what is necessary for the proper performance of the duties for which they have been appointed and sworn in. They refrain from any actions they are not authorized to perform. The BOAs of RET are tasked with investigating criminal offenses within domain IV: “public transportation.”

  • Where are your police data stored?

    Your police data are stored in RET's Social Safety System (SVS). This system was specifically developed by RET for the secure storage of police data.

  • Why are my police data being processed?

    The BOAs of RET process your data only when necessary to perform their enforcement tasks, such as maintaining public order and investigating criminal offenses within public transportation.

  • What types of police data are processed?

    The BOAs of RET process various types of data, including:

    • Name, date of birth, address, and identification documents;
    • Information about criminal offenses (offense codes).

  • How long do we retain your police data?

    The Police Data Act (Wpg) outlines three regimes for the retention periods of Article 8 police data:

    1. Broad access: Under this regime, police data are retained for one year. During this period, investigative officers have wide access to the data.
    2. Restricted access: Under this regime, police data are retained for four years. Access to the data is limited and can only be granted through a targeted search using a case number by authorized officers.
    3. For accountability to the AP, audit, and complaint handling: Police data are retained for five years under this regime before being destroyed. During this period, the data are no longer accessible unless required for accountability to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), internal audits, or complaint handling.