Jardine Motors Group Data Protection Policy

Contents

1. Introduction

2. Scope of this Policy

3. Aims of this Policy

4. Legal considerations

5. Role of JMG

6. What is Personal Data?

7. What activities are regulated by this Policy?

8. Why should I comply with this Policy?

9. What does “fair, lawful and transparent use of Personal Data” mean?

10. What is a Privacy Notice?

11. What are Special Categories of Personal Data?

12. Employee obligations on processing relevant data and keeping it accurate

13. Data retention

14. An individual’s rights

15. Security measures

16. Disclosure of Personal Data to third parties

17. Can I send Personal Data overseas?

18. Personal data for marketing purposes

19. Data Protection impact assessments

20. Data Protection by design and default

21. Records of processing

22. Notification of a Personal Data breach

23. Governance

Schedule 1 – JMG Subsidiary Companies


1. Introduction

This Data Protection Policy (“Policy”) applies to Jardine Motors Group UK Limited and its Group companies from time to time, including those companies listed in Schedule 1 (“the Group”).

Jardine Motors Group UK Limited is the UK parent company with trade and assets relating to different franchises sitting in separate legal entities. The Group is managed as a single entity with processes and management operating seamlessly across the Group. The Group shall be referred to as “JMG” for the purposes of this Policy.

JMG needs to collect, use and store certain types of information about its customers and staff to satisfy operational and legal obligations. This personal information must be collected and dealt with appropriately, whether it is collected on paper, stored in a computer database, or recorded on other material. It must be dealt with in compliance with JMG’s legal obligations under the General Data Protection Regulation (“GDPR”) and any subsequent amendments issued from time to time. JMG must also comply with related regulations on privacy in electronic communications, such as the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). Compliance with these laws is important, as they are enforced by the UK’s regulator, the Information Commissioner’s Office (“ICO”).

This Policy regulates the way in which JMG obtains or processes Personal Data (as defined later in this Policy) about individuals and ensures all of its employees know the rules for handling and protecting Personal Data. Further, it describes individuals' rights in relation to their Personal Data processed by JMG. Additionally, this Policy regulates the situations where one JMG Company processes Personal Data on behalf of another JMG company.

JMG has practices in place in relation to its handling of personal information to ensure that JMG and its employees are acting in accordance with UK laws and regulatory guidance.

It is important that JMG staff read and comply with this Policy, attend data protection training when requested and follow relevant JMG procedures and guidance when handling these personal details. Failure to do so may cause JMG to contravene its legal obligations and damage JMG’s reputation and business, as well as having a harmful impact on affected individuals.

Treating personal information confidentially, with respect and securely is always important. It is even more so in relation to regulated financial transactions, or clearly private or sensitive details.


2. Scope of this Policy

This Policy applies to all employees and workers, at all levels in our businesses. It is imperative that you read and understand this policy. A breach of this policy may, in certain circumstances, amount to misconduct (or, depending on the severity and recklessness of the breach, gross misconduct).


3. Aims of this Policy

This Policy aims to outline how we expect our colleagues to obtain, use and process Personal Data.


4. Legal considerations

The following pieces of legislation apply to this policy:

  • General Data Protection Regulation (GDPR)
  • Privacy & Electronic Communications (EC Directive) Regulations 2003 (PECR).


5. Role of JMG

GDPR controls and restricts the use by JMG of personal details that are Personal Data, as explained below. Where a JMG Company decides what Personal Data to collect and why, such as when it decides what HR data to obtain from an employee and what to use it for, that entity is a data controller and must comply with the GDPR. Each JMG Company has its own separate obligation to comply with the GDPR in respect of the Personal Data it processes and such use must be consistent across JMG as required by this Policy.

JMG has a Group CRM & Database Manager to help JMG comply with the GDPR, PECR and with this Policy. Any questions about the operation of this Policy, or any concerns that the Policy has not been followed, should be referred in the first instance to the Group CRM & Database Manager or to Group Legal.


6. What is Personal Data?

Personal Data is any information (for example, a person’s name) or combination of information (for example, name and address) relating to an identified or identifiable natural person.

Examples of Personal Data that may be used by JMG in its day to day business include names, addresses (email and land addresses), telephone numbers and other contact details of customers, and CVs, performance reviews, payroll and salary information of employees. The definition also includes opinions, appraisals or statements of intent regarding individuals (e.g. customer enquiries, employees, job applicants, individual consultants, contractors, personal contacts at suppliers, or customers and members of the public).

The laws governing how JMG can use Personal Data apply whether the Personal Data is stored electronically (for example, in e-mails, on IT systems, as part of a database or in a word processed document) or in structured paper records (for example, in paper files, card indexes or filing cabinets).


7. What activities are regulated by this Policy?

JMG processes Personal Data (including Special Categories of Personal Data - see Section 11 for more information) on its employees, contractors, business contacts, customers, suppliers and other individuals, including job applicants and former employees, depending on the relationship with them, for a multitude of business purposes. Depending upon the type of individual affected and details involved, use of Personal Data may include all or any of the following purposes:

  • Customer enquiry and order forms;
  • Customer deal files;
  • Customer financial details and finance applications;
  • Personnel record keeping and management;
  • Contract performance, including buying and selling goods and services;
  • Recruitment;
  • Employee performance management and professional development;
  • Employee benefits and succession planning;
  • Payroll and pensions, including returns, fund management and accounting;
  • Business and market development;
  • Research & development;
  • Marketing; or
  • Other purposes required by law or regulation or notified to us under separate policy documentation from time to time.

When JMG collects, stores, uses, shares, transfers, deletes or destroys Personal Data it is called “processing”. If JMG staff make use of Personal Data (e.g. read, amend, copy, print, delete or send Personal Data to another company, whether within JMG or outside of JMG) this is a type of processing and is subject to this Policy.


8. Why should I comply with this Policy?

Data protection laws are enforced by a Data Protection Authority. In the UK, this regulator is the ICO, who can investigate complaints, audit JMG’s use or processing of Personal Data and can take action against JMG (and JMG staff personally in some cases) for breach of these laws. Action may include making JMG pay a fine and/or stopping the use by JMG of the Personal Data, which may prevent JMG carrying on its business. Companies who breach one or more laws on Personal Data also often receive negative publicity for the breaches which affects the reputation of the company and its business as a result.

Each JMG employee is required to read and comply at all times with this Policy. In this Policy a “Third Party” is anyone who is not an employee of JMG, for example manufacturers, agents, external organisations, consultants, contractors, and service providers.


9. What does “fair, lawful and transparent use of Personal Data” mean?

One of the main data protection obligations requires JMG (and its employees) to process Personal Data fairly, lawfully and transparently. This involves three stages:

  • taking appropriate measures to provide information to individuals in a concise, transparent, intelligible and easily accessible form, using clear and plain language;
  • ensuring individuals should reasonably expect and understand what JMG does with their Personal Data (by providing them in advance with a Privacy Statement); and
  • ensuring that the proposed use of Personal Data is lawful and meets one of the permitted conditions in the GDPR. Not every use, even if it seems a good business idea, will be lawful and meet such a condition.

In practice, this means that JMG (and each employee) must comply with at least one of the following summarised conditions when processing Personal Data:

  • the individual to whom the Personal Data relates has consented to the processing for one or more specified purposes;
  • the processing is necessary for the performance of a contract between JMG and the individual;
  • the processing is necessary to comply with a legal (not contractual) obligation to which JMG is subject;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in JMG;
  • the processing is necessary to protect a vital interest of the individual; or
  • the processing is necessary in order to pursue the legitimate interest of JMG, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual.

Reliance on these conditions must be discussed with Group Legal prior to being relied upon. All new data processing activities and projects involving the use of Personal Data must be approved prior to being started as there are complex exemptions and other lawful reasons for processing which may apply. For example, if someone provides their details as a contact for maintenance/warranty purposes, you may not be able to start sending them marketing emails unless that is covered in an appropriate notice and consent from that individual.

Consent to use of Personal Data is limited to the JMG operating company that collected the information unless the notice to the individual and their consent clearly covers use by other JMG companies or other relevant parties.


10. What is a Privacy Notice?

When JMG collects any Personal Data about an individual (whether directly from them or indirectly), JMG must make sure the individual knows:

  • the identity and contact details of the data controller that will process their Personal Data (i.e. which JMG entity);
  • for what purposes that entity will process the Personal Data provided to it;
  • the recipients of the Personal Data;
  • the period for which the Personal Data will be stored;
  • the existence of the right to request from JMG access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing as well as the right to data portability;
  • the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the Personal Data and the consequence of not providing such data;
  • information on any disclosures/transfers of that information to third parties;
  • whether the Personal Data is subject to any automated decision-making, including profiling, and if so information on the logic involved, as well as the significance and the envisaged consequences of such processing for the individual;
  • the right to lodge a complaint with the ICO; and
  • any other information that the individual should receive to ensure the processing carried out is within his/her reasonable expectations.

Providing this information is known as providing a “privacy notice”. You should give individuals appropriate privacy notices when collecting Personal Data about them. This means that JMG has to inform individuals about the processing of their Personal Data before or at the time the data is collected.

You should, therefore, check whether there is an applicable notice which covers the processing you intend to carry out for JMG. If you are unsure about where to obtain this information, please speak to Group Legal (or, where the processing relates to employee personal data, the Group HR Director).

You should only process Personal Data in a manner and for purposes consistent with the relevant privacy notice(s). It should not be collected for one purpose and then used for a second purpose unless that is also set out in the relevant notice.

If you have any questions about drafting notices, or whether a particular notice is applicable, please contact Group Legal.

Even with consent or if one of the other lawful reasons for processing applies, JMG cannot make any use it wants of Personal Data. All the other rules explained in this Policy (and the relevant privacy notice) still have to be complied with. For example, JMG still has to satisfy the other requirements described below, such as making sure the information collected is not excessive. Simply because a person has consented to giving you their information does not override that restriction. Similarly, Personal Data must not be used in a way which would infringe another law, for example, for bribery, or racial, age, sexual, or disability discriminatory purposes. To do so would also render its collection and use unlawful.

Where collecting Personal Data about an individual indirectly e.g. from another company, you must ensure there is suitable evidence that the provider has the lawful right to disclose these details to JMG for the envisaged use by JMG.

These rules apply even where Personal Data is obtained from a published source e.g. from the internet.


11. What are Special Categories of Personal Data?

“Special Categories of Personal Data” are Personal Data about a person’s race or ethnicity, their health, their sexual preference, their religious beliefs, genetic or biometric data, their political views, or trade union membership. Personal Data on criminal convictions, prosecutions, offences and decisions of the court are also subject to enhanced levels of protection. Please see our Privacy Policy for when we may need to process such data.

Where collected, Special Categories of Personal Data should not be used unless strictly necessary. Extra care must be taken with it (in addition to the normal rules for Personal Data) and it must be kept more securely. Additional restrictions are placed on top of the lawful reasons for processing mentioned above. For example, it is difficult lawfully to use such details without the consent of the individual, which has to be explicit, in writing and obtained prior to processing any Special Categories of Personal Data.

JMG does not generally seek to obtain Special Categories of Personal Data unless:

  • the individual concerned agrees in writing that we may do so, on the basis of a full understanding of why JMG is collecting the data;
  • JMG needs to do so to meet its obligations or exercise its rights under law;
  • JMG needs to do so to meet the obligations of, and comply with, its own or its ultimate parent company’s legal and regulatory compliance obligations; or
  • in exceptional circumstances, such as where the processing is necessary to protect the vital interests of the individual concerned.

Employees should note that the “legitimate interest” criterion for processing Personal Data is not, on its own, enough to process Special Categories of Personal Data.

Special Categories of Personal Data should not be e-mailed or disclosed unless measures are taken to encrypt or otherwise secure that information due to the potential for harm or distress if the e-mail is received by unintended recipients or otherwise goes astray. Special Categories of Personal Data should be collected and used as little as possible, be kept separate from other details, be subject to more limited and strictly need to know access and used subject to greater security measures than other details.

You must make use of any systems and processes designed to protect and safeguard Personal Data, especially Special Categories of Personal Data e.g. working in the secure system and sending links to access details, which can only be used by those authorised to see and use them. You must not circumvent any such processes or systems provided.

Where details are used which are not strictly within the definition of Special Categories of Personal Data but whose loss or misuse may cause harm, loss or distress (e.g. identity theft and/or fraud), JMG requires you to use these details very carefully, i.e. strictly on a need to know basis.


12. Employee obligations on processing relevant data and keeping it accurate

The Personal Data you collect should be adequate, relevant and limited to what is necessary for the relevant purpose(s) for which you are collecting it, but not excessive for that purpose(s). Only process the data which is necessary for the task; minimise your use of Personal Data rather than maximise it. Do not collect and process more Personal Data than you really need. In the end, it simply adds to JMG’s compliance burden and storage costs and may prevent JMG from complying with its legal obligations on data protection. For example, if you will never telephone someone at home, you do not need their home telephone number.

In addition, you must take care to record and input Personal Data accurately. This is important. There can be serious problems if Personal Data is incorrect. Some Personal Data may change from time to time (such as addresses and contact details, bank accounts and the place of employment). It is important to keep current records up to date. If not, there may be serious problems. For example, a renewal or termination notice for a contract may be sent to the wrong address and may not be valid.

Employees must ensure that data is collected within the boundaries defined in this Policy. This applies to Personal Data that is collected in person, or by completing a form. When collecting Personal Data, employees must ensure that the data subject:

  • clearly understands why the information is needed; and
  • understands what it will be used for and what the consequences are should the data subject decide not to give consent to processing; and
  • where relevant, as far as reasonably possible, grants explicit consent, either written or verbal for data to be processed; and
  • is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress; and
  • has received sufficient information on why their data is needed and how it will be used.


13. Data retention

Information and records relating to data subjects should be stored securely and will only be accessible to authorised staff.

As a general rule, when Personal Data is no longer needed by JMG for the purposes for which it was collected, this Personal Data should be securely destroyed as soon as practicable and in line with any JMG data retention policy as amended from time to time. Any proposed destruction of data must be discussed with your line manager prior to any decision being made.

It is JMG’s responsibility to ensure all Personal Data and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party.

Please refer to the JMG retention policy for further information on data retention.


14. An individual’s rights

Individuals have certain rights in relation to their Personal Data:

  • the right to access Personal Data held about themselves;
  • the right to rectification of inaccurate Personal Data about themselves;
  • the right to erasure of Personal Data where there is no valid reason for the continued processing of the Personal Data or the objection to processing has been exercised;
  • the right to object to processing of Personal Data where JMG are relying on a legitimate interest (or those of a third party), or where Personal Data is processed for direct marketing purposes;
  • the right to a restriction of the processing of Personal Data where accuracy is contested or the processing is unlawful;
  • the right to data portability of the Personal Data provided by the individual to JMG (as the data controller) to another data controller;
  • the right not to be subject to a decision based solely on automated processing;
  • the right to be notified of a data security breach when a personal data breach is likely to result in a high risk to a data subject’s rights; and
  • the right to compensation for any damage/distress suffered from any breach.

Should you receive a request from an individual to correct their details, to withdraw their consent to use their Personal Data or for JMG to stop certain uses of their Personal Data, you must inform the Group CRM & Database Manager (or, where the processing relates to employee Personal Data, the Group HR Director) and promptly follow their instructions.

Individuals are allowed to withdraw their consent to JMG’s use of their Personal Data at any time. If an individual contacts you to withdraw consent, inform the Group CRM & Database Manager (or, where the processing relates to employee Personal Data, the Group HR Director).

If you receive a request to stop sending direct marketing materials, you should cease sending further direct marketing communications to that individual as soon as possible and inform the Group CRM & Database Manager. JMG should then add that person’s name to a marketing suppression list rather than simply deleting their details entirely from the relevant database.

Requests received for access to Personal Data

Individuals can also ask for copies of the Personal Data JMG holds about them and other details about how JMG uses their Personal Data. This request must be made in writing, and JMG has a standard template form to assist customers in making such requests. Employees who receive a written request should forward it to Customer Services or, if the request relates to an employee or former employee, the Group HR Director.

Subject to receipt of proof of ID where considered necessary, on receipt of a written request from an individual for access to his/her Personal Data, JMG will (to the extent requested by the applicant):

  • inform that individual whether JMG holds Personal Data about him or her;
  • describe the data it holds, the reason for holding the data and the categories of persons to whom it may disclose the data; and
  • provide the individual with copies of the Personal Data held about him or her, together with an indication of the source(s) of the data.

If you receive such an access request, there are special legal rules which must be followed as part of this process. Therefore, any request should be passed on immediately to Customer Services. If the request is for a copy of personnel or occupational health files, please pass it to the Group HR Director immediately and follow their instructions. There are strict statutory deadlines for responding with which JMG must comply, so you must not delay. You must not deal with such requests yourself.


15. Security measures

JMG must keep all Personal Data secure. This means that the Personal Data must be protected against being accessed by other companies or individuals (for example, via hacking), from being corrupted (data corruption) or from being lost or stolen. The Personal Data must also be protected so the wrong people cannot read or use the details. This applies to details in IT systems, emails and attachments and paper files. This is why, for example, you have a password and controlled access rights to IT systems and may have encryption software on your JMG computer and/or mobile device.

To facilitate the protection of Personal Data within the JMG IT system, Personal Data relating to customers or prospective customers must only be stored in JMG authorised systems, e.g. Autoline or Jardine Vision. Personal Data relating to customers or prospective customers must not be stored in individuals’ Microsoft Outlook accounts or in personal files, e.g. Microsoft Excel.

You must comply with JMG’s security procedures whenever you handle Personal Data. JMG relies on you to keep data secure. Otherwise, there can be serious problems; for example, customer pricing details could be leaked. You must only access and use Personal Data you have a right to access and which you properly need to use for your role. You must not access Personal Data held by JMG for private reasons or to help any Third Party.

If you work away from JMG’s premises, you must comply with any additional procedures and guidelines issued by JMG for home working and/or offsite working.

Extra care is needed to secure Special Categories of Personal Data because more damage is likely if it is lost. For example, if details of an individual’s medical condition got into the wrong hands it could be very distressing for that individual. If you want to send Special Categories of Personal Data to another person, be especially careful that it is sufficiently secure and can only be received and accessed by the intended recipient. If you email Special Categories of Personal Data outside JMG, other than to and from the relevant customer or employee at their request or with their consent, it must be secure from unauthorised access. If you need more details about this, or have any queries, speak to IT and/or Group Legal before emailing the details.

JMG also recognises that adequate security is important where it arranges for outside service providers to process Personal Data on its behalf. Where such arrangements are established by JMG, service providers must be bound by written contracts to protect the Personal Data provided to them. See section 16 “Disclosure of Personal Data to third parties”.

What should I do if I lose Personal Data or I think there is a data security issue?

There are potentially significant repercussions for JMG and the individuals affected, arising from a security issue. Where a security issue arises you must:

  • immediately report the details to dpa.alerts@jardinemotors.co.uk, the First Responder Group, or to Group Legal, providing them with as much information as you have available;
  • not attempt to investigate the matter yourself;
  • preserve all evidence relating to the security issue;
  • follow guidance from the First Responder Group or Group Legal on dealing with the security issue and keep them up to date with any further information about it that you become aware of; and
  • not approach any individual data subjects, customers, regulators or make any public announcements about the security issue without the prior agreement of the First Responder Group or Group Legal.

If you know or suspect that a personal data breach has occurred, do not attempt to investigate the matter yourself. You should preserve all evidence relating to the potential personal data breach.


16. Disclosure of Personal Data to third parties

A disclosure of Personal Data is a form of processing. That means that the rules described above for fair and lawful use have to be satisfied. These rules apply even when sharing details between related companies. For JMG, although we are made up of separate companies, the way we operate means that our functions and services for customers and staff are organised across the Group, requiring multiple Group companies to be involved with the disclosure of Personal Data. JMG have put in place specific data sharing agreements to allow the sharing of data across JMG companies. When sharing details within JMG, you must ensure you only share relevant details needed for the recipient to perform their role or function. Special care is needed before disclosing Personal Data outside JMG e.g. a potential buyer of one of our businesses, a government department, the police, or a regulator.

JMG may also wish to disclose Personal Data we hold to third parties:

  • in the event that we sell (or buy) any business or assets, in which case we may disclose Personal Data we hold to the prospective (seller or) buyer of such business or assets; and
  • if we or substantially all of our assets are acquired by a third party, in which case Personal Data we hold will be one of the transferred assets.

You must not disclose Personal Data to a third party outside JMG unless either the disclosure is to a service provider and the required form of contract is in place, or the disclosure constitutes a lawful reason for processing and satisfies the information notice requirements as explained above.

There are some exceptions to deal with disclosures, such as those requested lawfully by police where the information is necessary to prevent or detect a crime. If you receive a request for information about an individual from government, police or other similar bodies or from journalists or other investigators, you should pass that request immediately to the Group General Counsel & Company Secretary for advice and guidance on how such a request should be dealt with.

The applications of the relevant exceptions need careful consideration. Unlawful disclosure (however well-meaning and however seemingly authoritative the requestor) risks placing JMG in breach of obligations under data protection legislation. Special care is needed with telephone requests for information, often used by unauthorised parties to ‘blag’ or obtain Personal Data to which they are not entitled, such as an ex-spouse or private investigator. Always make sure you are certain who you are dealing with, ideally have a written request for information and ensure any disclosures are justified in advance. Line Managers should refer to Group Legal for advice and guidance on data requests from Third Parties where required.

A key difference may apply where a JMG entity is processing the Personal Data on behalf of another JMG entity, i.e. acting as its Data Processor, in which case the details can be shared with that entity, or as it directs, in accordance with the data sharing agreements.

Access to Personal Data must be restricted to those employees of JMG and third parties (companies, businesses and organisations outside JMG) who need to access it in order to perform their role e.g. relevant staff at an external service provider appointed to help JMG with its customer marketing function will need to be able to use relevant customer marketing details to send marketing communications on behalf of JMG. You must only process Personal Data where and to the extent you need to see and process it to carry out your job / role properly.

JMG may use Third Parties to provide services to it - for example, running a marketing campaign. Where such third parties use Personal Data on behalf of JMG, special rules apply. Only authorised third parties with written contracts in place should be used. Please refer to the Company Intranet or contact Group Purchasing to check if the third party is approved. In the instance where the third party is not approved, please contact the Head of Purchasing who will be able to provide assistance. JMG is responsible for its use of its Personal Data and so this is important.


17. Can I send Personal Data overseas?

There are special rules on whether Personal Data collected in the UK can be transferred to another country. Within the EU, there are restrictions on the transfer of Personal Data outside of the European Economic Area (EEA). If you plan to make any new transfers of any Personal Data to another jurisdiction, please contact Group Legal.

The fact that there will be transfers of Personal Data to other countries, especially to countries outside the EEA, should be clearly set out in the privacy notices described in the fair use section of this Policy above so that it is expected by the affected individuals.

JMG may only transfer Personal Data outside the EEA if one of the following conditions applies:

(a) the European Commission has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the data subjects' rights and freedoms;

(b) appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism;

(c) the data subject has provided explicit consent to the proposed transfer after being informed of any potential risks; or

(d) the transfer is necessary for one of the other reasons set out in the GDPR, including the performance of a contract between us and the Data Subject, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent and, in some limited cases, for our legitimate interest.

All employees making any such transfers should first consult with Group Legal. Further information on data which may be transferred overseas can be found in JMG’s Privacy Notices.


18. Personal data for marketing purposes

As with other types of processing, the use of Personal Data for marketing purposes must satisfy the fair and lawful use requirements set out above. This means information notices must be given, and a lawful reason for processing has to be satisfied. Typically, this will require consent. You therefore should not use Personal Data to contact individuals for marketing purposes (including sole traders and individual members of business partnerships) by email, text or similar unless the individual has consented to marketing use.

Where marketing is to be by email, text or similar electronic means, normally individual consent is needed and must clearly cover marketing by email, text or similar. Special rules apply to when consent is needed and how consent is obtained (for example, individuals generally need to “opt in” to receiving marketing) depending on the type of marketing contemplated and the means of communication with the individual. Special rules apply to facilitate prompt action regarding objections to marketing.

It is advisable to check the scope of any marketing consent you are relying upon, particularly if you are sending information relating to other Group companies or divisions, third parties or contemplating sharing the Personal Data with a third party to allow them to do so. If you are obtaining Personal Data from a third party for marketing use, then you should check that the consents they have obtained permit disclosure to JMG and the intended processing by JMG. Please check with Group Legal to verify consent.

You must promptly comply with any request by an individual not to receive direct marketing (where it is addressed to them) or their choice not to receive marketing by a particular method (for example, post, fax, telephone, e-mail or text messaging).

JMG obtains individual consent by inviting customers to tick a box to opt in to receive marketing messages. Please contact centraldataservices@jardinemotorsgroup.co.uk or the Group CRM & Database Manager who will be able to provide you with appropriate guidance to ascertain if consent has been obtained.

You must liaise with Group CRM & Database Manager about any marketing plans and follow their instructions.


19. Data Protection impact assessments (DPIAs)

Where JMG are considering a type of processing using new technology or implementing major system or business change programmes, for example an employee monitoring system or number plate recognition technology, and where there is a risk to the rights and freedoms of natural persons, an assessment of the impact of the processing should be carried out. JMG must also conduct DPIAs in respect to high risk processing. The assessment must contain:

  • A systematic description of the processing;
  • The purpose of the processing;
  • An assessment of the necessity and proportionality of the processing;
  • An assessment of the risks to the rights and freedoms of the data subjects; and
  • The measures envisaged to address the risks.

Please contact the Head of IT and/or Group Legal for further guidance on this topic.


20. Data Protection by design and default

For all processing JMG must take into account the state of the art, the cost of implementation and the nature, scope and context of the processing and implement where applicable pseudonymisation and data minimisation to ensure compliance with data privacy principles.


21. Records of processing

JMG must keep a record of all processing containing as a minimum the following information:

  • The name and contact details of the data controller;
  • The purpose of the processing; and
  • The categories of the data subjects.


22. Notification of a Personal Data breach

JMG have to comply with strict reporting criteria for any data breach that affects the rights and freedoms of a natural person. On detecting a possible Personal Data breach, you must:

  • immediately contact dpa.alerts@jardinemotors.co.uk;
  • not attempt to investigate the matter yourself; and
  • preserve all evidence relating to the security issue or personal data breach.

Depending on the nature and severity of the breach, JMG may need to notify individuals and the ICO without undue delay (and within 72 hours of discovery of the breach). It is therefore imperative that you notify JMG without undue delay upon discovering a potential breach.

The breach will need to be notified to individuals where the personal data breach is likely to result in a high risk to the rights and freedoms of the individual. In such an instance, JMG will:

  • describe the nature of the security breach in clear and plain language; and
  • include the following information:
      - name and contact details of the contact person at JMG dealing with the matter;
      - the security breach's likely consequences; and
      - the measures taken to address the security breach including measures to mitigate potential adverse effects.


23. Governance

This Policy has been approved by the JMG Data Protection Steering Group and is effective from the date stated at the bottom of this Policy. This Policy will be reviewed with other JMG policies and guidelines that relate to the use of data on a periodic basis.

Schedule 1 – JMG Subsidiary Companies

Lancaster Plc

Jardine Automotive Limited

Stratstone Luxury Vehicles Limited

Jardine Cars Limited

Jardine Specialist Cars Limited

Jardine Sports Cars Limited

Abridge Loughton TPS Limited

Wayside Trade Parts Limited