Main Privacy Policy/Fair Processing Notice

1. Introduction

1.1. This Fair Processing Notice ("Notice") sets out the basis on which we will collect and process your personal data, and that of any third party whose personal data you supply to us, in the course of providing our services to you. It applies to (i) the persons exercising control over, the persons holiday executive functions and the ultimate beneficial owners of our customers; (ii) Fleet Managers; and (iii) Nominated Drivers. By using our services, you acknowledge that you have carefully read, understood and accepted the terms set out in this notice. Further notices relating to our processing of your personal data may be provided to you at the point of collection, in the event that additional information is required or processing is undertaken for new purposes.

1.2. This Notice is intended to explain our privacy practices and covers the following areas:

2. About us;

3. How we use your personal data:

4. Customer owners, persons exercising control and holders of executive functions;

5. Customer contacts;

6. Nominated drivers;

7. Who we may share your personal data with;

8. Processing of Special Categories of Personal Data and Criminal Conduct Data;

9. Export of personal data outside of the EEA;

10. How we may contact you;

11. Your rights;

12. Security and data storage;

13. Cookies Policy;

14. Links to other websites;

15. Storage limitation;

16. Changes to this Notice; and

17. How to contact us.

2.              About us

2.1. ALD Automotive Limited ("ALD", "we", "us" or "our") is a registered data controller. Details of our notification to the data protection regulator may be found in the Information Commissioner's Office Public Register of Data Controllers at www.ico.org.uk under registration number Z5755978. Our registered office address is Oakwood Drive, Emersons Green, Bristol BS16 7LB.

2.2 This Notice only relates to processing undertaken by or on behalf of ALD. Whilst our websites may contain links to other third party websites, we do not accept any responsibility or liability for those third parties' policies in relation to any personal data or their collection or processing of any personal data.

3.              How we use your personal data

3.1 The personal data that we collect and process will vary, depending on the relationship we have with you, as we only collect what we need to provide our services. We collect personal data relating to three groups of individuals:

  • Persons exercising control over, holders of executive functions and ultimate beneficial owners of our customers, as detailed at paragraph 4 of this Notice;
  • Customer personnel responsible for managing the customer relationship, as detailed at paragraph 5 of this Notice; and
  • Nominated drivers, as detailed at paragraph 6 of this Notice.

4.              Customer owners

Personal data we may collect from you

4.1 We collect the following personal data relating to the persons exercising control over, persons holiday executive functions and ultimate beneficial owners of each of our customers:

  • Name, Address and DOB.

Purposes for processing personal data


4.2 We collect this data in order that we can undertake credit references and screening checks to ensure our customers' creditworthiness and good standing, as set out below.

4.2.1       Anti-sanctions or politically exposed persons searches

We conduct anti-sanctions and politically exposed persons searches against commercial and publicly available databases.

4.2.2.     Credit reference checks


When credit reference agencies receive a search from us they may:

  • (if you are a director of the Customer or act as guarantor) place a search "footprint" on your credit file whether or not this application proceeds. If the search was for a credit application the record of that search (but not the name of the organisation that carried it out) may be seen by other organisations when you apply for credit in the future; and
  • link together the records of you and anyone that you have advised is your financial associate including previous and subsequent names of parties to the account. Links between financial associates will remain on your and their files until such time as you or your spouse/partner, or other persons with whom you are linked financially, successfully files for a disassociation with the credit reference agencies.

The credit reference agency will also supply to us:

  • credit information such as previous applications and the conduct of the accounts in your name and of your associate(s);
  • public information such as county court judgments and bankruptcies;
  • electoral register information; and
  • fraud prevention information.
     

If you are a director of the Customer or act as guarantor, if you are provided with a finance facility and do not repay in full and on time, we may tell credit reference agencies who will record the outstanding debt. These records may be used and shared by us and them to:

  • consider applications for credit and credit related services or other facilities, for you and any associated person;
  • to check details of job applicants and employees; and
  • trace debtors, recover debts, prevent or detect money laundering and fraud and to manage your account(s).

4.2.3.             Fraud prevention checks
We may conduct fraud prevention checks against databases held by fraud prevention agencies. These records may be used and shared by us and them to:

help make decisions on motor, household, credit, life and other insurance proposals and insurance claims, for you and members of your household; and
to manage credit and credit related accounts or facilities.

4.3  You have a legal right to obtain details of those credit reference and fraud prevention agencies from whom we obtain and to whom we pass information about you. You also have a right to further details explaining how the information held by fraud prevention agencies may be used. For further information about the use of your personal data by credit reference and fraud prevention agencies, please see here: https://www.experian.co.uk/crain/index.html and https://www.refinitiv.com/en/products/world-check-kyc-screening/privacy-statement


Lawful bases (detailed at Appendix 1)

4.4 We may also use your personal data to analyse our processes and procedures to identify and implement ways to improve and streamline our services.

4.5 We will rely on the following lawful bases in relation to this processing: Contract Performance, Legal Obligation, Legitimate Interests (establishing your credit worthiness and prevention of fraud, anti-sanctions and politically exposed persons searches) and, in limited instances, Legal Claims.

 

5.              Customer contacts

Personal data we may collect from you

5.1. We collect the following personal data relating to customer personnel responsible for managing the customer relationship with us:

  • Name; and
  • Work contact details.

Purposes for processing personal data

5.2. We collect this information for the purposes of correspondence in relation to the provision of our services to you. We may also use this information to analyse our processes and procedures to identify and implement ways to improve and streamline our services.

Lawful bases (detailed at Appendix 1)

5.3. We will rely on the following lawful bases in relation to this processing: Contract Performance, Legitimate Interests (communicating with you in the course of providing our services) and, in limited instances, Legal Claims.

6.     Nominated drivers

Personal data we may collect about you

6.1. We collect the following personal data relating to our customer's nominated drivers (whether from the customer, the nominated drivers themselves or from any third party):

  • Name;
  • Address;
  • Date of birth;
  • Your driving licence details;
  • Criminal offences or convictions;
  • Information about accidents;
  • Your marketing preferences (as to whether you wish to receive communication about the opportunity to purchase the vehicle at the end of the lease);
  • Employee identification number;
  • Email address;
  • Survey responses relating to your feedback on our service (should you choose to provide it);
  • Health information such as details of existing and previous physical or mental health conditions, health status, test results, medical diagnoses and treatment  where necessary for  providing our response to an accident or Vehicle damage/loss or for regulatory requirements, or insurance purposes as set out further in paragraph 7.2 below;

Additionally, where telematics services are used, we may also process:

  • GPS derived location data; and
  • Vehicle behavioural data, e.g. revving, idling, speeding (including any traffic or speeding offences or driver related convictions).  

Personal data we may collect from third parties

6.2.    In some instances, we may collect personal data about you from third party sources including the following:

  • Third parties who provide you with services relating to your vehicle such as roadside assistance providers;
  • Third parties who provide us, or a third party insurer relevant to your product or claim, with services e.g. loss adjusters, claims handlers, legal advisers, assistance providers, experts and, in limited circumstances, private investigators;
  • Third parties involved in your product or claim on your vehicle, e.g. other insurers, brokers, claimants, defendants and witnesses to an incident[, or checking no claims discounts];
  • Telematics providers;
  • Vehicle recovery tracing agents;
  • Financial crime, fraud or uninsured detection agencies, databases;
  • Government agencies and regulatory bodies including the police, the courts, the Driver and Vehicle Licensing Agency (DVLA), Driver and Vehicle Standards Agency (DVSA), the Department for Work and Pensions (DWP), Companies House and HM Revenue & Customs (HMRC); 

How and why we process your personal data

6.3. A summary is set out below of the purposes of processing of your personal data, the third parties it may be shared with, and the lawful bases we may rely on in order to process it. More information about lawful bases can be found at Appendix 1:

6.3.1. Correspondence relating to the Vehicle or use of the Vehicle

Lawful bases: Contract Performance; Legitimate Interests (communicating with you in the course of providing our services) and, in limited instances, Legal Claims;

Personal data may be shared for this purpose with your employer (our customer), the Vehicle manufacturer and/or any relevant dealer.

6.3.2. Driver feedback (as part of 6.2.1)

Lawful basis: Contract Performance; Legitimate interests (driving continuous improvement in our service)

Personal data may be shared for this purpose with your employer (our customer) and any relevant dealer.   

6.3.3. Managing Vehicle tax, registration and MOT

Lawful bases: Contract Performance; Legal Obligation, Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and, in limited instances, Legal Claims;

Personal data may be shared for this purpose with your employer (our customer) and/or the DVLA.

6.3.4. Handling traffic or parking infractions (e.g. fines)

Lawful bases: Legal Obligation, Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and Legal Claims;

Personal data may be shared for this purpose with relevant public or private bodies responsible for managing parking arrangements or traffic infractions your employer (our customer) to communicate to you, and/or fines management services, in the event that a fine has been levied.

6.3.5. Reporting in the event of potential criminal activity

Lawful bases: Contract Performance; Legal Obligation; Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services); where necessary to enable our customer to exercise its rights or fulfil its obligations as an employer; for reasons of substantial public interest for the purposes of administration of justice, preventing or detecting unlawful acts, safeguarding individuals at risk, regulatory requirements or insurance) and Legal Claims;

Personal data may be shared for this purpose with insurance providers, law enforcement agencies, your employer (our customer) to advise that a Vehicle leased to it may be involved, and the DVLA. This may include the processing of Criminal Conduct Data.

6.3.6. Providing services in response to an accident or Vehicle damage/loss

Lawful bases: Contract Performance; Legal Obligation;  Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services; In relation to health information or information relating to any activity that amounts, or may amount, to a criminal offence, our legal basis will be: where necessary to enable our customer to exercise its rights or fulfil its obligations as an employer; or for reasons of substantial public interest for the purposes of administration of justice, preventing or detecting unlawful acts, regulatory requirements, insurance, for safeguarding of individuals at risk)) and Legal Claims;

Personal data may be shared for this purpose with law enforcement agencies, insurers or impacted parties, your employer (our customer) to advise that a Vehicle leased to it may be involved, in the event of an accident or a potential claim. This may include the processing of special categories of personal data (health information), Criminal Conduct Data and/or information about any damage caused to the vehicle.

6.3.7. Delivery and collection of Vehicles

Lawful bases: Contract Performance; Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and, in limited instances, Legal Claims;

Personal data may be shared for this purpose with your employer (our customer), delivery and collection agents, dealers and replacement Vehicle providers.

6.3.8. Recovery of the Vehicle in the event that the Vehicle is not returned when appropriate

Lawful bases: Contract Performance; Legal Obligation, Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and Legal Claims;

Personal data may be shared for this purpose with recoveries agents, law enforcement agencies, legal advisors, your employer (our customer) and debt/tracing agencies.

6.3.9. Driver sales communications

Lawful bases: your explicit consent, where we have asked for such consent and you have chosen to provide it. Otherwise, we may rely on Legitimate Interests (to enable us to promote our products and services).

Nominated drivers who have provided explicit consent (via their employer) may be contacted once, at the end of the lease, to establish whether they would like to purchase the Vehicle. This information may be shared with your employer (our customer) or our disposal agent.

6.3.10. (Where applicable) providing Vehicle maintenance, repairs or replacement

Lawful bases: Contract Performance; Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and, in limited instances, Legal Claims.

In cases where your employer (our customer) has requested this optional service, we may share personal data for this purpose with repairs service providers, dealers, manufacturers, replacement Vehicle providers or your employer (our customer). This may include information about any damage caused to the vehicle.

6.3.11. (Where applicable) In relation to connected Vehicle services

Lawful bases: Contract Performance; Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services).  

In the event that you ask us to activate any manufacturer provided connected vehicle service, your personal data may be shared with both us and the vehicle manufacturer. The vehicle manufacturer's privacy notice will set out how the vehicle manufacturer uses your personal data as a data controller for the purpose of providing connected vehicle services. You remain responsible for the deletion of any personal data from any of the vehicle systems and for terminating your access to any manufacturer provided connected vehicle service prior to returning the vehicle to us. Please also note that we will not receive diagnostic information from such services in all cases, so it remains the Nominated Driver's responsibility to tell us if there is anything wrong with one of our vehicles.

 

6.3.12. (Where applicable) Delivering telematics services

Lawful bases: Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and, in limited instances, Legal Claims;

Personal data (incidental to telematics information) may be shared for this purpose with the customer, third party service providers for the purposes of arranging vehicle maintenance and servicing, third party telematics providers and their appointed sub-contractors, law enforcement agencies (which may include data relating to criminal offences in the event of a potentially criminal traffic infraction).


6.3.13 (Where applicable) Provision of Electric Vehicles

Lawful bases: Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and, in limited instances, Legal Claims.

Performance of a contract. Personal data will be passed to the vehicle manufacturer in order for them to secure any relevant grants related to the purchase of the vehicle and to activate and configure the vehicle for use in accordance with the vehicle's purchase order, subsequent use of the vehicle and services provided by the manufacturer in respect of the vehicle to our customers or nominated drivers.

Manufacturers will also pass to ALD, vehicle data including (but not limited to) odometer readings; service, maintenance and repair history and battery usage in order for ALD to maintain its asset and establish that maintenance is performed at the correct intervals.

 

6.2.14 (Where applicable) Funding of Electric Vehicle Home Chargers


Lawful bases: Performance of a contract. Personal data will be passed to the charger manufacturer and/or supplier in order to arrange installation of a charger funded by ALD and to secure any relevant grant related to the purchase of the charger.

Legitimate Interests (communicating with you in the course of providing our services) personal data may be shared for this purpose with your employer and the charging provider.


6.2.15 (Where applicable) Electric Vehicle Charging Reimbursement Service

Lawful bases: Performance of a Contract. Personal data will be passed to the charging provider through which ALD provides home and public electric vehicle charging reimbursement services to its customers. This is to enable the provider to contact you (the customer's nominated driver) and request them to set up an account with the provider, as required to supply the service.

The charging provider will pass to ALD personal data contained in invoicing and charging session records relating to reimbursed charging costs repaid by ALD on behalf of ALD's customer. This data may also be supplied by ALD to its customer (your employer). Legitimate Interests (communicating with you in the course of providing our services) personal data may be shared for this purpose with your employer and the charging provider.

6.3.16.    Analysis and improvement of our services

Lawful bases: Legitimate Interests (to enable us to review how we have provided services to you and improve performance of our services)

We may also use your personal data to analyse our processes and procedures to identify and implement ways to improve and streamline our services.

7.              Processing of Special Categories of Personal Data and Criminal Conduct Data

7.1. Some types of personal data are considered to be sensitive and are accorded greater protection under data protection legislation. These include:

7.1.1. "Special Categories of Personal Data" which include personal data that reveals racial or ethnic origin, political opinion, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data in order to uniquely identify a person or data concerning health, sex life and sexual orientation. Data concerning health covers Personal Data relating to the physical or mental health of an individual which reveals information about the individual's health status; and

7.1.2. "Criminal Conduct Data" which is Personal Data relating to criminal convictions or offences or related security measures.

 7.2. As a general rule, we do not process Special Categories of Personal Data or Criminal Conduct Data. However, in order to perform our obligations as the registered keeper of the vehicle and provide our services effectively, we are required to process sensitive information about nominated drivers in the following limited circumstances:

7.2.1. Health/medical information: As detailed at paragraph 6.2.6 above, we may process health information in the course of providing services in response to an accident or Vehicle damage/loss. This is due to the fact that we may receive accident reports in our capacity as the registered keeper of the vehicle and these sometimes contain a small amount of health/medical information. We may also process this data for regulatory requirements (for example informing the DVLA of any notifiable health conditions such as diabetes), where the processing may be necessary to protect the individual from physical, mental or emotional harm, and for insurance purposes (including to ensure reasonable adjustments are made to the vehicles to take account of medical or health conditions). We do not collect this information by any other means or for any other purpose.

7.2.2. This health information may be shared with law enforcement agencies or the DVLA, insurers or impacted parties, as well as your employer (our customer) in the event of an accident or a potential legal claim.

7.2.3. Criminal Conduct Data: As detailed at paragraphs 4.2.1, 6.3.5, 6.3.6, and, where applicable, 6.3.12 and 6.3.13 above, we may process information relating to criminal offences or potential criminal offences. We may also receive information relating to criminal convictions from law enforcement agencies or the DVLA, which may arise in correspondence that is incidental to our role as the registered keeper of the vehicle.

7.2.4. This Criminal Conduct Data may be shared for this purposes set out in the paragraphs 4.2.1, 6.3.5, 6.3.6, 6.3.12, 7.4.2 and 7.4.3 with our group companies, advisers, law enforcement agencies, your employer (our customer) to advise that a Vehicle leased to it may be involved, and the DVLA.

7.3. In addition to the usual appropriate technical and organisational measures we implement to ensure the security and integrity of the personal data processed by us, we may implement additional measures in relation to Special Categories of personal data and Criminal Conduct Data, as appropriate. These may include segregation, pseudonymisation or restriction of access to the data.

7.4. Our lawful basis for processing the personal data outlined at paragraph 7.2 above is Vital Interests (protecting individuals at risk of harm), Legal Claims, where necessary to enable our customer to exercise the rights or perform the obligations of an employer and reasons of substantial public interest, including the administration of justice, preventing or dtecting unlawful acts, regulatory requirements, safeguarding individuals at risk, and insurance requirements, in all cases where it is absolutely necessary and proportionate for us to do so. We rely on these bases for the following reasons:

7.4.1. In our capacity as the registered keeper of the vehicle, we need to be able to receive reports relating to any accident or damage caused to the vehicle. We are not in control of the content of these reports, which will in some cases also be used for insurance purposes. Given the relevance of health information to establishing and quantifying insurance claims, it is highly likely that these reports will contain health information. 

7.4.2. There is a presumption of liability on the part of the registered keeper of a vehicle in relation to most motoring offences. Where such offences amount to a criminal offence, we rely on the lawful bases listed above (including Legal Claims or Substantial Public Interest to process your personal data in relation to the offence to transfer liability accordingly. 

7.4.3.    In compliance with anti-money laundering regulations and the provisions contained in global sanctions and embargoes, we conduct due diligence database checks of persons exercising control over, holders of executive functions and ultimate beneficial owners of customer entities as part of our underwriting processes. Such checks may contain criminal convictions data, which we would only process as and if required to make and maintain credit decisions and terminate agreements and services.
 
7.5.    Further details of our processing of Special Category and Criminal Conviction data can be found in our Appropriate Policy Document, a copy of which is available on request from our Data Protection Officer at uk-dpo@aldautomotive.com.

8.              Who we may share your personal data with

8.1. Personal data of customer owners, persons exercising control and holders of executive functions may be shared with credit referencing agencies and anti-sanctions service providers, and in the event of a default, debt collection and tracing companies where we have been unable to collect a vehicle through our standard processes.

8.2. Special Category and Criminal Conviction data is shared on a restricted basis as set out in paragraph 7.2 above, otherwise all other personal data of customers and nominated drivers may be shared with the following third parties where necessary to achieve the purposes identified at 5.2 (in relation to customers) and 6.3 (in relation to nominated drivers):

8.2.1. Our group companies, which includes our subsidiaries, our ultimate holding company and its subsidiaries (as defined in section 1159 of the UK Companies Act 2006), in order to refine, perform and audit the services and as part of our general data stability analysis and their respective agents and contractors;

8.2.2. Our Service providers who process and store personal data on our behalf:

8.2.3. Maintenance and breakdown service providers

8.2.4. Insurance companies

8.2.5. Telematics providers

8.2.6. Vehicle recovery tracing agents;

8.2.7. Delivery and collection agents

8.2.8. Investigators and

8.2.9. Mailing agencies;

8.2.10. Our third party partners who process and store data on our behalf, where our agreement with you was completed through a dealer, broker  or a banking channel;

8.2.11. Third parties who provide maintenance and servicing of any vehicles you hire as part of the service;

8.2.12. The manufacturer/supplier of your electric vehicle charger or other electric charging provider supplying charging costs reimbursement funded by ALD;

8.2.13. Our professional advisers;

8.2.14. Our insurers;

8.2.15. Individuals who you nominate as referees to verify certain information;

8.2.16. Police and law enforcement agencies;

8.2.17. Your employer (our customer) and any relevant dealer, in connection with driver surveys; 

8.2.18. Any person to whom we assign our rights under your Agreement.

Other third parties:

8.2.19. in the event that our business, either whole or in part, is acquired by a third party (in which case personal data about customers will be one of the transferred assets);

8.2.20. we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce any contract with you; and

8.2.21. in order to protect our rights, property, or the safety of our employees, customers or others. This includes exchanging information with other companies and organisations for the purpose of fraud prevention and credit risk reduction.  We may search records which may be linked to your spouse/partner, or other persons whom you are financially linked, such as a fellow director if you are a company, a member of a partnership, or director of a company.

9.              Export of personal data outside of the EEA

9.1 We may transfer your personal data from the UK to countries within or outside the European Economic Area ("EEA"). The EEA has been approved by the UK Government as having adequate data protection legislation in place. The countries outside of the EEA may not provide the same level of protection as is available in the EEA. If we transfer your personal data outside the EEA, we will ensure that adequate levels of protection are in place in relation to the processing of your personal data.

9.2. Certain countries outside the EEA have been approved by the UK Government as providing essentially equivalent protections to EEA data protection laws and therefore no additional safeguards are required to export personal data to these jurisdictions. These countries are listed online at:

 

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/#adequacy 

 

9.3. Before transferring personal data to any non-EEA jurisdiction that is not subject to an adequacy decision, we will transfer it subject to the relevant clauses approved for UK transfer under UK data protection law, unless we are permitted under applicable data protection law to make such transfers without such formalities.

9.4. Please contact us using the details shown at paragraph 17 below if you would like to know whether any export of your personal data has been made or to see a copy of the specific safeguards applied to any export of your personal data.

10.              How we may contact you

10.1. If you are a fleet contact or nominated driver, we may send you alerts, important messages and other communications about our services by email, SMS or post.

10.2. We may offer you web based live chat services so that you can communicate with us about the products and services we provide. Please note that we will record and store the information and content from these communications, for the purposes as set out in this Notice.

10.3. All telephone calls both inbound to and outbound from ALD are recorded for the purposes set out in this Notice

11.              Your rights

11.1. Data Subjects have a number of rights relating to how their personal data is used. Please be aware that certain exceptions apply to the exercise of these rights and so you will not be able to exercise them in all situations. If you wish to exercise any of these rights we will check your entitlement and respond within a reasonable timescale. Where applicable, you will have the following rights relating to your personal data:

11.1.1. Access to your personal data: you may request access to a copy of your personal data. This information will generally be provided within one month of us confirming your identity and understanding the scope of your request.

11.1.2. Right to withdraw: You may also withdraw any consent provided in relation to driver sales communications, as detailed at paragraph 6.3.9 above.

11.1.3. Rectification: you may ask us to rectify inaccurate or out of date information held about you.

11.1.4. Erasure: you may ask us to delete your personal data and we will do so, subject to our legal and regulatory obligations to retain information. If the personal data has been made public, reasonable steps will be taken to inform other controllers that are processing the data that you have requested the erasure of any links to, copies or replication of it.

11.1.5. Portability: you may ask us to provide you with the personal data that we hold about you in a structured, commonly used, machine readable form, or ask for us to send such personal data to another data controller.

11.1.6. Restriction: you may require certain personal data to be marked as restricted in some circumstances, for example, whilst we resolve any complaint we may have received. Restriction means that whilst we still store the data, we will not process it until such time as the restriction may be lifted.

11.1.7. Right to object: you may ask us to stop any processing based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights.

11.1.8. Right to object to direct marketing: you may ask us to stop any processing for the purposes of direct marketing (however, we will only ever do this for the purposes identified at 6.3.9).

11.1.9. Make a complaint: you may make a complaint about our data processing to us directly, by contacting us using the details supplied at paragraph 17 below. You are also entitled to make a complaint to a supervisory authority. In the UK this is the Information Commissioner's Office, at https://ico.org.uk/.

11.2. In the event that you would like to exercise your rights, ask us a question about our processing of your personal data or make a complaint, please contact us using the details supplied at paragraph 17 below.

12.     Security and data storage

12.1. No data transmission over the Internet or through a website can be guaranteed to be secure from intrusion. However, In order to ensure fair and transparent processing, we will, taking into account our processing activities, adopt appropriate procedures for the processing of personal data, which shall include implementing technical and organisational measures which take into account the harm that may be suffered, and correct inaccuracies identified in personal data processed, so that risk of errors are minimised and your Personal data is processed in a fair and secure manner.

12.2. All information you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

12.3. We will treat all of your information in strict confidence and will endeavour to take all reasonable steps to keep your personal data secure once it has been transferred to our systems. We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal data, and data stored on our website and associated databases.

12.4. All information you provide to us is stored on our, or our suppliers,' secure servers and accessed and used subject to our security policies and standards. We ask that you:

12.4.1. Refrain from sharing any password providing access to any part of our website with any other person; and

12.4.2. Comply with any other security procedures that we may notify you of from time to time.

13.              Cookies policy

13.1. Our Cookies Policies are unique to each of websites and can be found by following the relevant link on each site.

14.              Links to Other Websites

14.1. Our site may, from time to time, contain links to and from the websites of our partner networks and affiliates.  If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies.  Please check these policies before you submit any personal data to these websites.

15.     Storage limitation

15.1. We will retain personal data for as long as is necessary for the processing purpose(s) for which it was collected and any other permitted linked purpose (for example, certain transaction details and correspondence may be retained until the time limit for legal claims in respect of the transaction has expired, or in order to comply with regulatory requirements regarding the retention of such data). So if personal data is used for two purposes we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period one that period expires. We restrict access to personal data to those persons who need to use it for the relevant purpose(s).

15.2 Our retention periods are based on business needs and relevant laws. Records that are no longer needed are either destroyed or irreversibly anonymised (and the anonymised information may be retained).

16.           Changes to this Notice

16.1 We may modify this Notice from time to time, so please review it regularly. If we change this Notice, we shall notify you by means of providing a notice on our website homepage. This Notice was last amended on 4 May 2023.

17.           How to contact us

If you have any queries relating to this Notice or use of your personal data, please contact our Data Protection Officer at dpo@aldautomotive.com

 

APPENDIX 1: LAWFUL BASES FOR PROCESSING

 

Use of personal data under UK data protection laws must be justified under one of a number of lawful bases. We have explained which lawful bases we rely upon at paragraphs 4-6 above, as applicable. A further description of those lawful bases is set out below.

Lawful bases relied upon for the processing of personal data generally:

Consent: If you have given your consent to the processing of those personal data for one or more specified purposes. You are free to withdraw your consent by contacting us using the details provided at paragraph 17. Where you do so, we may be unable to provide a service that requires the use of such data.


Contract performance: where use of your information is necessary to enter into or perform a contract you are party to.


Legal obligation: where we need to use your information to comply with our legal obligations.


Legitimate interests: where we use your information to achieve a legitimate interest pursued by us or a third party, and our or their reasons for using it outweigh any prejudice to your data protection rights.


Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.

Lawful bases relied upon for the processing of Special Categories of your personal data or Criminal Conduct Data, in the limited circumstances where it is necessary to do so (see paragraph 7 for more information):

For vital interests: Processing is necessary to protect the vital interests of the data subject, where the data subject is physically or legally incapable of giving consent. This condition is very limited in its scope, and generally only applies to matters of life and death.

To exercise the rights / obligations of an employer: In certain circumstances, we need to carry out certain tasks that are driven by our corporate customer's obligations and the driver's rights (such as making adjustments to the vehicle to accommodate a disability).

For legal claims: Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

In the substantial public interest: Processing is necessary for reasons of substantial public interest, on the basis of UK or local law, in line with the following conditions:

  • Administration of justice
  • Preventing or detecting unlawful acts  
  • Regulatory requirements
  • Safeguarding of individuals at risk
  • Insurance