Data protection declaration
Hordaland County Authority, represented by Skyss, is responsible for storing and using your personal data in the application Skyss Ticket (the controller).
Personal data is all information that can be used to identify you. Below, you will find more information about how Skyss processes personal data and about your rights in relation to Skyss.
The purpose of Skyss’s processing of personal data in the Skyss Ticket app is to offer you as a customer an easy and secure way of buying ticket products, to create the correct conditions for efficient customer follow-up and to ensure that our inspectors can verify that you have a valid ticket.
Grounds for processing personal data
Skyss’s processing of your personal data requires a legal basis for the processing.
Processing of your personal data is necessary to meet the service agreement entered into between you and Skyss when you use the Skyss Ticket app and accept the terms and conditions of use, cf. the General Data Protection Regulation Article 6. 1b).
Using the Skyss Ticket app is voluntary. Skyss also offers anonymous ticket alternatives. You can find more information about anonymous ticket alternatives here.
What personal data does Skyss process?
When you use the Skyss Ticket app, the following personal data will be processed:
Mobile phone number
To use the Skyss Ticket app, you are required to set up a user profile. In this context, you are required to register your mobile phone number and enter a password. This is done so that Skyss can provide the service with secure and verified login. A mobile phone number is also necessary to ensure that you can have access to active season tickets or receipts for previous purchases if you lose your phone. The mobile phone number constitutes the unique user identification for the app and is the only personal data required in the user profile.
Name and sub-users
Entering names in the Skyss Ticket app is optional. This is a service for those who wish to enter sub-users in their Skyss Ticket account. Sub-users are also able to pay for their ticket using the funds placed in your Mobile Account. This only requires that you submit the mobile phone number to link relevant sub-users to your Mobile Account. You may also enter a name or nickname for these sub-users so that it is easier to distinguish different sub-users from each other. The names of any sub-users will also show up in the online portal for the Mobile Account.
Entering an email address in the Skyss Ticket app is optional. Email addresses are only necessary if you wish to receive receipts for your purchases by email. A complete overview of all your purchases over the past 20 months can also be obtained by logging into the online portal for the Mobile Account here.
Documentation of sale
All sales documentation is kept in accordance with the Bookkeeping Act. Travel information contained in your ticket purchase is only retrieved as personal data when initiated by you, for example in the event of a complaint or other enquiries that make it necessary to examine a specific purchase in more detail.
Information on method of payment
Bank cards: In order to pay with a bank card, there is an interface linked to a payment service that enables you to register a bank card via the Skyss Ticket app without storing your full bank account details in the app. If you choose to save one or more payment cards in your profile, it is nonetheless only the payment service that will have your full bank card details. The app only saves the first six and last four digits of the card number and the expiry date. This is required in order for customers to recognise the cards they have entered and to generate the necessary details that should be included on a receipt, as well as to efficiently maintain any right a customer may have to a refund.
Phone number: If you wish to pay via your telephone bill, your phone number is transferred to the mobile phone operators’ payment company, Strex.
Mobile Account: With Mobile Account, you can deposit a selected amount that you or any sub-users can use to pay for tickets. The system processes information on your balance and transactions linked to your Mobile Account, including your top-up, purchase, refund and credit history.
When you use the Skyss Ticket app or the online portal for your Mobile Account, your IP address, the time of the enquiry, information on the browser or mobile phone and the version number and mobile platform for the app, including choice of language, are logged in the application log. This information is required for the solution to work on the given platform and mobile phone, and is logged to ensure that the service functions as it should. This provides us with the necessary information to resolve issues if any errors occur.
No forms of analysis tools are used (e.g. Google Analytics) that map and log the usage patterns of identifiable users. The only related functionality is crash reporting via HockeyApp that provides fully anonymised crash reports and is an aid for ensuring quick rectification of errors if the application crashes.
When you accept that the Skyss Ticket app has access to the phone’s GPS, positional data is only used locally on the phone. No positional data is logged in the application that is forwarded to backend. The only travel information processed is the information on the chosen place/zone of departure and place/zone of arrival, which is necessary to document the purchase and calculate the correct price. The travel information linked to your purchase is stored and anonymised along with the other data in the sales documentation.
Data used in statistics and analyses are in de-identified form and thereby cannot be linked to you. Skyss is obliged to submit traffic figures to the central and municipal authorities, cf. the Statistics Act Section 2-2 and the Local Government Act Section 49. Statistics are also used to improve and further develop the services we offer our customers. Examples of what statistics tell us are how many people travel between which zones, the number of purchases per ticket category and how many people purchase tickets via which mobile platform (Android or iOS). Skyss collects information from the ticket purchases carried out via Skyss Ticket. Travel information contained in your ticket purchase is not used together with personal data to produce statistics.
Sources of personal data
All personal data processed in connection with Skyss Ticket are entered or generated by you. Skyss does not obtain personal data from third parties.
Skyss Ticket is provided by WTW AS (the processor). WTW processes your personal data on behalf of Skyss and this is regulated in a separate data processing agreement. The data processing agreement ensures that WTW processes all personal data in accordance with this data protection declaration.
Ticket inspections are conducted by Securitas on behalf of Skyss. A separate data processing agreement has been entered into with Securitas.
Disclosure to third parties
The personal information that is required to register and carry out the payment, may be disclosed to the provider of the chosen payment alternative. Skyss does not disclose your personal data to any third parties, other than those mentioned in this declaration, unless there are legal grounds for such disclosure, for example a ruling or written order from the prosecuting authorities.
Anonymised travel history can be used for statistical purposes. Anonymised data is not considered personal data, and can therefore be submitted to third parties.
Access to personal data
The personal data processed will only be available to authorised personnel with an official need at Skyss and our sub-contractors, including Securitas, payment services, WTW AS and operating contractors.
Storage and erasure
All data are stored in Norway in WTW’s server centre. The servers are operated by personnel in Norway. All data stored in the back-end system are stored in accordance with applicable legislation. Your personal data will not be stored for longer than necessary to achieve the communication purpose for which the application is used.
Both Skyss and WTW AS have implemented data security measures and internal procedures to verify that no personal data fall into the wrong hands or are used for other purposes than those described in this data protection declaration.
Your profile information is stored as long as you as a customer have an active contractual relationship with Skyss. You have the right at all times to request that your user account be deleted from the Skyss Ticket app. You will then have to register again if you wish to use the application at a later date. Your mobile phone number is verified the first time you log in from a new device. If you have entered other personal data in Skyss Ticket, you can edit these data at all times in your profile under ‘Settings’.
Transaction history and sales documentation
All sales documentation is stored for five years after the end of the accounting year, cf. the Bookkeeping Act Section 13 with pertaining regulations. The receipts for your last purchases will be available at all times in the Skyss Ticket app. In accordance with the requirements of the payment services, Skyss is obliged to give you access to sales documentation for all purchases made via the app or Mobile Account over the past 20 months. You can retrieve this information yourself by logging in to the online portal for the Mobile Account. After 20 months, the sales documentation is archived and anonymised.
Technical information and the application log
Different parts of the application log are stored for a sufficient period to ensure that the service works as it should and that you as a customer receive the service you are entitled to. For example, in the event of complaints based on faults in the service, the storage period for relevant application logs can be extended to allow the necessary period for considering the complaint.
All communication between the solution and applications that run on your mobile phone is encrypted. All access to the system via the internet is encrypted. All internal data transfer between different components in the system is encrypted. Access to retrieve data can only take place via API, which is encrypted and secured by access keys. Access to data via Skyss’s interface is role-controlled and personal with an incident log for traceability. The administration interface for the solution is designed with different levels of access so that only persons with a prescribed need at Skyss or WTW are given access to the amount of data relevant to their needs.
Your rights in relation to Skyss
You can access, correct and erase all personal data that you yourself have entered in your user profile for Skyss Ticket via the settings in the application.
Right of access
You may request access to the personal data that Skyss processes about you.
Right to correct
You may request that incorrect or incomplete personal data be corrected or supplemented.
Right of erasure
You may request that Skyss erases your personal data if the terms for this are met, for instance if Skyss has processed your personal data in an unlawful way or for longer than necessary.
Right of limited processing
You may request that the processing of your personal data be limited if you contest the accuracy of the personal data, the legality or necessity of the processing or if you have objected to the processing and Skyss has accepted your objection.
The processing will be limited from the time the objection is submitted and during the period of time it takes Skyss to assess the objection. If the processing shall be limited, Skyss is only allowed to store the limited personal data, and any other processing can only happen with your consent. This applies unless Skyss is required to process personal data in connection with judicial matters, to protect the rights of others, or if the processing is of public interest.
Right to object
You may object to the processing of your personal data if you believe Skyss does not have the right to process your personal data. In such cases, Skyss may only continue processing the data if Skyss can substantiate a justifiable interest that carries more weight than your interests, rights or liberties. The personal data may in any case be processed if Skyss is legally obligated to do so or if processing is necessary in order to establish, assert or defend a legal claim.
Right of data portability
You may request that the personal data you have submitted to Skyss for processing based on your consent or to meet a contract to which you are bound be sent to you in a structured, ordinary or machine readable format. You also have the right to request that Skyss transfer such information to another controller.
Right to complain to the Norwegian Data Protection Authority
You can complain to the Norwegian Data Protection Authority if you are dissatisfied with Skyss’s reply or believe that Skyss is processing your personal data in breach of the applicable data protection regulations. Information on the complaint procedure is available here.
If you have any questions relating to Skyss’s processing of your personal data or you would like to access, correct, erase or request limited processing or data portability, please use the contact form here.