1.1 This notice was last updated on the 19th June 2019.
1.2 This privacy notice (“notice”) describes what types of personal data Car Shops Limited and The Car People Limited (referred to throughout this notice as “CarShop”, “we”, “us” or “our”) collect from you, when, how and why it is collected, used and disclosed and how it is kept secure when you use our website www.carshop.co.uk and when you purchase goods or services from us.
1.3 It is important that you read this notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This notice supplements the other notices and is not intended to override them.
1.4 This website and our services are not intended for children and we do not knowingly collect personal data relating to children. If you are under 16 please do not provide us with any of your personal data unless you have the permission of your parent or guardian to do so.
1.5 It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us by contacting us using the details in Section 3 (How to contact us or make a complaint).
The contents of this notice may change from time to time. We will post any updates to this notice on our website www.carshop.co.uk/terms-and-conditions. You may wish to check this page to ensure you are still happy to share your personal data with us. Where we make material changes to this notice, we will also contact you directly to notify you of these changes.
3.1 We have appointed a data champion who is responsible for overseeing data protection for CarShop. If you have any questions about this notice, your rights under data protection legislation as set out in Section 12 (What rights you have under data protection legislation?) or the processing of your personal data generally, you can contact us free of charge at any time by using the details below:
3.1.1 By completing this secure web based form on our privacy portal
3.1.2 By writing to us at Data Privacy & Compliance Team, CarShop, 9 Cheyne Walk, Northampton, NN1 5PT
3.1.3 By contacting us by phone on 0333 800 1695 (Option 4)
3.2 If you are dissatisfied with our use of your personal data or our response to any exercise of these rights, you have the right to complain to your data protection authority, which in the UK is the Information Commissioner's Office (ICO), www.ico.org.uk.
3.3 CarShop is registered with the ICO as a data controller.
If you provide us with personal data on behalf of someone else, for example you provide your spouse’s name on a loan car form to allow the vehicle to be insured for them to drive, you confirm to us that you have their permission to pass their personal data to us and that they are aware of the contents of this notice and do not have any objection to our processing their personal data in accordance with this notice.
5.1 A ‘controller’ is a person or organisation who decides why and how your personal data is collected, used and shared. They are responsible for ensuring that the processing complies with data protection legislation.
6.1 Personal data means any information about a living individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We collect and process personal data about you which we have grouped together into different types of data to make it easier for you to understand what we do with your personal data and what our legal basis is for processing the personal data. Details of how we process your personal data and why are set out in Section 11 (Why we process your personal data) and details of the legal bases we rely on to process your personal data are set out in (What is the legal basis for processing your personal data):
6.1.1 Contact Data - details of your name(s), home address, previous home address, home phone number (including mobile), home email, work address, work phone numbers (including mobile);
6.1.2 Identity Data - details of your passport, driving licence, date of birth, utility bills, national insurance number;
6.1.3 Financial Data - details of your bank account, bank statements, payment card details, vehicle purchase agreement, your employment history and salary if required as part of your finance application;
6.1.4 Transaction Data - details about payments to and from you and other details of products and services you have purchased from us.
6.1.6 Location Data - details of your travel history or home address will be collected if a loan car has a vehicle tracker fitted or you have used the satellite navigation system in the loan vehicle provided by CarShop.
6.1.7 Image Data - photographic images and footage of you are collected via the operation of CCTV when you come into our showrooms or visit our stores.
6.1.8 Vehicle Data - details of your number plate are collected through the use of automatic number plate recognition technology when you drive into our store for a pre-booked service. You will provide details of your vehicle to us to make a service booking; although not personal data, this will be the registration number, make, model and type of vehicle. If you purchase a vehicle from CarShop we will retain details of the vehicle on our systems.
6.1.9 Audio Data - details of telephone voice calls may be recorded for monitoring, dispute resolution and training purposes when you contact us or we contact you from our stores or customer experience teams in our contact centres.
6.1.10 Social Network Data - details of personal data that is part of your public profile on a third party social network may be collected if you like, follow, message, post an opinion or comment on our social media pages.
6.1.11 Family Data - details of your direct family such as their name for example to purchase a vehicle for them and allow the vehicle to be registered to the correct keeper.
6.1.12 Public Authority Data - details about you and your vehicle held with the Driver and Vehicle Licensing Agency (DVLA) including any penalties you may have on your driving licence.
6.2 As a whole we do not collect the following special categories of personal data about you: details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, and information about your health or genetic and biometric data. Nor do we collect any information about criminal convictions and offences. In limited circumstances, for example if you lease a vehicle via the third party Motability scheme, we may collect details about your disability and mobility allowance to administer your application and check your eligibility to join the scheme. For further details about this scheme please visit Motability’s website https://www.motability.co.uk.
6.3 We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
8.1 Personal data you have given to us. We collect personal data when you provide this to us directly in the scenarios listed below:
8.1.1 by entering personal data via our websites, live chat boxes or social media platforms and through testimonials and opinions you may have posted publicly on our websites or social media platforms;
8.1.2 when you contact our customer experience teams based in our call centres;
8.1.3 on an enquiry form during a showroom or event that you have attended;
8.1.4 when you register interest in a vehicle in one of our stores;
8.1.5 when you complete customer surveys, provide feedback or participate in competitions we run online and in our stores;
8.1.6 when you place any order for our goods, products or services for example when you purchase a vehicle or book an appointment for your vehicle to be serviced in our store;
8.1.7 when you apply for a loan, personal contract purchase or lease agreement from one of our accredited finance providers to purchase your vehicle;
8.1.8 when you part exchange your vehicle and provide a service history of that vehicle;
8.1.9 when you provide documents to evidence your vehicle is covered by a valid insurance policy;
8.1.10 when you respond to an advertisement or any other promotional communication we may have sent to you;
8.1.11 by corresponding with us by phone, email, in person or otherwise (for example via social media) for any other purpose.
8.1.12 for accounting purposes your personal data is included on invoices;
8.1.13 to handle complaints or to provide information you have requested.
8.2 Personal data we may receive from finance providers and brokers. We collect the personal data from finance providers in the scenarios listed below:
8.2.1 If you have engaged a third party broker to act on your behalf to administer the purchase of a vehicle;
8.2.2 Our approved finance providers have a legitimate interest to provide your details to CarShop to allow us to contact you to discuss your options during the term of the loan contract. For example, if you have a Personal Contract Purchase (PCP) contract which is about to end in 6 months we will discuss all your options with you such as how to pay the balloon payment, changing your vehicle or returning your vehicle to allow you to make an informed decision before the contract ends.
8.3 Personal data we may receive from insurance providers. We collect the personal data from insurance providers in the scenarios listed below:
8.3.1 when we are required to carry out repairs on your vehicle as part of a claim you have made through your insurance company for the purposes of carrying out those repairs and providing you with a loan car.
8.4 Personal data we may receive from regulatory bodies. We collect personal data from regulatory bodies in the scenarios listed below:
8.4.1 from the Driver and Vehicle Licensing Agency (DVLA) to confirm if you hold a valid driving licence to allow the provision of a loan car or a test drive.
8.5 Personal data we may receive from other public sources. We collect the personal data from the following public sources in the scenarios listed below:
8.5.1 to assist the police or other public authorities with their enquiries and/or investigations.
9.1 We share your personal data with our accredited finance providers for the following purposes:
9.1.1 to administer your finance application on your behalf with our accredited finance providers;
9.1.2 to allow you to facilitate funding to purchase a vehicle.
We process information relating to your finance application on behalf of CarShop’s approved finance providers who are acting as data controller.
9.2 We share your personal data with our insurance providers for the following purposes:
9.2.1 If you decide to purchase additional regulated or non-regulated products or services during the sale or after the sale of your vehicle we may pass your personal data to the relevant provider to fulfil your request. For example, if you purchase a Vehicle Asset Protection (VAP) insurance policy for your vehicle we will pass your personal data to the insurance provider.
9.3 We do not sell your personal data to third parties. However, we may from time to time disclose your personal data to the following categories of companies or organisations to which we pass the responsibility to handle services on our behalf: roadside assistance service providers, vehicle collection & delivery, accident management, external third party body shops, direct marketing communications agencies and consultants, market research and market analytics service providers, our legal and other professional advisors.
9.4 We take steps to ensure that any third-party partners who handle your personal data comply with data protection legislation and protect your personal data just as we do. We only disclose personal information that is necessary for them to provide the service that they are undertaking on our behalf. We will aim to anonymise your personal data or use aggregated non-specific data sets wherever possible.
10.1 We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
10.1.1 Contractual performance - where we need to process your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
10.1.2 Legal or regulatory obligation - when we have to process your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
10.1.3 Legitimate interest - when it is in our legitimate interest (or that of a third party) and those interests do not override your rights and freedoms, for example when it is in the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us using the contact details set out in Section 3 (How to contact us or make a complaint).
10.1.4 Vital interests - where it is necessary to process your personal data to protect your vital interests or those of another person.
10.1.5 Consent - generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us using the contact details set out in Section 3 (How to contact us or make a complaint).
11.1 We have set out below, in a table format, a description of all the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
11.2 Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us using the contact details set out in Section 3 (How to contact us or make a complaint) if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
11.3 We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us using the contact details set out in Section 3 (How to contact us or make a complaint). If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
11.4 Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
When you are making an enquiry or negotiating to buy a vehicle
| Processing activity | Type of data | Legal Basis |
| --- | --- | --- |
| To respond to enquiries you send to us and fulfil the requests you make to us, for example to provide detail of the vehicle specification you have enquired about. | Contact data / Audio data | Contractual performance / Legitimate interest |
| When you provided your personal information to a third party website to enquire about a vehicle advertised, for example Autotrader. Your personal data will be forwarded to our Customer Contact Centre or a CarShop store to follow up your request. | Contact data | Legitimate interest |
| To arrange a test drive we have a legal obligation to check you hold a valid driving licence as required by law and for insurance purposes. | Contract data / Identity data | Contractual performance / Legal or regulatory obligation |
| Photographic images and footage of you are collected via the operation of CCTV when you come into our stores. This is for security, crime prevention and required for insurance purposes. | Image data | Legitimate interest |
Purchasing a vehicle
| Processing activity | Type of data | Legal Basis |
| --- | --- | --- |
| Completion of all mandatory sales documentation to purchase a vehicle and make payment non-finance | Contact data / Identity data / Vehicle data / transaction data / Family data if applicable | Contractual performance |
| Registering and taxing the vehicle with the DVLA | Contact data / Vehicle data | Contractual performance / Legal or regulatory obligation |
| To provide or manage any information, products or services you have asked for specifically related to the purchase of your vehicle for example the purchase of a VAP policy, Extended Warranty or a Paint Protection product. | Contact data | Contractual performance / Consent |
| If you are part exchanging / selling your vehicle to our store we will check your vehicle details via third party provider CAP-HPI this includes vehicle mileage, condition, outstanding finance and history before making an offer to buy the vehicle. | Vehicle data | Contractual performance / Legal or regulatory obligation |
| We will send a customer survey to you following your vehicle purchase to gain your feedback about our products and services provided. | Contact data | Legitimate Interest |
Purchasing a vehicle with finance
The processing activity detailed in the table below is in addition to ‘purchasing a vehicle’ if you would like CarShop to arrange finance for you.
| Processing activity | Type of data | Legal Basis |
| --- | --- | --- |
| To administer and arrange finance for you to purchase or lease a vehicle. | Contact data / Vehicle data / Identity data / Financial data | Legal or regulatory obligation / Legitimate interest |
| Completion of all documents to comply with the Financial Conduct Authority guidelines when administering finance on your behalf. | Contact data / Vehicle data / Identity data / Financial data | Legal or regulatory obligation |
| CarShop will enter your personal details into the finance provider's system, which allows the finance provider to conduct a credit check and affordability assessment on you before making a decision whether to offer you finance to fund your vehicle. | Contact data / Vehicle data / Identity data / Financial data | Contractual performance / Consent |
| If your application for finance is declined by the finance provider we will advise you of this before sending your personal information to another lender for consideration. We will always seek your consent before passing your application to CarShop approved finance providers or credit brokers. | Contact data / Vehicle data / Identity data / Financial data | Consent |
Vehicle maintenance, repairs and servicing
| Processing activity | Type of data | Legal Basis |
| --- | --- | --- |
| To contact you to book an appointment to bring your vehicle into the store which falls under your service plan for your vehicle. | Contact data / Vehicle data | Contractual performance |
| To collect or deliver your vehicle outside our store, for example to collect your vehicle from your home or work address to undertake service works on the vehicle. This service may be outsourced to an approved third party vehicle delivery company. | Contact data / Vehicle data | Contractual performance |
| Arranging a courtesy car subject to availability. If we agree to provide a courtesy vehicle to you for the duration of the works on your vehicle you will be asked to provide a copy of your driving licence. This is for insurance purposes and to ensure you hold a valid driving licence. If you incur any speeding, parking or other motoring offences when using the vehicle you will be liable for all costs and we will forward your contact data to the third party enforcing the penalties. | Contact data / Vehicle data / Identity data | Contractual performance / Legal or regulatory obligation |
| Our Customer Contact Centre may contact you in relation to all on-going servicing, repairs and maintenance of your vehicle, including any warranty claims. | Contact data / Vehicle data / Audio data | Contractual performance / Legitimate interest |
| Rectification works to your vehicle as part of an insurance claim. Your insurance provider may request your vehicle is repaired by one of our stores and they will share your personal information with CarShop for this purpose. | Contact data / Vehicle data | Contractual performance / Legitimate interest |
| We may capture your vehicle registration number when you drive onto our premises using ANPR to recognise you in relation to your service booking. | Contact data / Vehicle data / Image data | Contractual performance / Legitimate interest |
| Breakdown assistance: your personal details are provided by the breakdown provider to CarShop to complete the repairs, for example where the RAC towed your vehicle to our store for repair. | Contact data / Vehicle data | Contractual performance / Legitimate interest |
| We will contact you to notify you when your vehicle is due for servicing or MOT as a duty of care. The legal responsibility for maintaining the vehicle in line with the manufacturer’s guidelines is with you. | Contact data | Legitimate Interest |
| To contact you if there is an urgent safety or product recall notice issued by the manufacturer to arrange rectification works at our authorised store. | Contact data / Vehicle data | Vital interest |
| We may contact you with other communications relating to recommendations for maintenance of your vehicle, vehicle health checks or other similar services. | Contact data / Vehicle data | Legitimate Interest |
Processing necessary for us to promote our business and engage with our customers
| Processing activity | Type of data | Legal Basis |
| --- | --- | --- |
| If you are an existing or new customer to CarShop we will send you promotional marketing information including invitations to events in our stores and offers from time to time if you have purchased a product or service from us. You have the right to object to us sending you this information at any time. Please see section 14 in this privacy notice for further detail about your rights. | Contact data | Legitimate Interest |
| If you do not have a previous business relationship with CarShop or have never negotiated to buy a vehicle or purchased any of our products or services we will only send you marketing communications if you have opted in to receive these communications from May 25th 2018. | Contact data | Consent |
| To contact you with targeted advertising delivered online through social media and other platforms operated by other companies, unless you object. You may receive advertising based on information about you that we have provided to the platform or because, at our request, the platform has identified you as having similar attributes to the individuals whose details it has received from us. To find out more, please refer to the information provided in the help pages of the platforms on which you receive advertising from us. | Social Network data / Website data | Legitimate interest |
| To identify and record when you have received, opened or engaged with our website or electronic communications. | Contact data / Social Network data / Website data | Legitimate interest |
| To administer competitions and promotions that you enter with us from time to time and to distribute prizes. | Contact data | Consent |
| To undertake market analysis and research (including contacting you with customer surveys) so that we can better understand you as a customer and provide tailored offers, products and services that we think you will be interested in. | Contact data | Legitimate interest |
| We may take photographic images of you when you collect your new vehicle from the store or record video footage during store events with your consent to promote our business via social media channels or via our websites. | Image data | Consent |
Processing necessary for our business to operate on a daily basis and fulfil data protection laws
| Processing activity | Type of data | Legal Basis |
| --- | --- | --- |
| For general administration including managing your queries, complaints, or claims. | Contact data | Contractual performance / Legitimate Interest |
| Processing necessary for us to operate the administrative and technical aspects of our business efficiently and effectively. | Contact data | Contractual performance |
| For network and information security purposes i.e. in order for us to take steps to protect your personal data against loss, damage, theft or unauthorised access | Contact data | Legal or regulatory obligation |
| To comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request) | All types of data depending on the request | Legal or regulatory obligation |
| To inform you of updates to our terms and conditions and policies | Contact data | Legal or regulatory obligation |
12.1 Under certain circumstances, you have rights under data protection laws. These are set out below:
12.1.1 The right to request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
12.1.2 The right to request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
12.1.3 The right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
12.1.4 The right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
12.1.5 The right to request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
12.1.6 The right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
12.1.7 The right to withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
12.2 If you wish to exercise any of the rights set out above, please contact us using the details set out in Section 3 (How to contact us or make a complaint).
12.3 You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
12.4 We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
12.5 We try to respond to all legitimate requests within one calendar month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
13.1 We use a variety of security measures, including encryption and authentication tools, to help protect and maintain security, integrity and availability of your personal data.
13.2 Although data transmission over the Internet or website cannot be guaranteed to be secure, we and our business partners work hard to maintain physical, electronic and procedural safeguards to protect your personal data in accordance with applicable data protection requirements. Our main security measures are:
13.2.1 restricted personal access to your data on a 'need to know' basis and for the communicated purpose only;
13.2.2 highly confidential data stored in encrypted form;
13.2.3 firewalled IT systems to prohibit unauthorised access e.g. from hackers; and
13.2.4 permanently monitored access to IT systems to detect and stop misuse of personal data.
14.1 If you are wondering why you have received a communication from us, this is because we collected your personal data when we were negotiating a sale for example you asked us for a quotation, etc… You have the right at any time to opt out or update your preferences in terms of the marketing you receive from us and the manner in which we communicate with you. You can change your marketing choices, or withdraw your consent in relation to how CarShop use your personal information in one of the following ways:
14.1.1 Through a ‘marketing choices’ link to our data privacy preference centre in every email communication. This link will allow you to update your preferred promotional marketing choices and your preferred method of communication; or
14.1.2 By sending an email to firstname.lastname@example.org; or
14.1.4 By writing to us at Data Privacy & Compliance Team, CarShop, 9 Cheyne Walk, Northampton, NN1 5PT
15.1 We retain your personal data only as long as is necessary for the purpose for which we obtained it and any other permitted linked purposes. If personal data is used for two purposes we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period once that period expires. Our retention periods are based on business needs and your personal data that is no longer needed is either irreversibly anonymised or destroyed securely.
15.2 Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us using the contact details set out in Section 3 (How to contact us or make a complaint).
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy notices and statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
17.1 A 'cookie' is a piece of information that a website transfers to the cookie file of the browser on your computer's hard disk, so that the website can remember who you are. A cookie will typically contain the name of the domain from which the cookie has come, the 'lifetime' of the cookie, and a value, usually a randomly generated unique number. You can accept or decline cookies by modifying the settings in your browser. However, you may not be able to use all the interactive features of our websites if cookies are disabled. You can restrict the type of cookies being placed on your hard drive when browsing our website by clicking on the button ‘change cookie settings’ at the bottom of the web page.