IM Group Privacy Notice
Last updated 03 July 2020
IM Group is dedicated to protecting the confidentiality and privacy of information entrusted to us in accordance with the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. Please read this Privacy Notice to learn about your rights, what information we collect, how we use and protect it.
1. Who are we?
This Privacy Notice applies to IM Group and its entities, namely, IM Group Limited, IM Facilities Limited, International Motors Limited, Subaru (UK) Limited, Isuzu (UK) Limited, IM Parts and Service Limited, Daihatsu Vehicle Distributors Limited, IM Trade Assist Limited, Great Wall Motor Distributors (UK) Limited, IM Insurance Limited, International Motors Finance Limited (49%), IM Automotive Limited, IM European Motors Limited, IM Properties PLC, IM Properties (Coleshill) Limited, IM Properties Development Limited, IM Properties Finance Limited, Spitfire Bespoke Homes Limited, IM Properties (Bvp 1) Limited, IM Properties (Mell Square 1) Limited, The Hub Management Company Ltd, IM Properties (Logistics) Limited, BVP Management Company Limited and I.M. UK Trade Company Limited.
2. Who can you contact for privacy questions or concerns?
If you have questions or comments about this Privacy Notice or how we handle personal data, please direct your correspondence to:
Data Protection Officer
IM Group Ltd
Telephone: 0121 730 8079
3. How do we collect Personal Data?
- Directly: We obtain personal data directly from individuals in a variety of ways, including obtaining personal data from individuals who provide us with their business card(s), complete our online forms, subscribe to our newsletters, attend marketing events we host, visit our offices, have purchased motor vehicles from a member of our nationwide dealer networks, or for recruitment purposes. We may also obtain personal data directly when, for example, we are establishing a business relationship.
- Indirectly: We obtain personal data indirectly about individuals from a variety of sources. We may attach personal data to our customer relationship management system to better understand and serve our customers, subscribers and individuals, satisfy a legal obligation, or pursue our legitimate interests.
- Online: We collect information about you that you give to us via our websites or our social media pages or by contacting us by phone, email or otherwise.
- Cookies: We may automatically collect personal data that our web servers store as standard details of your browser and operating system, the website from which you visit our websites, the pages that you visit on our websites, the date of your visit, and, for security reasons, e.g. to identify attacks on our websites, the Internet protocol (IP) address assigned to you by your internet service. We collect some of this information using cookies, please see our Cookies Policy for further information;
- Social media: We may also collect personal data which you allow to be shared that is part of your public profile on a third-party social network;
- Third party: We may obtain certain personal data about you from sources outside our business which may include our dealer networks or other third-party companies, such as estate agents.
- Analytical / trend data: From time to time we also hold marketing and analytical data relating to our customers including history of those communications, whether our customers open them or click on links, and information about products or services we think our customers may be interested in, and analytical data to help target offers to our customers that we think are of interest or of relevance. This may include insights about customers or potential customers gained from analysis or profiling of customers.
- Recruitment: We may obtain personal data about candidates from an employment agency to aid in recruitment.
4. What Information do we collect?
The IM Group and its entities operate in various markets, but mainly in automotive and property. We may obtain the following categories of personal data about individuals:
- Personal data: Here is a list of personal data we commonly collect to conduct our business activities:
- Contact details E.g. Name, physical address, and sometimes work and mobile numbers, date of birth, gender and marital status
- In the automotive division we capture names and addresses when vehicles are registered. We need to do this as part of our contractual obligation to provide breakdown cover for new vehicles. This data is passed to organisations such as the AA and the RAC.
- Very occasionally, we also hold details of our customers financial arrangements where there is a business-related need for us to do so.
- CCTV at some of our sites may collect images of visitors. Our policy is to automatically overwrite CCTV footage within 30 days.
- Your opinion of our products through surveys we will send you about our vehicles, products services, and dealerships;
- Sensitive personal data: We typically do not collect sensitive or special categories of personal data about individuals other than our own employees.
- Child data: Although we do not intentionally collect information from individuals under 13 years of age.
- Location-based data: We may process geographical locations you enter when seeking an office near you.
- Correspondence: We also hold electronic copies of our correspondence sent to or received from our customers and any contractors and suppliers who work with us. This correspondence is primarily in email format, mainly where an issue/problem has been raised by the customer and we write back, advising of the course of action being taken to resolve the issue.
- Profiling: From time to time we also hold marketing and analytical data relating to our customers including history of those communications, whether our customers open them or click on links, and information about products or services we think our customers may be interested in, and analytical data to help target offers to our customers that we think are of interest or of relevance. This may include insights about customers or potential customers gained from analysis or profiling of customers.
5. How will your information be used?
IM Group will only use the personal data for the benefit of its customers or for some other lawful purpose. For example, we may use your personal data:
- In the automotive division we capture names and addresses when vehicles are registered. We need to do this as part of our contractual obligation to provide breakdown cover for new vehicles. This data is passed to organisations such as the AA and the RAC;
- for analysis, and profiling to inform our marketing strategy, and to enhance and personalise your customer or visitor experience;
- for market research in order to continually improve the products and services that we and our authorised dealers and agents deliver to you;
- for marketing activities e.g. to tailor marketing communications or send targeted marketing messages via social media and other third-party platforms;
- to create a better understanding of you as a customer or visitor;
- for client entertainment (including staff parties and dealer conference, or similar events);
- to administer our websites and for internal operations, including troubleshooting, testing, statistical purposes;
- for the prevention of fraud and other criminal activities;
- to undertake credit checks for finance;
- to correspond and communicate with you;
- for network and information security for us to take steps to protect your information against loss or damage, theft or unauthorised access;
- for efficiency, accuracy or other improvements of our databases and systems e.g. by combining systems or consolidating records we or our group companies hold about you;
- for general administration including managing your queries, complaints, or claims, and to send service messages to you.
- to comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request);
- for the purposes of corporate restructure or reorganisation or sale of our business or assets;
- to enforce or protect our contractual or other legal rights or to bring or defend legal proceedings; and
- for direct marketing communications and related profiling to help us to offer our customers relevant products and service, including deciding whether to offer our customers certain products and service. We’ll send marketing to our customers by SMS, email, phone, post, social media and digital channels (for example, using Facebook Custom Audiences and Google Custom Match). Offers may relate to any of our products and services as well as to any other offers and advice we think may be of interest
- to provide personalised content and services to our customers, such as tailoring our products and services, our digital customer experience and offerings, and deciding which offers or promotions to show our customers on our digital channels
- We may use your personal data to tell you about relevant products and offers. This is what we mean when we talk about ‘marketing’. The personal data we have for you is made up of what you tell us, and data we collect when you buy one of our products from us or one of our dealers. We may also collect digital data relating to your web browsing and your interactions with our marketing emails.
- We may use our customers’ home address, phone numbers, email address and social media or digital channels (for example, Facebook, Google and message facilities in other platforms) to contact you according to our customers’ marketing preferences.
We study this to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you. We can only use your personal data to send you marketing messages if we have either your consent or a ‘legitimate interest’. That is when we have a business or commercial reason to use your information. It must not unfairly go against what is right. You can ask us to stop sending you marketing messages by contacting us at any time. Whatever you choose, you’ll still receive details of product recalls, and other important information. We may ask you to confirm or update your choices. We will also ask you to do this if there are changes in the law, regulation, or the structure of our business. If you change your mind you can update your choices at any time by contacting us. It will never sell the personal data to a third party. We will only pass the personal data to third parties where there is a business driven need to do so and where we have an Article 28 Agreement in place with them.
6. What is our legal basis for processing your data?
Where we do not have your consent pursuant to Article 6 1. (a) of GDPR, we always have a legitimate interest pursuant to Article 6 1. (f). In addition, or alternatively from time to time we process personal data pursuant to lawful bases contained in other provisions of Article 6 such as the performance of a contractual obligation.
- Consent: there may be circumstances where we hold personal data with your consent, such as when you provide it to us through online forms or an events registration system. You can remove your consent at any time. You can do this by contacting email@example.com.
- Contractual Obligations: we often have a duty to process personal data as part of a contractual obligation. In these circumstances we will only retain personal data for as long as is necessary to fulfil that obligation.
- Legal obligations: We may process personal data in order to meet our legal and regulatory obligations or mandates
- Vital interests: the processing is necessary to protect someone’s life.
- Legitimate Interest: to enable us to carry on our various businesses we inevitably need to process personal data in a vast variety of situations. Where we rely on Legitimate Interest we will always carry out, beforehand, a Legitimate Interest Assessment to ensure that our use of personal data does not exceed that which is strictly necessary to perform the job in hand, nor that it unnecessarily infringes the rights and expectation of privacy of the Data Subject.
a) Some Examples: in some cases, we may have multiple legal bases for processing your data. For example, if we need to notify vehicle owners of a safety recall campaign initiated by the manufacturer, we may need to contact all current vehicle owners which will include not only our direct customers but also people who purchased their vehicle second hand. Accordingly, we must obtain a list of all current keepers from DVLA and use it to contact the current keepers to direct them to their nearest authorised dealer
b) Legitimate Interest is also the basis of some of our Direct Marketing communications and related profiling to help us to offer our customers relevant products and services, including deciding whether to offer our customers certain products and services. We will send marketing to our customers by SMS, email, phone, post and social media and digital channels for example, using Facebook Custom Audiences and Google Custom Match. (In some cases, however, we will also have consent of our customers for direct marketing communications).
Whatever the legal basis upon which our processing rests we always aim to practise data minimisation so as to ensure that we only hold that personal data which is necessary for the task in hand and that we only retain that data for as long as necessary to fulfil our legal obligation or legitimate business interest. We never transfer personal data to third parties unless we have a proper reason for doing so and where we have an Article 28 agreement (or equivalent) in place. Privacy by Design is the principle we follow whenever we gather, use or process personal data.
7. Who receives your information?
As well as IM Group and its entities, we often share the personal data with third parties who carry out processing on our behalf pursuant to the terms of an Article 28 agreement. Such processing is necessary for IM Group to do their job properly and to service the needs of its customers throughout its various businesses. As a generality, such third parties fall into the following main categories:
- Car Dealerships within our dealer networks
- Roadside Assistance Providers (e.g. AA and RAC)
- Holders of the Vehicle Safety Recall Databases (e.g. SMMT and SIMI)
- Insurance Companies
- Accident Management and Repair Service Providers
- Estate Agents
- Fraud Prevention Agencies
- Credit References
- Agents and Advisers who we use to help us carry out our business
8. Where your information is stored and how it is kept secure
On our secure computer systems and in some cases in hard form in our offices or in our onsite storage facility. We have invested in state of the art technical and organisational security measures to safeguard your personal data.
9. Transfers to third countries and safeguards in place
IM Group operate in the following countries:
- UK, Guernsey
- Republic of Ireland
- Sweden, Denmark, Finland, Estonia, Lithuania and Latvia
- People’s Republic of China
- United States
Generally, we are unlikely to transfer your personal data outside the European Economic Area (‘EEA’). We will only send your data outside of the EEA to:
- Follow your instructions.
- Comply with a legal duty.
- Work with our agents and advisers (including vehicle manufacturers) who we use to help run our businesses.
If we do transfer personal data to our agents or advisers outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. We’ll use one of these safeguards:
- Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA.
- Put in place a contract with the recipient that means they must protect it to the same standards as the EEA.
- Transfer it to Organisations that are part of Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are like that used within the EEA.
10. How long your information will be held
If we collect your personal data, the length of time we retain it is determined by several factors including the purpose for which we use that data and our obligations under other laws. We do not retain personal data in an identifiable format for longer than is necessary.
We may need your personal data to establish, bring or defend legal claims, in which case we will retain your personal information for 7 years after the last occasion on which we have used your personal information in one of the ways specified in How will your information be used? in paragraph 4 above. The only exceptions to this are where:
- the law requires us to hold your personal data for a longer period, or delete it sooner;
- you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted in this paragraph, or because we are required under the law (see further Erasing your personal data or restricting its processing in paragraph 12) below;
- and in limited cases, the law permits us to keep your personal information indefinitely provided we put certain protections in place.
12. Do we link to other websites?
Our websites may contain links to other sites, including sites maintained by our partners or member dealerships that are not governed by this Privacy Notice. Please review the destination websites’ privacy notices before submitting personal data on those sites. Whilst we try to link only to sites that share our high standards and respect for privacy, we are not responsible for the content, security, or privacy practices employed by other sites.
13. What is your data protection rights?
Under data protection law, you have rights including:
- Your right of access: You have the right to ask us for copies of your personal information.
- Your right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing: You have the the right to object to the processing of your personal information in certain circumstances.
- Your right to data portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
If you would like to exercise your Data Subject Rights, you can email firstname.lastname@example.org. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
14. How to make a complaint to us and our supervisory authority
If you have any concerns about our use of your personal information, you can make a complaint to us at email@example.com
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
15. Do we change this Privacy Notice?
We regularly review this Privacy Notice and will post any updates to it on this webpage. This Privacy Notice was last updated on 03 July 2020.