Privacy Policy

1. About this notice
   1. This notice was last updated on the 23rd May 2018.
   2. 1.2 This privacy notice (“notice”) describes what types of personal data GGH Holdings Limited and companies within the GGHH Group (referred to throughout this notice as “GGHH Group”, “we”, “us” or “our”) collect from you, when, how and why it is collected, used and disclosed and how it is kept secure when you use our website www.griersonandgraham.com and when you purchase goods or services from us.
   3. It is important that you read this notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This notice supplements the other notices and is not intended to override them.
   4. This website and our services are not intended for children and we do not knowingly collect personal data relating to children.
   5. please do not provide us with any of your personal data unless you have the permission of your parent or guardian to do so.
   6. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us by contacting us using the details in Section 3 (How to contact us or make a complaint).
2. Changes to this notice
3. The contents of this notice may change from time to time. We will post any updates to this notice on our website www.griersonandgraham.com/privacy-policy. You may wish to check this page to ensure you are still happy to share your personal data with us. Where we make material changes to this notice, we will also contact you directly to notify you of these changes.
4. How to contact us or make a complaint
   1. We have appointed a data protection officer who is responsible for overseeing data protection for the GGHH Group. If you have any questions about this notice, your rights under data protection legislation as set out in Section 12 (What rights you I have under data protection legislation?) or the processing of your personal data generally you can contact us free of charge at any time by using the details below:
      1. By sending an email to our Data Privacy & Compliance Team data.team@griersonandgraham.com
      2. By writing to us at Data Privacy & Compliance Team, GGHH Limited, 51 Rae Street, Dumfries, DG1 1JD.
      3. By calling us on 01387 257800
   2. If you are dissatisfied with our use of your personal data or our response to any exercise of these rights you have the right to complain to your data protection authority, this in the UK is the Information Commissioner's Office (ICO) www.ico.org.uk.
      
5. Processing another person’s personal data

If you provide us with personal data on behalf of someone else for example you provide your spouse’s name on a loan car form to allow the vehicle to be insured for them to drive, you confirm to us that you have their permission to pass their personal data to us and that they are aware of the contents of this notice and do not have any objection to our processing their personal data in accordance with this notice.

1. Who is the controller for my personal data?
   1. A ‘controller’ is a person or organisation who decides why and how your personal data is collected, used and shared. They are responsible for ensuring that the processing complies with data protection legislation. This notice covers the GGHH Group and companies ‘controllers’ within this group see Section 19 (Which GGHH Group Companies are covered by this notice?) for more information.
2. What personal data do we collect about you?
   1. Personal data means any information about a living individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We collect and process personal data about you which we have grouped together into different types of data to make it easier for you to understand what we do with your personal data and what our legal basis is for processing the personal data. Details of how we process your personal data and why are set out in Section 11 (Why we process your personal data) and details of the legal bases we rely on to process your personal data are set out in Section 10 (What is the legal basis for processing your personal data):
      1. Contact Data – details of your name(s), home address, previous home address, home phone number (including mobile), home email, work address, work phone numbers (including mobile);
      2. Identity Data – details of your passport, drivers licence, date of birth, utility bills, national insurance number;
      3. Financial Data – details of your bank account, bank statements, payment card details, vehicle purchase agreement, your employment history and salary if required as part of your finance application;
      4. Transaction Data – details about payments to and from you and other details of products and services you have purchased from us.
      5. Website Data - our web servers store as standard details of your browser and operating system, the website from which you visit our websites, the pages that you visit on our websites, the date of your visit to the website, web browsing behaviour, demographics, profiling and statistics and the internet protocol (IP) address assigned to you by your internet service provider. For more details about how we collect your personal data through the use of cookies please see Section 18 (Cookies and how we use these to process your personal data).
      6. Location Data – details of your travel history or home address will be collected if a loan car has a vehicle tracker fitted or you have used the satellite navigation system in the loan vehicle provided by GGHH Group.
      7. Image Data – photographic images and footage of you is collected via the operation of CCTV when you come into our showrooms or visit our dealerships.
      8. Vehicle Data – details of your number plate is collected through the use of automatic number plate recognition technology you when you drive into our dealership for a pre-booked service. You will provide details of your vehicle to us to make a service booking although not personal data this will be the registration number, make, model and type of vehicle. If you purchase a vehicle from GGHH Group we will retain details of the vehicle on our systems.
      9. Audio Data – details of telephone voice calls maybe recorded for monitoring, dispute resolution and training purposes when you contact us or we contact you from our dealerships or customer service teams in our contact centres.
      10. Social Network Data – detail of personal data that is part of your public profile on a third party social network may be collected if you like, follow, message, post opinion or comment on our GGHH Group social media pages.
      11. Family Data – details of your direct family such as their name for example to purchase a vehicle for them and allow the vehicle to be registered to the correct keeper.
      12. Public Authority Data – details about you and your vehicle held with the driving and vehicle licencing agency (DVLA) including any penalties you may have on your driving licence.
   2. As a whole we do not collect the following special categories of personal data about you, details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, and information about your health or genetic and biometric data. Nor do we collect any information about criminal convictions and offences. In limited circumstances for example if you lease a vehicle via the third party Motability scheme we may collect details about your disability and mobility allowance to administer your application and check your eligibility to join the scheme. For further details about this scheme please visit Motability’s website https://www.motability.co.uk.
   3. We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
3. If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

1. Where do we get your personal data from?
   1. Personal data you have given to us. We collect personal data when you provide this to us directly in the scenarios listed below:
      1. by entering personal data via our websites, live chat boxes or social media platforms and through testimonials and opinions you may have posted publically on our websites or social media platforms;
      2. when you contact our customer service teams based in our call centres;
      3. on an enquiry form during a showroom, manufacturer or third party event that you have attended;
      4. when you register interest in a vehicle in one of our dealerships;
      5. when you complete customer surveys, provide feedback or participate in competitions we run online and in our dealerships;
      6. when you place any order for our goods, products or services for example when you purchase a vehicle or book an appointment for your vehicle to be serviced in our dealership;
      7. when you apply for a loan, personal contract purchase or lease agreement from one of our accredited finance providers to purchase your vehicle;
      8. when you part exchange your vehicle and provide full service history of that vehicle;
      9. when you provide documents to evidence your vehicle is covered by a valid insurance policy;
      10. when you respond to an advertisement or any other promotional communication we may have sent to you;
      11. by corresponding with us by phone, email, in person or otherwise (for example via social media) for any other purpose.
   2. Personal data we may receive from within the GGHH Group. We collect the personal data from the GGHH Group of companies in the scenarios listed below:
      1. for accounting purposes your personal data is included on invoices;
      2. to handle complaints or to provide information you have requested.
   3. Personal data we may receive from vehicle manufacturers. We collect the personal data from vehicle manufactures in the scenarios listed below:
      1. if you have requested a brochure, test drive, specific detail about a vehicle or registered an interest in a vehicle the manufacturer will share your personal information with our dealership;
      2. to provide vehicle support services for warranty or in the event of safety recall;
      3. if you exercise your rights to access, to erasure, etc. as detailed in section 12 we will receive notification from the manufacturer.
   4. Personal data we may receive from finance providers and brokers. We collect the personal data from finance providers in the scenarios listed below:
      1. If you have engaged a third party broker to act on your behalf to administer the purchase of a vehicle;
      2. Our approved finance providers have a legitimate interest to provide your details to GGHH Group to allow us to contact you to discuss your options during the term of the loan contract. For example if you have a Personal Contract Purchase (PCP) contract which is about to end in 6 months we will discuss all your options with you such as how to pay the balloon payment, changing your vehicle or returning your vehicle to allow you to make an informed decision before the contract ends.
   5. Personal data we may receive from insurance providers. We collect the personal data from insurance providers in the scenarios listed below:
      1. when we are required to carry our repairs on your vehicle as part of a claim you have made through your insurance company for the purposes of carrying out those repairs and providing you with a loan car.
   6. Personal data we may receive from regulatory bodies. We collect personal data from regulatory bodies in the scenarios listed below:
      1. from the Driver and Vehicle Licencing Agency (DVLA) to confirm if you hold a valid driving licence to allow the provision of a loan car or a test drive.
   7. Personal data we may receive from other public sources. We collect the personal data from the following public sources in the scenarios listed below:
      1. to assist the police or other public authorities with their enquiries and/or investigations.
2. Sharing your personal data with third parties
   1. We share your personal data with the GGHH Group of companies (as set out in Section 18 (Which GGHH Group companies are covered by this notice?) for the following purposes:
      1. for sending communications or direct marketing to customers by brand;
      2. for accounting purposes your personal data is included on invoices;
      3. to handle complaints or to provide information you have requested.
   2. We share your personal data with the manufacturers listed in Section 18 (List of manufacturers with whom we share your personal data) because the GGHH Group is an authorised retailer for these manufacturers. A link to each manufacturer’s privacy notice can be found next to their name or you can obtain a copy of this link at any time by contacting us at data.team@griersonandgraham.com. The personal data is shared for the following purposes:
      1. to fulfil your order for a vehicle;
      2. for warranty purposes relating to your vehicle;
      3. to diagnose and fix problems with your vehicle; and
      4. where you have provided your consent, for marketing communications. Please see Section 14 (Using your personal data for marketing and how to opt-out) for details about how you withdraw your consent to marketing.
   3. We share your personal data with our accredited finance providers for the following purposes:
      1. to administer your finance application on your behalf with our accredited finance providers;
      2. to allow you facilitate funding to purchase a vehicle.
      3. We process information relating to your finance application on behalf of GGHH Group’s approved finance providers who are acting as data controller.
   4. We share your personal data with our insurance providers for the following purposes:
      1. If you decide to purchase additional regulated or non-regulated products or services during the sale or after the sale of your vehicle we may pass your personal data to the relevant provider to fulfil your request. For example if you purchase a Guaranteed Asset Protection (GAP) insurance policy for your vehicle we will pass your personal data to the insurance provider Global / AXA.
   5. We do not sell your personal data to third parties. However, we may from time to time disclose your personal data to the following categories of companies or organisations to which we pass the responsibility to handle services on our behalf: roadside assistance service providers, vehicle collection & delivery, accident management, external third party body shops, direct marketing communications agencies and consultants, market research and market analytics service providers, our legal and other professional advisors.
   6. We take steps to ensure that any third-party partners who handle your personal data comply with data protection legislation and protect your personal data just as we do. We only disclose personal information that is necessary for them to provide the service that they are undertaking on our behalf. We will aim to anonymise your personal data or use aggregated none specific data sets where ever possible.
3. What is the legal basis for processing your personal data?
   1. We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
      1. Contractual performance – where we need to process your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
      2. Legal or regulatory obligation – when we have to process your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
      3. Legitimate interest – when it is in our legitimate interest (or that of a third party) and those interests do not override your rights and freedoms, for example when it is in the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us using the contact details set out in Section 3 (How to contact us or make a complaint).
      4. Vital interests – where it is necessary to process your personal data to protect your vital interests or another person.
      5. Consent – generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by us using the contact details set out in Section 3 (How to contact us or make a complaint).
4. Why we process your personal data
   1. We have set out below, in a table format, a description of all the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
   2. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us using the contact details set out in Section 3 (How to contact us or make a complaint) if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
   3. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please us using the contact details set out in Section 3 (How to contact us or make a complaint). If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
   4. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

When you are making an enquiry or negotiating to buy a vehicle

Processing activity: To respond to enquiries you send to us and fulfil the requests you make to us for example send a brochure or to provide detail of the vehicle specification you have enquired about.

Type of data: Contact data / Audio data

Legal Basis: Contractual performance / legitimate interest

Processing activity: If you enquire about a used vehicle we will send via our provider CITnow a video presentation by email which shows the vehicle in detail in the footage.

Type of data: Contact data

Legal Basis: Contractual performance / legitimate interest

Processing activity: When you provided your personal information to a third party website to enquire about a vehicle advertised for example Auto trader or Car Wow. Your personal data will be forwarded to a GGHH Group dealership to follow up your request.

Type of data: Contact data

Legal Basis: Legitimate interest

Processing activity: To arrange a test drive we have a legal obligation to check you hold a valid driving licence as required by law and for insurance purposes.

Type of data: Contract data / Identity data

Legal Basis: Contractual performance / Legal or regulatory obligation

Processing activity:Photographic images and footage of you is collected via the operation of CCTV when you come into our showrooms or visit our dealerships. This is for security, crime prevention and required for insurance purposes.

Type of data: Image data

Legal Basis: Legitimate interest

Purchasing a vehicle
Processing activity: Completion of all mandatory sales documentation to purchase a vehicle and make payment non-finance

Type of data: Contact data / Identity data / Vehicle data / transaction data / Family data if applicable

Legal Basis: Contractual performance

Processing activity: To share your personal data with manufacturer systems to allow vehicle ordering, in car systems setup, and activation of services and products for the vehicle including warranty

Type of data: Contact data / Vehicle data / Family data if applicable

Legal Basis: Contractual performance

Processing activity: To administer the manufacturers complimentary insurance on your behalf ( if applicable to that manufacturer)

Type of data: Contact data / Family data if applicable

Legal Basis: Contractual performance / Legal or regulatory obligation

Processing activity: Registering and taxing the vehicle with the DVLA

Type of data: Contact data / Vehicle data

Legal Basis: Contractual performance / Legal or regulatory obligation

Processing activity: To provide or manage any information, products or services you have asked for specifically related to the purchase of your vehicle for example the purchase of a GAP policy or paint protection product.

Type of data: Contact data

Legal Basis: Contractual performance / Consent

Processing activity: If you are part exchanging / selling your vehicle to our dealership we will check your vehicle details via third party provider CAP-HPI this includes vehicle mileage, condition, outstanding finance and history before making an offer to buy the vehicle.

Type of data: Vehicle data

Legal Basis: Contractual performance / Legal or regulatory obligation

Processing activity: We will send a customer survey to you following your vehicle purchase to gain your feedback about our products and services provided.

Type of data: Contact data

Legal Basis: Legitimate Interest

Purchasing a vehicle with finance
The processing activity detailed in the table below is in addition to ‘purchasing a vehicle’ if you would like GGHH Group to arrange finance for you.

Processing activity: To administer and arrange finance for you to purchase or lease a vehicle.

Type of data: Contact data / Vehicle data / Identity data / Financial data

Legal Basis: Legal or regulatory obligation / Legitimate interest

Processing activity: Completion of all documents to comply with the financial conduct authority guidelines when administering finance on your behalf.

Type of data: Contact data / Vehicle data / Identity data / Financial data

Legal Basis: Legal or regulatory obligation

Processing activity: GGHH Group will enter your personal details into the finance providers system which allows the finance provider to conduct a credit check and affordability assessment on you before making a decision whether to offer you finance to fund your vehicle.

Type of data: Contact data / Vehicle data / Identity data / Financial data

Legal Basis: Contractual performance / Consent

Processing activity: If your application for finance is declined by the finance provider we will advise you of this before sending your personal information to another lender for consideration. We will always seek your consent before passing your application to other GGHH Group approved finance providers or credit brokers.

Type of data: Contact data / Vehicle data / Identity data / Financial data

Legal Basis: Consent

Vehicle maintenance, repairs and servicing
Processing activity: To contact you to book an appointment to bring your vehicle into the dealership which falls under your service contract or service plan for your vehicle.

Type of data: Contact data / Vehicle data

Legal Basis: Contractual performance

Processing activity: To collect or deliver your vehicle outside our dealership for example to collect your vehicle from your home or work address to undertake service works on the vehicle. This service maybe outsourced to an approved third party vehicle delivery company.

Type of data: Contact data / Vehicle data

Legal Basis: Contractual performance

Processing activity: Arranging a courtesy car subject to availability. If we agree to provide a courtesy vehicle to you for the duration of the works on your vehicle you will be asked to provide a copy of your driving licence. This is for insurance purposes and to ensure you hold a valid driving licence. If you incur any speeding, parking or other motoring offences when using the vehicle you will be liable for all costs and we will forward your contact data to the third party enforcing the penalties.

Type of data: Contact data / Vehicle data / Identity data

Legal Basis: Contractual performance / Legal or regulatory obligation

Processing activity: Aftersales, we will contact you in relation to all on-going servicing, repairs and maintenance of your vehicle, including manufacturer warranty claim.

Type of data: Contact data / Vehicle data / Audio data

Legal Basis: Contractual performance / Legitimate interest

Processing activity: Rectification works to your vehicle as part of an insurance claim. Your insurance provider may request your vehicle is repaired by one of our approved body shops and they will share your personal information with GGHH Group for this purpose.

Type of data: Contact data / Vehicle data

Legal Basis: Contractual performance / Legitimate interest

Processing activity: We may capture your vehicle registration number when you drive onto our dealership premises using ANPR to recognise you in relation to your service booking.

Type of data: Contact data / Vehicle data/ Image data

Legal Basis: Contractual performance / Legitimate interest

Processing activity: Breakdown assistance, your personal details are provided by the breakdown provider to GGHH Group to complete the repairs for example the AA towed your vehicle to our dealership for repair.

Type of data: Contact data / Vehicle data

Legal Basis: Contractual performance / Legitimate interest

Processing activity: We will contact you to notify you when your vehicle is due for servicing or MOT as a duty of care. The legal responsibility for maintaining the vehicle in line with the manufacturer’s guidelines is with you.

Type of data: Contact data

Legal Basis: Legitimate Interest

Processing activity: To contact you if there is an urgent safety or product recall notice issued by the manufacturer to arrange rectification works at our authorised dealership.

Type of data: Contact data / Vehicle data

Legal Basis: Vital interest

Processing activity: We may contact you with other communications relating to manufacturer recommendation for maintenance of your vehicle, vehicle health checks or other similar services.

Type of data: Contact data / Vehicle data

Legal Basis: Legitimate Interest

Processing necessary for us to promote our business and engage with our customers

Processing activity: If you are an existing or new customer to GGHH Group we will send you promotional marketing information including invitations to events in our dealerships and offers from time to time if you have purchased a product or service from us. You have the right to object to us sending you this information at any time. Please see section 14 in this privacy notice for further detail about your rights.

Type of data: Contact data

Legal Basis: Legitimate Interest

Processing activity: If you do not have a previous relationship with GGHH Group or have never negotiated to buy a vehicle or purchased any of our products or services we will only send you marketing communications if you have opted in to receive these communications from May 25th 2018.

Type of data: Contact data

Legal Basis: Consent

Processing activity: To contact you with targeted advertising delivered online through social media and other platforms operated by other companies, unless you object. You may receive advertising based on information about you that we have provided to the platform or because, at our request, the platform has identified you as having similar attributes to the individuals whose details it has received from us. To find out more, please refer to the information provided in the help pages of the platforms on which you receive advertising from us.

Type of data: Social Network data / Website data

Legal Basis: Legitimate interest

Processing activity: To identify and record when you have received, opened or engaged with our website or electronic communications.

Type of data: Contact data / Social Network data / Website data

Legal Basis: Legitimate interest

Processing activity: To administer competitions and promotions that you enter with us from time to time and to distribute prizes.

Type of data: Contact data

Legal Basis: Consent

Processing activity: To undertake market analysis and research (including contacting you with customer surveys) so that we can better understand you as a customer and provide tailored offers, products and services that we think you will be interested in.

Type of data: Contact data

Legal Basis: Legitimate interest

Processing activity: We may take photographic images of you when you collect your new vehicle from the dealership or record video footage during dealership events with your consent to promote our business via social media channels or via our websites.

Type of data: Image data

Legal Basis: Consent

Processing necessary for our business to operate on a daily basis and fulfil data protection laws
Processing activity: For general administration including managing your queries, complaints, or claims.

Type of data: Contact data

Legal Basis: Contractual performance / Legitimate Interest

Processing activity: Processing necessary for us to operate the administrative and technical aspects of our business efficiently and effectively.

Type of data: Contact data

Legal Basis: Contractual performance

Processing activity: For network and information security purposes i.e. in order for us to take steps to protect your personal data against loss, damage, theft or unauthorised access

Type of data: Contact data

Legal Basis: Legal or regulatory obligation

Processing activity: To comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request)

Type of data: All types of data depending on the request

Legal Basis: Legal or regulatory obligation

Processing activity: To inform you of updates to our terms and conditions and policies

Type of data: Contact data

Legal Basis: Legal or regulatory obligation

12. What rights do you have under data protection legislation?

• 12.1 Under certain circumstances, you have rights under data protection laws. These are set out below:
• 12.1.1 The right to request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• 12.1.2 The right to request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• 12.1.3 The right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• 12.1.4 The right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which over ride your rights and freedoms.
• 12.1.5 The right to request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• 12.1.6 The right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• 12.1.7 The right to withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

12.2 If you wish to exercise any of the rights set out above, please contact us using the details set out in Section 3 (How to contact us or make a complaint).

12.3 You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

12.4 We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

12.5 We try to respond to all legitimate requests within one calendar month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

13 How do we keep your personal information secure?

• 13.1 We use a variety of security measures, including encryption and authentication tools, to help protect and maintain security, integrity and availability of your personal data.
• 13.2 Although data transmission over the Internet or website cannot be guaranteed to be secure, we and our business partners work hard to maintain physical, electronic and procedural safeguards to protect your personal data in accordance with applicable data protection requirements. Our main security measures are:
  • 13.2.1 restricted personal access to your data on a 'need to know' basis and for the communicated purpose only;
  • 13.2.2 highly confidential data stored in encrypted form;
  • 13.2.3 firewalled IT systems to prohibit unauthorised access e.g. from hackers; and
  • 13.2.4 permanently monitored access to IT systems to detect and stop misuse of personal data.

14 Using your personal data for marketing and how to opt-out?

• 14.1 If you are wondering why you have received a communication from us, this is because we collected your personal data when we were negotiating a sale for example you asked us for a quotation, etc… You have the right at any time to opt out or update your preferences in terms of the marketing you receive from us and the manner in which we communicate with you. You can change your marketing choices, or withdraw your consent in relation to how GGHH Group use your personal information in one of the following ways:
  • 14.1.1 Through a ‘marketing choices’ link to our data privacy preference centre in every email communication. This link will allow you to update your preferred promotional marketing choices and your preferred method of communication; or
  • 14.1.2 By sending an email data.team@griersonandgrahm.com; or
  • 14.1.3 By calling us on 01387 257800; or
  • 14.1.4 By writing to us at Data Privacy & Compliance Team, GGHH Group, 51 Rae Street, Dumfries, DG1 1JD
• 14.2 Please be aware that if you opt out of marketing communications received from one dealership within the GGHH Group, your personal data may also be held by another dealership within GGHH Group Limited, you will continue to receive information from that dealership until such time as you opt out of marketing activity from that dealership specifically.

15 How long do we keep your personal data?

• 15.1 We retain your personal data only as long as is necessary for the purpose for which we obtained them and any other permitted linked purposes. If personal data is used for two purposes we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period once that period expires. Our retention periods are based on business needs and your personal data that is no longer needed is either irreversibly anonymised or destroyed securely.
• 15.2 Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us using the contact details set out in Section 3 (How to contact us or make a complaint).

16 Third-Party Links contained on our website

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy notices and statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

17 Cookies and how we use these to process your personal data?

• 17.1 A 'cookie' is a piece of information that a website transfers to the cookie file of the browser on your computer's hard disk, so that the website can remember who you are. A cookie will typically contain the name of the domain from which the cookie has come, the 'lifetime' of the cookie, and a value, usually a randomly generated unique number. You can accept or decline cookies by modifying the settings in your browser. However, you may not be able to use all the interactive features of our websites if cookies are disabled. You can restrict the type of cookies being placed on your hard drive when browsing our website by clicking on the button ‘change cookie settings’ at the bottom of the web page.

18 Which GGHH Group companies are covered by this notice?

GGHH Group is registered in Scotland under Company number: 560497 and headquartered in Dumfries.

GGHH Group Limited is authorised and regulated by the Financial Conduct Authority (FCA) for insurance and mediation activities under FRN 653133.

The following GGHH Group companies are covered by this notice. All of these companies have their registered office address at 51 Rae Street, Dumfries, DG1 1JD.

• GGIA Limited – registered in Scotland under Company number: 560575
• Grierson & Graham Ltd – registered in Scotland under Company number: 31432

Which Manufacturers do we share your data with (and link to their Privacy Policy)?

• Honda Motor Europe - http://www.honda.co.uk/cars/useful-links/privacy-policy.html