Tobell Automotive is a Data Controller of personal data associated with the sale of insurance and guarantee products to automotive dealers and end customers. We deliver our services via a network of third parties, including vehicle repairers (and their subcontractors), insurance underwriters, insurance/warranty resellers, agents and partners, and technology solution providers.
We have taken steps to ensure that we adopt best practice under General Data Protection Regulation (GDPR) to protect the privacy of individuals. We aim to maintain and whenever possible improve on the minimum standards for the assurance of individuals’ rights to data privacy and protection.
Tobell is registered with the Information Commissioner’s Office (ICO) as a Data Controller for the processing of Personal Data (Z1054340).
Data Protection Office
As a Data Controller we recognise our responsibility in responding to individuals’ Rights. We manage this process by executing procedures in line with GDPR requirements.
We coordinate Data Subject Access Requests through our Data Protection Officer, who is contacted by:
· Post: Data Protection Officer, Tobell Automotive. Westthorpe Business Innovation Centre Westthorpe Business Park Killamarsh Sheffield S21 1TZ
· Email: email@example.com
· Phone: 0114 321 9881
How We Protect Your Personal Data
In order to protect your privacy, we train our staff to understand their responsibilities in helping Tobell Automotive maintain GDPR compliance. We specifically focus on the following areas:
· Notifying end users of their Rights through Privacy Statements
· Handling end users’ Data Subject Access Requests
· Working with our Data Processors
· And, what to do in the event of a personal data breach.
We review annually our staff awareness of data privacy and protection.
We also apply appropriate technical measures in order to protect data. We comply with the highest levels of cybersecurity under the cyber essentials scheme.
If you would like to know more about our approaches to GDPR, please contact our Data Protection Office.
As a Data Controller we recognise our responsibility in responding to individuals’ Rights. We manage this process by executing procedures in line with GDPR requirements for Data Subject Access Requests and prevention of data breaches in discharging our obligations during this process.
The right to be informed
We will inform individuals of their right to object “at the point of first communication” and clearly lay this out in our privacy notices (see links below.)
The right to access
Should you wish to receive a record of the personal data that we hold about you, then we require you to contact us at the above Data Protection Office.
The right to rectification
We have implemented processes that ensure your personal data remains accurate and up to date. In the event data is deemed not accurate and you wish this data to be amended, you must contact us. You must specify which records you wish to be updated.
The right to erasure
At any time you may request that your personal data is erased from our records. We will erase all records in accordance with our storage and retention policy. You must provide details of the record you wish to be erased.
The right to restrict processing
You have the right to block or restrict the processing of your personal data. This means that we will store your personal data, but will not process it for further use in our marketing services. We will restrict processing under the following circumstances:
Where you contest the accuracy of the personal data, we will restrict processing until we have verified the accuracy of the personal data with you.
Where you object to the processing we will consider whether our businesses lawful basis override those of you as the individual. We will store the data, but will not undertake any further processing until both parties have agreed that our business use is within our lawful basis.
When processing is unlawful and the individual opposes erasure and requests restriction instead. We will store the data and will not undertake further processing. We refer you to the right to erasure policy, and will implement our erasure policy upon receiving your request.
Where we no longer need the personal data but you require the data to be retained to establish, exercise or defend a legal claim. You must state details of the record you wish to be retained. We will automatically delete personal data records in accordance with the consent policy. However, should you wish this data to be retained in order to establish, exercise or defend a legal claim, then we will store and retain this data until the legal claim has been resolved. We will inform you when we decide to lift a restriction on processing.
The right to data portability*
You have the right to obtain and reuse your personal data for your own purpose. We will provide you with your personal data or move, copy or transfer that data to another business in a safe and secure way.
The right to data portability only applies:
* to personal data you have provided us;
* where the processing is based on your consent or for the performance of a contract.
We will provide this data to you or the business to which you require your personal data to be transferred, within one month of receiving instruction from you. However, if we decide that the data request is complex, then we will extend this time period for a further two months. Where this is the case, we will provide an explanation.
We will provide the personal data in a structured, commonly used and machine readable format. Examples of appropriate formats include CSV and XML files.
Where we are unable to transfer the data to another business due to technicalities or restrictions, then we will send the personal data to you for you to complete the transfer. This service will be provided free of charge.
The right to object
You have the right to object to any processing undertaken for the purposes of direct marketing (including profiling). We will stop processing for direct marketing as soon as we receive your objection. We will stop processing from the date of receipt of your objection.
The right not to be subject to automated decision-making including profiling.
We do not perform automated decision-making using your personal data to profile, nor do we supply the information we hold to third parties for use in analysis or prediction. Complaints
The ICO’s address is: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow Cheshire, SK9 5AF. You can also contact them by telephone on 01625 545 745 or via their website at www.ico.org.uk.