Data Controller and Processor

Duration of the trial

The Flowly trial on the LUAS network will be held from December 2020 to February 2021.

Legal basis

The legal basis for this processing is the legitimate interest of the controller, which consists of testing a device for measuring the flow of passengers by developing aggregated and anonymous statistics to optimize public transport services.

Data Collection

As a part of this trail we are collecting and retaining the following personal data for below purposes :

Data	Purpose	Retention period
Media Access Control (MAC) address	Flowly Wi-Fi Data Collection trial	3 hours
Log data	Flowly Wi-Fi Data Collection trial	24 hours
Opposed MAC address	to allow exercise of Art. 21 GDPR rights	duration of the trial
Cookies	to allow exercise of Art. 15 - 22 GDPR rights through dedicated Flowly website	session duration
IP address	to allow Opposed MAC address execution	3 months
Data relating to customer queries and opposition requests received via email	to allow exercise of Art. 15 - 22 GDPR rights through dedicated Flowly email	12 months

Data Subjects are not subject to automated processing as defined in GDPR.

Data Storage and Transfer

All our data is stored in France (EU) by OVH (data sub-processor) and secured using current technical means.

Cookies.

A cookie is a text file that can be saved in a dedicated space on your terminal * when consulting an online service using your browser. A cookie file allows its issuer to identify the terminal in which it is registered, during the period of validity or registration of the said cookie.

* the terminal designates the hardware equipment (computer, tablet, smartphone ...) that you use to consult a site.

The site https://luas.flowly.re/ uses a technical cookie in order to maintain session state. This cookie is stored for the duration of the navigation and a maximum of 20 minutes after the end of it.

The site https://luas.flowly.re/ does not use cookies from third parties, either for traffic analysis or advertising purposes.

Most browsers accept cookies by default. However, you can decide to block these cookies or request to be notified when a site tries to implement a cookie on your device.

The help menu of your browser will allow you to know how to modify your preferences in terms of cookies (external links):

• Chrome
• FireFox
• Internet Explorer
• Opera
• Safari

IP Addresses

While browsing this site, your IP address is collected anonymously in logs.

Data Retention

Flowly SAS will retain any data collected in line with our data protection policies. This means that we will not hold information for longer than is necessary for the purposes we obtained it for. Depersonalised Wi-Fi data will be held for 24 hours. When this retention period is over, only aggregated data will be held.

Data Security

We take the privacy of our customers very seriously : a range technical and organisational measures are in place to control and safeguard access to, and use of, Wi-Fi data.

Each MAC address is automatically depersonalised (pseudonymised) and encrypted to prevent the identification of the original MAC address and associated device within first 3 minutes. The MAC address is then anonymised within 3 hours from detection on the Wi-Fi sensor.

The database is stored on a secure dedicated infrastructure within OVH tier three data centre in Paris, France. Collected data is stored in a restricted area of secure location with physical access to data centre governed through industry standard authentication methods.

Access is limited to a restricted group of users - ie only those whose access to the data is necessary for their role.

For more information, please see : OVH Infrastructure and Software.

Encryption keys are held securely in an industry standard computer program for secrets and key management. Data is protected using an industry standard one-way hashing algorithm. All data is encrypted at rest and when in transit.

Data Sharing

Processed and aggregated data will be shared by Flowly with Transdev Dublin Light Rail Ltd. (data controller) and Transport Infrastructure Ireland (government agency).

Data Protection Rights

Under certain circumstances, by law you have the right to:

• access personal data **
• request rectification of personal data **
• request erasure of personal data **
• request restriction of processing ** of personal data concerning data subjects
• object to such processing **

** prior to anonymization of the data - up to 3 hours after collection of MAC address, however post data anonymisation the data and associated GDPR rights are no longer available.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the personal information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request in order to speed up our response.

We try to respond to all legitimate requests within one month of receiving them. Occasionally, it may take us longer than a month if your request is particularly complex or if you have made a number of requests. In this case, we will notify you and keep you updated about our timing for response.

Data Protection Officer consider and coordinate responses to any requests that relate to an individual's rights under the GDPR and complaints from people whose personal data is processed as part of this trail. You can contact the Data Protection Officer by email: contact@flowly.re.

If you have any issues about our handling of your personal information or about our data protection compliance, you have the right to make a complaint at any time to the Data Protection Commission (DPC), which is the Irish supervisory authority for data protection legislation (including under the GDPR).