The following document is designed to outline the approach adopted by Haynes Brothers Ltd for the handling of the GDPR legislation, scheduled for May 25th 2018.
It outlines the options available and general approach supported.
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
What lawful grounds do we rely on when we use your personal information?
There are different lawful grounds that we rely on to use your personal information and we will collect and use your personal information in the following situations:
where our use of your personal information is necessary to perform a contract or contracts that you are a party to, or to take steps that you request before entering into a contract. These contracts could include the conditions on which you enter a competition or agreements you enter into for service products, for example;
where our use of your personal information is within our legitimate interests or the legitimate interests of the organisation with which we have shared your personal information and we have made sure that your personal information, and your rights in relation to that information, are protected. For example, we may rely on this legal ground if we and/or the companies within the Haynes Group use your personal information to: understand and improve our (or their) products, services and/or marketing strategies; for research purposes; to manage and improve our relationship with you and for administrative purposes; to help find out what information, products and services are most likely to interest you and to send or show you information, offers, and online advertisements for these products or services; to personalise your experience of our products and services; to ensure that our products and services are delivered and used in accordance with the law and the terms and conditions that apply to them; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues,
where we believe it is necessary to use your personal information to comply with a legal or regulatory obligation to which we are subject,
in limited circumstances where we believe it is necessary to protect someone's safety or vital interests,
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).
Online at haynesgrp.co.uk
When someone visits one of our company websites we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
In order to understand how users use the Haynes Group Websites and our services and the things they are interested in, we may collect your Internet Protocol addresses (also known as IP addresses). Your IP address is a unique address that computer devices (such as PCs, tablets and smartphones) use to identify themselves and in order to communicate with other devices in the network.
Security and performance
Haynes Group use a third party service, Aptus, to help maintain the security and performance of the Haynes Group website. To deliver this service it processes the IP addresses of visitors to the Haynes website.
Haynes Group conducts annual Penetration Testing to its own IP addresses Typically, penetration tests are used to identify the level of technical risk emanating from software and hardware vulnerabilities. Penetration Testing is an appropriate method for identifying the risks present on a specific, operational system consisting of products and services from multiple vendors. It is also applied to systems and applications developed 'in-house'. Links to other websites
Please note, our company websites may contain links to other websites (such as those of our manufacturers and suppliers) that are not controlled by us or our service providers. These links are provided for your convenience. We are only responsible for our own privacy practices and our security of Haynes Group Websites. We recommend that you check the privacy and security policies and procedures of each and every other website that you visit. Cookies
Most browsers automatically accept cookies but you can usually change your browser to prevent cookies being stored. With experience, you can usually choose to switch off all cookies or to allow only certain ‘trusted’ sites to place cookies. For further information on cookies and Flash cookies and how to switch them off see the Information Commissioner’s website at www.ico.gov.uk or visit www.allaboutcookies.org or www.aboutcookies.org.
PLEASE NOTE, IF YOU DO TURN COOKIES OFF, THIS WILL LIMIT THE SERVICE THAT WE ARE ABLE TO PROVIDE TO YOU AND MAY AFFECT YOUR USER EXPERIENCE
People who contact us via social media
If you send us a private or direct message via social media the message will be stored by Haynes for twelve months. It will not be shared with any other organisations. Haynes operate and manage our own social media accounts and no third parties are involved. People who call our telephone number
When you call the Haynes, tracked telephone lines will collect Calling Line Identification (CLI) information. We use this information to help improve its efficiency and effectiveness. Recorded calls are retained for twelve months. People who email us
Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law. People who use our online Service Booking facility
If you use our online service booking form we will collect your name, email address, phone number and details of your car and request. This information will be transferred to our DMS system and will be retained in accordance with their policies. Auto Responses
We may use auto-responders to communicate with you by e-mail. To protect your privacy, we use a verified opt-in system for such communications and you can always opt-out of such communications using the links contained in each auto-responder message. If you have difficulties opting out, you may contact us by email, using a website contact form, or in writing by mail at the details at the bottom of this policy. User Names and Passwords
Your access to certain parts of our website may be protected by a user name and a password. Do not give your password to anyone. If you enter a section of our website that requires a password, you should log out when you leave. As a safety precaution, you should also close out of your web browser completely and re-open it before viewing other parts of the Internet.
People who make a complaint to us
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for up to seven years and typically three years from conclusion of any relevant contract. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
If we take enforcement action against someone, we may publish the identity of the defendant in our Annual Report or elsewhere. Usually we do not identify any complainants unless the details have already been made public. Queries
Haynes tries to meet the highest standards when collecting and using personal information. For this reason, we take any questions we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. People who use Haynes services
We have to hold the details of the people who have requested a service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes.
Job applicants, current and former Haynes employees
When individuals apply to work at Haynes, we will only use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Criminal Records Bureau we will not do so without informing them beforehand unless the disclosure is required by law.
Personal information about unsuccessful candidates will be held for 3 months after the recruitment exercise has been completed, it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
Once a person has taken up employment with Haynes, we will compile a file relating to their employment. The information contained in this will be kept secure
and will only be used for purposes directly relevant to that person’s employment. Once their employment with Haynes has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it. Access to personal information
Haynes tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 2018. If we do hold information about you we will:
give you a description of it;
tell you why we are holding it;
tell you who it could be disclosed to;
let you have a copy of the information
To make a request to Haynes for any personal information we may hold you need to put the request in writing addressing it to our Data Protection Officer at Haynes Group using the address provided below. This request will be free and information will be made available by the Haynes Group within 31 days.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting Haynes. Disclosure of personal information
In many circumstances we will not disclose personal data without consent. However, when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies. You can also get further information on:
agreements we have with other organisations for sharing information;
circumstances where we can pass on personal data without consent for example, to prevent and detect crime and to produce anonymised statistics;
our instructions to staff on how to collect, use and delete personal data; and
how we check that the information we hold is accurate and up to date.
The information you provide to us will be held on our server in the United Kingdom and may be accessed by or given to our staff.
We are registered as a data controller in the United Kingdom with the Information Commissioner’s Office under registration number Z5658230
and that the company has in place appropriate and lawful policies for the processing of data.
We may pass your data onto any law enforcement agency, court, regulator, government authority or other third party where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
You have the right to ask us not to process your personal information for marketing purposes. We will usually inform you before collecting your information if we intend to use or disclose it for such purposes. If you do not want us to use your information for marketing purposes the latest communication received will have an opt out avenue. You can also email us at DPO@haynesgroup.co.ukand ask for your data to be removed or write to us at the address above. Other examples
By using our Site, you consent to the processing of data about you by Google in the manner and for the purposes set out above. Manufacturer Data
We take the business of reviews seriously and use a company called Judge Services to conduct our after sales reviews for our Used Vehicle departments. Judge Services adhere to the UK’s Consumer Protection from Unfair Trading Regulations (CPRs) and advertising rules. They also follow the Competition and Markets Authority guidance for online reviews and endorsements.
They work in accordance with the Information Commissioner’s Office, who regulate these laws and publish marketing guidance, to understand what is needed to be legally compliant. Should you wish to find out more about Judge Services please contact them at:
11 Cardale Court
How to contact us
Data Protection Officer
Haynes Brothers Ltd
23 Ashford Road,
Kent. ME14 5DQ
We may amend this Policy from time to time. If we make substantial or material changes in the way we wish to use your personal information we will communicate providing a prominent notice on the Website or by contacting you directly. If you do not agree with these changes, please do not continue to use our company Websites.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of Haynes collection and use of personal information. This Privacy Notice will be reviewed annually and this will be due in May 2019. This privacy notice was last updated on May 25th 2018.
List of Manufacturers and Subsidiary Companies that Haynes Group provide information to, alongside reputable third parties used for relevant processing:
Ford Motor Company Limited, Eagle Way, Brentwood, Essex. CM13 3BW.
FCE Bank PLC, Manchester Business Centre, Number One 1 Tony Wilson Place, Manchester M15 4FN.
Ford Lease, Oakwood Drive, Emersons Green, Bristol, United Kingdom. BS16 7LB.
ALD Automotive, Oakwood Drive, Emersons Green, Bristol, United Kingdom. BS16 7LB.
IVECO Ltd, Cranes Farm Road, Basildon, Essex. SS14 3AD
FCA Italy S.P.A., Corso G. Agnelli 200, 10135 Turin, Italy.
Case IH, CNH Industrial N.V., Corporate Office, 25 St. James's Street,
London, SW1A 1HA
JCB Finance Limited Ltd, The Mill, Rocester, Staffordshire ST14 5JW
1. J.C. Bamford Excavators Limited (company number 00561597)
2. JCB Sales Limited (company number 0792807)
3. JCB Service (company number 0564955)
4. JCB Landpower Limited (company number 2321141)
5. JCB Earthmovers Limited (company number 0934508)
6. JCB Heavy Products Limited (company number 2517503)
7. JCB Access Limited (company number 03943798)
8. JCB Power Products Limited (company number 5846086)
9. JCB Power Products Broadcrown Limited (company number 09783957)
10. JCB Compact Products Limited (company number 1980852)
New Holland Agriculture, Cranes Farm Road, Basildon, Essex. SS14 3AD
List of our Reputable Third Parties used for reviews and marketing events in consultation and accordance with Haynes Group policies and procedures:
WillCreate Media, Suite 3, The Thorne Estate Business Park. Ashford, Kent. TN26 3AF
JudgeService, 12 Cardale Ct., Cardale Park, Harrogate. HG3 1RY
RhinoEvents.com, Russell Street, Hyde, Cheshire, SK14 2HD.
Haynes Brothers Group
Haynes House 23 Ashford Road, Maidstone, Kent, ME145DQ
Registered in England No. 00048511
We are constantly looking to improve our service and your call may be recorded for training purposes.