I.M. NORDIC PRIVACY NOTICE
I.M. Nordic Privacy Notice
Last updated May 2018.
This is the Privacy Notice made on behalf of the following companies which are members of the I.M. Group:
Name of Entity
Subaru Nordic AB
DPO notified to datainspektionen
Isuzu Sverige AB
DPO notified to datainspektionen
I.M. Nordic AB
DPO notified to datainspektionen
(hereinafter “the I.M. Nordic Companies”)
1. Identity and contact details of the data controller / DPO
Data Protection Officer
Telephone: (44) 0121 730 8079
I.M. Group Ltd
Deputy Nordic DPO
Telephone: 046 406 184 947
2. What Information do we collect?
The I.M. Nordic Companies operate mainly in the Automotive market. As a generality, we hold details about our customers and prospective customers, contact details and address so that we can communicate with them when necessary. Very occasionally, we also hold details of our customers financial arrangements where there is a business-related need for us to do so. We also hold electronic copies of our correspondence sent to or received from our customers and any contractors and suppliers who work with us. This correspondence is primarily in email format. Our Automotive businesses hold extensive data relating to the vehicles owned by customers who purchased them from a member of our nationwide dealer networks. (“The Personal Data”)
3. How will your information be used?
The I.M. Nordic Companies will only use the Personal Data for the benefit of its customers or for some other lawful purpose. In particular, it will never sell the Personal Data to a Third Party. We will only pass the Personal Data to Third Parties where there is a business driven need to do so or where we have an Article 28 Agreement in place with them.
4. Our legal basis for processing your data
Where we do not have your consent pursuit to Article 6 1. (a) of GDPR, we always have a legitimate interest pursuit to Article 6 1. (f). In addition, or alternatively from time to time we process Personal Data pursuit to lawful bases contained in other provisions of Article 6 such as the performance of a contractual obligation.
5. Who receives your information
As well as the I.M. Nordic Companies, we often share the Personal Data with Third Parties who carry out processing on our behalf pursuit to the terms of an Article 28 agreement or where there is a business driven need to do so. Such processing is necessary for the I.M. Nordic Companies to do their job properly and to service the needs of its customers throughout its various businesses. As a generality such Third Parties fall into the following main categories:
- • Car Dealerships within our dealer networks
- • Roadside Assistance Providers
- • Holders of the Vehicle Safety Recall Databases
- • Insurance Companies
- • Accident Management and Repair Service Providers
- • Fraud Prevention Agencies
- • Banks and Credit References
- • Agents and Advisers who we use to help us carry out our business
6. Where your information is stored and how it is kept secure
On our secure computer systems and in some cases in hard form in our offices or in our onsite storage facility. We have invested in state of the art technical and organizational security measures to safeguard the Personal Data.
7. Transfers to 3rd countries and safeguards in place
The I.M. Nordic Companies operate in Sweden, Denmark, Finland, Estonia, Lithuania and Latvia
Generally, we are unlikely to transfer your Personal Data outside the EEA. We will only send your data outside of the European Economic Area (‘EEA’) to:
- Follow your instructions.
- Comply with a legal duty.
- Work with our agents and advisers (including vehicle manufacturers) who we use to help run our businesses.
If we do transfer Personal Data to our agents or advisers outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. We’ll use one of these safeguards:
Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA.
Put in place a contract with the recipient that means they must protect it to the same standards as the EEA.
Transfer it to Organisations that are part of Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to what is used within the EEA.
8. How long your information will be held
If we collect your Personal Data, the length of time we retain it is determined by a number of factors including the purpose for which we use that data and our obligations under other laws.
We do not retain Personal Data in an identifiable format for longer than is necessary.
We may need your Personal Data to establish, bring or defend legal claims, in which case we will retain your personal information for 7 years after the last occasion on which we have used your personal information in one of the ways specified in How will your information be used? in paragraph 3 above.
The only exceptions to this are where:
- the law requires us to hold your Personal Data for a longer period, or delete it sooner;
- you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted in this paragraph, or because we are required under the law (see further Erasing your Personal Data or restricting its processing in paragraph 9) below;
- and in limited cases, the law permits us to keep your personal information indefinitely provided we put certain protections in place.
We may use your Personal Data to tell you about relevant products and offers. This is what we mean when we talk about ‘marketing’.
The Personal Data we have for you is made up of what you tell us, and data we collect when you buy one of our products from us or one of our dealers. We may also collect digital data relating to your web browsing and your interactions with our marketing emails.
We study this to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.
We can only use your Personal Data to send you marketing messages if we have either your consent or a ‘legitimate interest’. That is when we have a business or commercial reason to use your information. It must not unfairly go against what is right.
You can ask us to stop sending you marketing messages by contacting us at any time.
Whatever you choose, you'll still receive details of product recalls, and other important information.
We may ask you to confirm or update your choices. We will also ask you to do this if there are changes in the law, regulation, or the structure of our business.
If you change your mind you can update your choices at any time by contacting us or by utilising our Automotive Preference Centre.
'Cookies' are small pieces of information sent to your device and stored on its hard drive to allow our websites to recognise you when you visit. For more information on how we handle cookies click here
11. Your rights as a Data Subject
- Your ‘data subject’ rights:
You have a number of rights in relation to your Personal Data under GDPR. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your Personal Data. Except in rare cases, we will respond to you within 30 days after we have received this information or, where no such information is required, after we have received your request.
- Accessing your Personal Data
You have the right to ask for a copy of the information that we hold about you by emailing or writing to us at either of the addresses in paragraph 1 of this privacy notice. We may not provide you with a copy of your Personal Data if this concerns other individuals or we have another lawful reason to withhold that information.
- Correcting and updating your Personal Data
The accuracy of your personal data is important to us and we are working on ways to make it easier for you to review and correct the information that we hold about you.
In the meantime, if you change your name or address/email address, or you discover that any of the other information we hold is inaccurate or out of date, please let us know by contacting us.
- Withdrawing your consent
Where we rely on your consent as the legal basis for processing your Personal Data, as set out under in paragraph 4 above, you may withdraw your consent at any time by contacting us using the details in paragraph 1 of the privacy notice.
- Objecting to our use of your Personal Data and automated decisions made about you.
Where we rely on our legitimate business interests as the legal basis for processing your Personal Data for any purpose(s), as outlined under paragraph 4, you may object to us using your Personal Data for these purposes by emailing or writing to us at either of the addresses in paragraph 1 of this privacy notice. Except for the purposes for which we are sure we can continue to process your Personal Data, we will temporarily stop processing your Personal Data in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification as to why we need to continue using your data.
You may object to us using your Personal Data for direct marketing purposes and we will automatically comply with your request.
- Erasing your Personal Data or restricting its processing
In certain circumstances, you may ask for your Personal Data to be removed from our systems by emailing or writing to us at either of the addresses in paragraph 1 of this privacy notice. Unless there is a reason that the law allows us to use your Personal Data for longer, we will make reasonable efforts to comply with your request.
You may also ask us to restrict processing your Personal Data in the following situations:
• where you believe it is unlawful for us to do so,
• you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings.
In these situations, we may only process your Personal Data whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.
- Transferring your Personal Data in a structured data file
Where we rely on your consent as the legal basis for processing your Personal Data or need to process it in connection with your contract, as set out under paragraph 4 above, you may ask us to provide you with a copy of that information in a structured data file. We will endeavor to provide this to you electronically in a structured, commonly used and machine readable form, such as a CSV file.
12. How to make a complaint to us and our supervisory authority
You have the right to complain to the Information Commissioners Office (ICO) if you are concerned about the way we have processed your Personal Data. Please visit the ICO’s website for further details.