The data controller for Toomey Motor Group is Laindon Holdings Limited, our parent company.
Personal data is any information relating to an identified or identifiable living person. We process personal data as a data controller pursuant to the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018.
Our policy is to be transparent about why and how we process personal data.
What data do we collect?
We may collect the following information:
First name, last name, form of address, job title
Date of birth
Vehicle information (incl. VRN, VIN, service reminders, mileage, and warranty information)
Details of any transactions between you and us
The date and time you used our services
Other information relevant to customer surveys and/or offers
Credit/debit card information provided to us other than online
Voice recordings of calls you make to our customer service centre
"Live chat" records
How do we use your information?
We use your information for various purposes including accounting, billing and audit, credit or other payment card verification, fraud screening, event organisation, customer satisfaction reviews, safety, security and legal purposes, statistical and marketing analysis, systems testing, maintenance and website development. We also collect your personal data for the purposes of detecting and preventing crime when you visit our premises and we capture your image on our CCTV systems.
We process your personal data in accordance with our obligations under applicable data protection laws and regulations. Accordingly, we will not sell, distribute, or lease your personal data to any third parties unless it is necessary for us to fulfil our obligation to you, we have your permission to do so, or we are required by law to disclose your information to competent authorities e.g. the police, or regulatory bodies e.g. the ICO.
We process your personal data in accordance with our obligations under applicable data protection laws and regulations, for the following reasons:
to provide you with the services you have requested
to comply with applicable laws and regulations
for administrative purposes
to provide you with information about us and our services
internal record keeping
for statutory or contractual requirements
improvement of our products and services
advertising our products and services (subject to your marketing preferences)
We use the information you provide to fulfil any orders placed through the Online Parts and Accessories Shop. This will include the following:
processing of payment information
communicating with you regarding your order
screening orders for potential risk or fraud
providing you with a confirmation invoice/order confirmation
delivery of our products and services
arranging for shipping
providing information regarding the despatch of your goods
Occasionally, we may need to contact you by mail, email and/or telephone for administrative or operational reasons – for example, to send you confirmation of your purchase(s). These communications are not made for marketing purposes and as such, you will continue to receive them even if you opt out of receiving marketing communications from us.
How do we collect your information?
You may choose to submit your personal information to us by filling in an online form on the websites that are used by our Online Parts and Accessories Shop to deliver its services.
We will only ever use your personal data for marketing purposes if we have your consent to do so.
We use a third-party provider to deliver our marketing emails. If you have opted in to receiving marketing communications from us, we will collect the following information on your email consumption:
how you interacted with each email: e.g. whether you opened, deleted, or forwarded the email, and details of any links you clicked.
the type of device you used to open the email.
your browser type and operating system.
your geographic location.
What is our legal basis for processing your data?
We rely on the following lawful bases to process your personal data:
consent (for example to send you direct marketing by email)
contractual relationship (for example to provide you with goods or services that you have bought from us, or when you agree to participate in user experience research)
legal obligation (for example carrying out due diligence on agreements)
legitimate interests (see below)
Our legitimate interests
Personal data may be legally processed if the processing is in the legitimate interest of the organisation using the data, provided such use is fair and does not adversely impact the rights and freedoms of the individual concerned. The data can also be processed in the legitimate interests of the data subject.
We always assess if our processing of your personal data is fair and balanced and if, in our opinion, it is within your reasonable expectations. We will balance your rights and our legitimate interests to make sure that we use your personal information in ways that are not unduly intrusive or unfair.
Who do we share your information with?
We cannot do everything ourselves, so often we need to share your personal information with trusted third parties who have the skill, experience, and expertise to deliver the goods or services you need or to provide you with the services or information you have requested.
We share your personal information with the third parties listed below for the reasons stated:
We may also share your personal data with other parts of Toomey Motor Group Limited.
How long do we keep your information?
We retain your personal data in a live environment for as long as necessary to fulfil the purpose(s) for which it was collected (including as required by applicable law or regulation, typically 7+ years). We may keep your data for longer to establish, exercise, or defend our legal rights and yours.
We are required to keep details of financial transactions for 7 years to meet accountancy and HMRC requirements. We will anonymise or delete personal data if, after a period of seven years, we have not had any contact or communication from you (this will be measured on a rolling seven-year period).
We maintain data retention criteria to help implement this. This takes account of our legal and accounting obligations, balancing this with what would be considered reasonable.
Where there is a need to retain your personal data, it is securely archived, and appropriate safeguards are applied, e.g. restricted access.
International data transfers
Your personal data is primarily processed on our servers located in the UK. However, some of our service provision, such as online reservations, payments, customer reviews and marketing, requires your personal data to be transferred outside of the European Economic Area (EEA). In such circumstances, if your information needs to be sent to a country that has not been granted a finding of adequacy by the EC, we will only transfer your data using ‘appropriate safeguards’ i.e. Binding Corporate Rules (BCR) or Standard Contract Clauses (SCC) (also known as Model Contract Clauses) etc., or we will seek your consent, on a case-by-case basis, where appropriate to do so.
If you are a European resident, we note that we are processing your information in order to fulfil contracts we might have with you – e.g. if you make an order through the Store, or otherwise to pursue our legitimate business interests listed above.
Security of your personal data
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.
Once we have received your information, we will use appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
Additionally, we have put in place appropriate security procedures and access controls to ensure the confidentiality of the special categories of personal data that we process, for instance information relating to your health or a disability.
The personal data we collect through our website(s) is transmitted across the Internet securely using high-grade encryption. We only use service providers who specialise in the secure capture and processing of online payments. If you pay for your goods by credit or debit card, we will not retain your card details after processing your payment.
Links to other websites
What are my data subject rights?
We support your data subject rights in relation to the processing of your information under the Data Protection Act 2018 and the UK GDPR, including your:
right to be informed (chiefly via this policy)
right of access
right to rectification
right to erasure
right to restrict processing
right to data portability
right to object
rights related to automated decision-making including profiling.
You can exercise any of these rights by contacting us using any of the methods shown below in the ‘How do I contact you?’ section.
You can request a copy of the information we hold about you by using any of the methods shown below in the ‘How do I contact you?’ section.
We will respond to any request you make as quickly as possible. Usually, this will be within one month of receiving your request.
Controlling your personal information
Withdrawing my consent
Where we process your information based on your consent, you may withdraw your consent at any time. You can do this by contacting us at any time by writing to us at the address shown below in the ‘How do I contact you?’ section or by emailing us at: email@example.com
We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.
If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to us at the address shown below in the ‘How do I contact you?’ section or emailing us at: firstname.lastname@example.org
Updating my information
You may request us to correct, update, or delete your personal data, by contacting us using any of the methods shown below in the ‘How do I contact you?’ section.
If you have opted in to receiving communications from us, your preferences will remain in effect until you tell us that you want to opt out of receiving any further communications. Normally, you can do this by clicking the link at the footer of the email you have received.
You can change your preferences at any time by clicking the relevant link in the emails we send you or by contacting us using any of the methods shown below in the ‘How do I contact you?’ section.
Making a complaint to us
We hope you will never have the need, but if you do want to complain about our use of your personal data, or our facilitation of your data subject rights, you can contact us using any of the methods shown below in the ‘How do I contact you?’ section.
Our Data Protection Officer will investigate your complaint and provide you with an appropriate response as quickly as possible.
Making a complaint to the Information Commissioner
You can lodge a complaint with the Information Commissioner at any time, for instance if you are unhappy with the way in which we are processing your information, or if we have failed to facilitate your data subject rights. The Information Commissioner can be contacted as follows:
By post: Information Commissioner’s Office
By phone: 0844 496 4636 (local rate)
Further information about your data subject rights and how to complain to the ICO can be found here: ICO Make a Complaint
How do I contact you?
You may contact us using any of the following methods: