Data controller and contact information
Data Protection Officer
Paul Stephens Ltd
Purposes and lawful basis for processing personal data
We may collect, process and use your personal data in the course of supplying vehicles, goods and services to you and to manage our relationship with you, in the following ways:
Processed under the lawful basis of Contract:
When you enquire about or purchase a vehicle, goods or services from us, we will collect personal information to enable us to respond to your enquiry and to process and complete your purchase.
When you enquire about purchasing a vehicle on finance, we will collect information to enable third parties to provide finance quotes and agreements.
We collect personal information from you when you apply for a job with us to enable us to contact you and process your application.
Processed under the lawful basis of Legal Obligation:
We collect and process your personal information for producing invoices and accounting purposes which is required to meet HMRC legislation.
We collect personal information from employees to enable us to meet employment law obligations.
Processed under the lawful basis of Consent:
If you have given consent to receive marketing communications from us, we will collect information concerning your marketing preferences and send you communications based on those preferences.
Who we share your personal data with
We do not share your data with any other third parties except:
if you have given your consent.
if it is necessary to enable the provision of third party services you have requested (for example to facilitate warranty, insurance or finance quotes or agreements).
if we are under a duty to comply with any legal obligation.
Third party recipients of your data
Data processors are third parties who provide elements of our business management services for us, who process or store personal data on our behalf. The categories of these recipients are accounting, marketing, software, and website providers.
We have contracts in place with our data processors to ensure they are looking after your data to GDPR standards, which means they cannot use, share or do anything with your personal data unless we have instructed them to do so.
Unless otherwise listed below, your personal data will be kept for a period of 7 years in order to comply with HMRC requirements.
Personal data processed under consent will be kept for as long as you consent to its processing. We will seek to refresh your consent at appropriate intervals.
Your rights in regard to your personal data
You have a number of rights in regard to your personal data. These include the right to request access to, rectification or erasure of personal data we hold, or restriction of processing concerning your data, or to object to the processing as well as the right of data portability. If you wish to make any such requests please contact us in writing using the contact details at the top of this page.
Right to withdraw consent
Where we have processed your personal data on the lawful basis of consent, you have the right to withdraw this consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Right to complain
If you have any concerns about how we have handled your personal data, please contact us so we may address them.
You also have the right to lodge a complaint with the supervisory authority, the Information Commissioner’s Office, about how we manage your data.
Provision of data
In most cases, the provision of your personal data is necessary to enter into a contract with us.
Changes to this policy
We will regularly review this privacy notice and update it where necessary. This policy was last updated in May 2018.