LAST EDITED DATE: 01-MAY-2018
Automotive Compliance believe that the privacy of your personal information is important. This Statement is therefore designed to provide you with appropriate information, assurance and confidence that we are handling your data in a secure, professional manner, with the respect it deserves. This statement therefore addresses what personal information we collect and how we handle the personal information shared with us. Please read the following carefully to understand our views and internal practices.
For the purposes of the General Data Protection Regulations (GDPR), the data controllers are Automotive Compliance Limited, with the Data Protection contact being Mr Matt Riches.
This statement is subject to regular reviews and may be updated in accordance with changes to legislation or internal processes. The most up-to-date version will always be found on our website.
What personal data do we collect, and why do we do so?
We will not collect any personally identifiable information about you unless you provide it to us voluntarily. If you do not want your personal data collected, please do not submit it to us. Some information provided may be legally or contractually required and therefore, if not provided, will limit the services that Automotive Compliance and its Appointed Representatives are able to provide. Where a business collects your data using one of the Automotive Compliance systems, they do so as a data processor, and Automotive Compliance remains the controller of your data.
We process personal information to enable businesses that use our systems to recommend Financial Products and General Insurance Products that you are qualified to use, and which may help protect your vehicle(s); to maintain our accounts and records; to advertise our services to Automotive Businesses; to ensure that products you buy are safely and correctly registered; to ensure that all businesses that use Automotive Compliance systems are fit and proper; and to support and manage our employees. We also have a legal duty to process limited data to ensure that businesses that use our systems comply with current legislation set by the Financial Conduct Authority (FCA), Financial Ombudsman Service (FOS) and the Information Commissioner’s Office (ICO).
We process information only relevant for the above reasons/purposes, which may include;
- Personal and Family Details
- Financial Details
- Employment Details
- Goods/Services Provided
- Sensitive data, which may include physical/mental health, racial/ethnic origin, lifestyle/social circumstances.
By providing us with your contact details and providing consent, you are confirming that you are happy to receive correspondence from Automotive Compliance. In being able to manage the ways we contact you, four key methods will be used; Telephone, Post, Email and Text Message.
In certain circumstances we may also obtain information about you from our partners such as Experian, and also from companies that provide current owners’ data. If you would not like us to obtain your information through third parties, we suggest that you contact them directly so that they do not supply us with your personal information.
Automotive Compliance may also have to utilise Legitimate Interests as a method of contacting you. In GDPR, Legitimate Interest stipulates that there may be scenarios in which we will contact our customers without their consent to do so. This will include areas such as complaints, or a request for further information for a Regulator, as we have a legal, contractual or legitimate reason to advise you of such circumstances. When we process your personal information for our legitimate interest, we make sure to consider and balance any potential impact on you (both positive and negative) and your rights under Data Protection laws.
How might we share your personal data?
Automotive Compliance may share the information it collects about you and your vehicle (or business) with selected third parties for business purposes only. Where necessary or required, we will share information with;
- Business Associates (including Finance or Insurance Providers)
- Employees and contractors
- Current, past and prospective employers
- Goods/Service providers
- Financial Organisations
- Credit Reference Agencies
- Police Forces
- Suppliers and Central Government
A full listing of companies with whom Automotive Compliance may share your information is available upon request and on our website. Under GDPR, unless there is a legal, contractual or legitimate interest for us to share your information, you have the opportunity for your information to not be provided to third parties.
Automotive Compliance has carried out specific due diligence vetting on third parties to ensure that they are compliant with GDPR and further ensure that your personal data is handled in a manner required under legislation. Please note that Automotive Compliance will never sell your information on to other organisations.
The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (EEA). It may also be processed by staff operating out of the EEA who work for one of our suppliers on our current list of third parties. By submitting your personal data and agreeing for this to be shared, you agree to this transfer and its associated processing and storing. In some cases, the process will not require your consent as it will be a legally or contractually binding part of your dealings with us. Third parties which share your information outside of the EEA will be vetted accordingly to ensure that your data is being handled appropriately.
How can you be sure that your data is being handled correctly?
Automotive Compliance has carried out stringent checks throughout the organisation to ensure that your data is handled in a secure manner. Some key security measures that the organisation abides by include;
- A strict clear desk policy which ensures that no personal documentation is ever left unattended as well as lockable cabinets throughout the organisation
- Password protected, security encrypted security systems, including firewalls and antivirus protection systems for additional security
- Subject to internal Data Protection audits
- Restricted use of portable IT methods including USBs and laptops
- Information Security Policy and Data Protection Policy for internal staff to abide by
- Internal Data Retention Policy and shredding for disposal of protected documents.
How does this affect Cookies?
In some cases, we may collect information about you which is not personally identifiable via our website; however, under GDPR, if that information can be linked in some way to a living individual, this can now be classified as restricted data. Examples include obtaining your IP address, the type of internet browser you are using and the computer operating system that you are using, as well as the search engine you accessed to locate our website. Although all these are used predominantly for statistical purposes, these do have the potential to be linked to an individual and therefore fall within this statement.
As stipulated above, when you view the website, we may store some information regarding your computer and browsing habits. This information is stored in the form of a “cookie” or similar file and helps Automotive Compliance build a picture of where we can improve our customers’ online experience.
Our up-to-date cookie policy is found here: Cookie Policy.
Links provided in the Automotive Website may lead to third party websites. Using these links may mean that you leave the Automotive Compliance website. The information presented therein is the sole responsibility of the site owners. Automotive Compliance has no control or responsibility for the content of the independent sites and provides these links for website visitors for their convenience. If you decide to access any of the third-party sites from this website, you do so entirely at your own risk.
What are my Rights?
Under GDPR, individuals have far greater ownership of the way in which they are able to manage their own personal information. There are now eight areas in which you have rights, known as the Data Subject Rights, and they are broken down as follows:
Right to Access/Subject Access Requests – The Right to Access provides you with the opportunity to obtain all the information Automotive Compliance holds against you as an individual (also known as Subject Access Requests). The GDPR allows Automotive Compliance one month to provide you with all the information we hold against you, your vehicle and your address. This will solely be in relation to the person making the request. We will review all our manual and electronic data and provide you with everything accordingly. If your request specifies what documentation you require, this will assist us in responding to your request quicker.
Right of Rectification – If you believe that the information that Automotive Compliance holds about yourself is incorrect, inaccurate or incomplete, the right of rectification ensures that you can contact us and we will update it accordingly. We will provide you with confirmation once the update has taken place.
Right to Erasure – Under GDPR, you have the option for all records of your personal information held by Automotive Compliance to be erased. There are however a number of exemptions to this right, given that we may have legal or contractual rights to retain your personal information. If, however it is felt that Automotive Compliance holds information about you which is no longer necessary for the initial purpose it was collected, your right to erasure will be granted.
Right to Data Portability – GDPR provides you with the opportunity for your personal information to be provided back to you in a portable format. This means that you can transfer your data to a different provider without the need for you to provide it again to them.
Right to Withdraw Consent – Automotive Compliance would like to give you the opportunity to manage the way in which we communicate with you. Under GDPR, this is known as the Right to Withdraw Consent. If for any reason, you would no longer wish for us to contact you, either entirely, or via certain methods, this right can be exercised. This simply means that Automotive Compliance will update your contact preferences within our systems, as well as advising third parties with whom we have supplied your information, of your updated preferences also.
Right to be Informed – This right encompasses the need for transparency over how we use your data and is the intention for this entire document. It ensures that Automotive Compliance supply appropriate notification about our processing activities and ensure that they are concise, transparent, easily accessible, written in clear, plain language and free of charge.
Right to Restrict Processing – This allows you the opportunity to let us hold your data but not process it for marketing purposes. If you request this right to be actioned, Automotive Compliance will place you on a suppression list where it is no longer processed.
Right to Object – Under GDPR you can object to processing based on legitimate interest or a task classified as being in public interest, direct marketing and processing for purposes of scientific/historical research and statistics.
What would happen if my Personal Data was Breached?
As detailed throughout this statement, we will endeavour to ensure that your personal information is retained in accordance with legislation. However, if for any reason we discover that your personal information has been breached in any way, including lost, stolen or hacked, dependent on the level of its severity, we will ensure that the ICO and you as a customer, are made aware within 72 hours of us understanding that a breach has been made.
Automotive Compliance staff have been trained in being able to understand and appreciate whether personal information has been breached, and have a duty of care to ensure that the Automotive Compliance Data Protection Team is informed as soon as a breach has been identified.
Action will then be taken to minimise the risk to your personal data as seen fit in accordance with the incident, including following guidance from the Data Protection Team and the ICO. We will also inform you once we are fully aware that the additional security measures have been put in place to further secure your information.
How do you contact us with regards to your personal data?
If you wish to contact us regarding;
- The manner in which your personal data is handled
- Updating your personal preferences
- Utilising your personal rights
- Wishing to complain
email us at GDPR@automotive-compliance.co.uk
OR
Post your enquiry to
The Data Protection Team, Automotive Compliance, The Factory, 44 Alfred Street, Gloucestershire, GL1 4DD
Please note, we may require proof of identity in order to complete some requests. A copy of your driving licence is the most suitable, however other forms of photographic identity are also acceptable.
If you remain unhappy with the manner that your data is being handled in, and/or you feel that the response is not sufficient, please contact the ICO using their website www.ico.org.uk who are the supervisory authority for Data Protection within the UK.