CUSTOMER PRIVACY NOTICE

1. INTRODUCTION

Dexel Tyre Company Ltd, trading as Dexel Tyre & Auto Centre™ (Company registration number: 00683166) is registered as a Data Controller with the Data Protection Regulator, The Information Commissioner's Office (ICO) on registration number ZA030667. This means that we are responsible for deciding how we hold and use personal data about you.

Dexel Tyre Company Ltd (“We”) only collects or uses personal and other information relating to its customers (“You”) for the purposes indicated within the Information Commissioner's Office’s register and as detailed in this privacy notice, in accordance with all applicable UK & International Laws.

This Privacy notice explains how we use your personal data: how it is collected, how it is held, and how it is processed. It also explains your legal relating to your personal data.

We are committed to protecting the privacy and security of your personal data as well as being transparent about how we collect and process that data.

2. WHAT IS PERSONAL DATA?

Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”.

In simpler terms, personal data is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.

3. WHY WE COLLECT AND PROCESS YOUR PERSONAL DATA

Under the GDPR, we must always have a lawful basis for processing your personal data. This may be because the data is necessary for our performance of a contract with you, because you have consented to our use of your personal data, or because it is in our and/or your legitimate interests to use it.

Your personal data may be used for any of the following purposes;

• Provide you with goods or services to you that you have purchased from us. This is done under the legal basis of performance of a contract.
• Contacting you about a manufacturers safety recall relating to a product you have purchased from us. Depending on the severity of the safety recall this may be done under the legal basis of vital interest or legitimate interest, as it is of the utmost importance that such faulty products are removed from your vehicle as soon as possible.
• To send you review/feedback requests to help improve our services. These messages will not include any promotional content and do not require prior consent when sent by email or text message. This is done under the legal basis of legitimate interests as it helps make our products and service offering more suitable to you.
• To send you annual vehicle maintenance schedules and usage-based safety reminder. These messages are tailored to you and will only include promotional content directly related to your vehicles particular maintenance schedule, or the vehicle part we have calculated should be approaching the manufacturers recommended replacement limit. As such these messages do not require prior consent when sent by email, post or text message. This is done under the legal basis of legitimate interests as we are helping you to proactively keep up to the date with the essential maintenance of your vehicle.
• To send you discount codes, special offers and/or information about promotions. These messages are not vehicle or customer specific and so will be sent under the legal basis of consent, meaning we will only send you these messages if you have provided prior contest for your data to be processed for these purposes.
  Consent will be asked for at the point of order when making a booking or placing an order online, or at the point of invoice in-store, referring to this privacy policy.
  Should you later wish to withdraw consent, you may do so using the unsubscribe link in any email you receive from us, or you may use our contact details (found in section 9) to make this request.

4. INFORMATION WE MAY COLLECT FROM YOU

Personal Information

When you place an order with us, either in-store or on our website (www.dexel.co.uk) we may collect some or all of the following personal data;

• Your Name
• E-mail Address
• Home Address
• Contact Telephone Numbers
• Payment Details
• Vehicle Registration Mark’s (VRMs)

Tracking & Performance Data

To help improve our website and better understand the buying behaviour of users, we use cookies which are small text files containing tracking information which are stored on your computer's hard drive. You can set your internet browser to reject cookies, however doing so may limit your ability to use some areas of our website.

Our cookies may hold some or all of hold the following information;

• A unique identification number to keep track of your order
• A unique reference number to help identify your order as a whole
• Product information
• Computer IP address
• Web Browser & version
• Page views & visit information

To find more about cookies and how we use them, please refer to our Cookie Policy.

Other Information about you

We may collect additional information from you such as;

• E-mail messages you send to us
• Recordings of any telephone conversations you may have with us for training, legal obligations, warranty and improvement purposes.

5. HOW LONG WE KEEP YOUR PERSONAL DATA

We will not keep your personal data for any longer than is necessary in light of;

• The reasons for which it was first collected (as outlined in section 3)
• Compliance with any regulatory requirements
• Defence against possible future legal claims

Once it is no longer deemed necessary to retain your personal data will either be deleted completely or anonymised, so that identification is no longer possible.

6. WHERE WE STORE YOUR PERSONAL DATA

We will only store your personal data in the UK. This means that it will be fully protected under the GDPR. However, we routinely transfer some of your personal data to third parties to supply services to you on our behalf (as outlined below in section 7). These third parties may store some or all of your personal data we have supplied in countries outside the European Economic Area (the “EEA” consists of all EU member states, plus Norway, Iceland, and Liechtenstein). These countries may not be required to adopt data protection practices as strong as those in the UK and/or the EEA as standard, however your personal data will only be permitted for transfer to third party suppliers, where we deem necessary steps have been taken to ensure that your data is treated securely and in accordance with this privacy notice.

The security of personal data transmitted via the internet cannot be guaranteed. Any transmission made to our website by you, is done so at your own risk. Once we are in receipt of your personal data, we take a number of important measures to protect it, as outlined below.

• We operate a bespoke software system that can only be accessed and read using a further bespoke application, which is stored on our firewall protected servers, and is password protected by user.
• All back-ups of the data stored within this system are encrypted and stored on additional firewall protected servers.

7. DISCLOSURE OF YOUR PERSONAL DATA

We may share your personal data with any member of our group, which means our subsidiaries, our ultimate holding company, and its subsidiaries, as defined in section 736 of the UK Companies Act 1985.

We also contract with the following third parties to supply services to you on our behalf, requiring them to have access to some of your personal data that we hold.

• Trustpilot, Inc.
  Primary Company Address:
  245 5th Avenue, 5th floor, New York, NY 10016, USA.
  

  Trustpilot, Inc. (“Trustpilot”)acts as a data processor on our behalf for the purpose of providing a review invitation service. When you make a purchase on our website, Trustpilot receives a copy of the order confirmation so they can e-mail you using an automated feedback service (AFS). When you make a purchase instore at one of our branches, your personal data is transmitted to Trustpilot for a manual review invitation to be e-mailed.

  The person data included in this data processing is;

  • Your Name
  • E-mail Address

  When a review invitation is sent via the automated feedback service (AFS), Trustpilot may store, but not process the following additional personal data;

  • Home Address
  • Contact Telephone Numbers

  Trustpilot may store and/or process your personal data outlined above in countries outside of the European Economic Area (the “EEA”), as Trustpilot engages with sub-processors in the processing of your personal data. The sub-processors engaged are as follows;

  • Trustpilot Ltd.
    Location: United Kingdom
  • Trpilot PTY Limited
    Location: Australia
  • Trustpilot UAB
    Location: Lithuania
  • Trustpilot GmbH
    Location: Germany
  • Sendgrid, Inc.
    Location: USA
  • Google Ireland Limited
    Location: Ireland
  • Amazon Web Services
    Location: Ireland, Germany, United Kingdom, France
  • New Relic, Inc.
    Location: USA

• Dotmailer Limited
  Primary Company Address:
  No 1 London Bridge, London, SE1 9BG, UK.
  

  Dotmailer Limited (“Dotmailer”) acts as a data processor on our behalf to provide an e-mail and SMS marketing automation service. Your personal data, combined with transactional and vehicle data is transmitted and stored in Dotmailer cloud-based platform. Dotmailer processes this data on our instruction to provide e-mail and SMS communication to you.

  The person data included in this data processing is;

  • Your Name
  • E-mail Address
  • Home Address
  • Contact Telephone Numbers
  • Vehicle Registration Mark’s (VRMs)

  For Dotmailer customer within the European Economic Area (the “EEA”), of which we are one, Dotmailer only store data personal in facilities within the European Economic Area (the “EEA”). However, Dotmailer engages sub-processors to provide support to their service, some of which are in countries outside the European Economic Area (the “EEA”). The sub-processors engaged in the processing of personal data are as follows;

  • Dynmark International Ltd (a dotdigital group company)
    Location: United Kingdom
  • Amazon Web Services
    Location: Ireland, Germany, United Kingdom, France
  • Cloudflare, Inc.
    Location: USA
  • GGR Communications Ltd
    Location: United Kingdom
  • MagneticOne
    Location: USA, Ukraine

• Cam Systems Ltd.
  Primary Company Address:
  Draycott Business Park, Dursley, Gloucestershire, GL11 5DQ, UK.
  

  Cam Systems Ltd. (“Cam Systems”) acts as a data processor on our behalf to transfer data from our website to our invoicing system. When you make a purchase on our website, Cam Systems’ cloud-based platform receives the order information, reformats it and transmits it into our invoicing system at the relevant Dexel Tyre Company Ltd branch.

  The person data included in this data processing is;

  • Your Name
  • E-mail Address
  • Home Address
  • Contact Telephone Numbers
  • Vehicle Registration Mark’s (VRMs)

  Cam Systems do not engage with any sub-processors and do not store or process any of your personal data in countries outside the European Economic Area (the “EEA”).

• Global Payments Inc.
  Primary Company Address:
  3550 Lenox Road, Suite 3000, Atlanta, Georgia 30326, USA.
  

  Global Payments Inc. (“Global Payments”) acts as a data processor on our behalf to provide a secure payment gateway solution for credit and debit card transactions on our website.

  The person data included in this data processing is;

  • Your Name (Cardholder’s Name)
  • Your contact information (Cardholder’s contact information)
  • Card Number

  Global Payments may process your personal data outlined above in countries outside of the European Economic Area (the “EEA”), as Global Payments engages with sub-processors in the processing of your personal data. The sub-processors engaged are as follows;

  • Transaction Network Services (UK) Limited
    Location: USA, United Kingdom, Australia, Hong Kong, Malaysia, New Zealand, Taiwan, Singapore

If any of your personal data is required by a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law.

We contract with third parties (as described above), and some of those third parties are located outside of the European Economic Area (the “EEA” consists of all EU member states, plus Norway, Iceland, and Liechtenstein). If any personal data is transferred to a third party outside of the EEA, we will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the GDPR.

In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.

We may also share your personal data with third parties if;

• Dexel Tyre Company Ltd or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.

8. YOUR RIGHTS

Under the GDPR, you have numerous rights concerning the processing of your personal data, which we always work to uphold.

The purpose of this Privacy Notice is to address the key transparency requirement under the GDPR, your right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details below in Part 9.

The other rights granted to data subjects under the GDPR are as follows.

Right to Access

You may contact us to ask what data we hold about you. We will provide this to you within 40 days of your initial request.

Depending on the complexity or sensitivity of the initial request we may issue a Subject Access Request (SAR) form to make sure we have clarity on exactly what data you are requesting. If a Subject Access Request (SAR) form is deemed necessary, then the 40-day response period will recommence from when we receive the completed form back. Should we require more than 40 days to process your request, we will contact you within the 40-day period and let you know.

Right to Accuracy

We always take steps to certify all data we collect is accurate, however, if you believe we hold data about you that is inaccurate, you can request we correct this data by contacting us using the details below in Part 9. If it is deemed that the complexity or sensitivity of the corrections requested requires a Subject Access Request (SAR) form to be completed, one will be issued.

Right to Object

If you are dissatisfied with how we are processing your personal data, you can provide details of your objection by contacting us using the details below in Part 9. If it is deemed that the complexity or sensitivity of the corrections requested requires a Subject Access Request (SAR) form to be completed, one will be issued.

You may ask us to restrict or completely stop processing your personal data. If we believe we have an overriding legal basis upon which we are processing your personal data, we will contact you stating our reasoning. If you are not satisfied with our response, you may appeal by referring the matter to The Information Commissioner's Office (ICO).

Right to Erasure

You may ask us to remove all personal data that relates to you by contacting us using the details below in Part 9. If we believe we have an overriding legal basis upon which we are processing your personal data, we will contact you stating our reasoning. If you are not satisfied with our response, you may appeal by referring the matter to The Information Commissioner's Office (ICO).

Right to Portability

You can us to provide any personal data held about you to another organisation in a universally compatible, machine readable format, such as a CSV file. You may make this request by contacting us using the details below in Part 9.

9. CONTACTING US

To invoke any of the rights listed above is known as a Subject Access Request (SAR) and should be made in writing by completing a Subject Access Request (SAR) form, available as a PDF here.

The Subject Access Request (SAR) form should be printed, completed and returned to us together with two types of identification as detailed in the Subject Access Request (SAR) form.

Valid proofs of identification include, but are not restricted to:

• Birth Certificate
• Passport
• Driver's License
• Bank statement
• Council tax bill
• Utility bill

Once completed, return the form and accompanying documents by email, to privacy@dexel.co.uk

Alternatively, send the form and accompanying documents to:

Data Protection Office,
Dexel Tyre & Auto Centre,
128 Staniforth Road,
Sheffield, S9 3JQ

We strongly recommend sending all postal communications by Recorded Delivery.

10. CHANGES TO OUR PRIVACY POLICY

We may make changes to this Privacy Notice without prior notification. Any changes we may make to our privacy notice will be posted on this page and, where appropriate, customers will be notified by e-mail.

It is your responsibility to be familiarised with the latest versions before using our website and our services.

This Privacy Notice was last updated on: 15th June 2018