Privacy Notice

1. Introduction

1.1. Lithia UK takes its obligations about data protection seriously. As such, we are providing this notice (Privacy Notice) to you so that you are provided with information about how Lithia UK collects and processes your Personal Data in accordance with the Data Protection Act 2018 (the Act). Please read this Privacy Notice, as it contains important information that you need to know.

1.2. We have set out our contact details at the end of this Notice which you can use if you have any queries relating to how to access your Personal Data under the Act.

2. About Us

2.1. Lithia UK operates a number of individual companies which includes Lithia UK Holding Limited, Pendragon NewCo2 Limited, Evans Halshaw Limited, Stratstone Limited, Victoria (Bavaria) Limited, Derwent Vehicles Limited, Pendragon Sabre Limited, Pendragon Management Services Limited, Pendragon Vehicle Management Limited, National Fleet Solutions Limited, Car Store Limited, Lancaster UK Limited, Stratstone Specialist Cars Limited, Stratstone Cars Limited, Stratstone Sports Cars Limited, Stratstone Luxury Vehicles Limited, Stratstone Automotive Limited and Wayside Trade Parts Limited (the Operating Companies). All share a registered office at Lithia UK, Loxley House, 2 Oakwood Court Annesley, Nottingham NG15 0DR, together being the Lithia UK of companies (Lithia UK).

2.2. Please note that references to “we”, “us” or “our” means the members of the Lithia UK that process your personal information, being any Lithia UK company or dealership that supplies details about, or provides, vehicles, accessories, parts and/or related services to you.

2.3. In this Privacy Notice, references to “you” means the person whose personal information we collect, use, and process. This includes anyone who contacts us in connection with the products and services we provide or otherwise interacts with us about them including, for example, at any of our dealerships.

2.4. Lithia UK is a “controller”. This means that we are responsible for deciding how we hold and use personal information about you.

3. How Is Your Personal Data Collected And Why?

3.1. For us to provide our products (including vehicles and parts) and our services to you, it is necessary for us to collect, maintain, and process Personal Data about you as a prospective and/ or existing customers. “Personal Data” is information that relates to you and (either on its own or in combination with other information Lithia UK holds) allows Lithia UK to identify you as an individual prospective, existing, and/or historic customer and thus enables us to provide our products and services, or details of them, to you.

3.2. This Notice applies to Personal Data that we collect from or about you, through various websites operated by or for us, such as sites that we operate under our domains/URLs:

• www2.stratstone.com

• news.jardinemotors.co.uk

• bmwshop.jardinemotors.co.uk

• bmw-motorrad.jardinemotors.co.uk

• careers.jardinemotors.co.uk

• www.evanshalshaw.com

• www.stratstone.com

• quickco.co.uk

• evanshalshawleasing.com

• www.pendragonvehiclemanagement.co.uk

• www.jobsatpendragongroup.co.uk

• www.pendragonplc.com

• audishop.stratstone.com

• jaguarshop.stratstone.com

• landrovershop.stratstone.com

• sellyourcar.com

3.3. E-mail, text, and other electronic messages are interactions with electronic communications between you and us.

3.4. Offline registration forms which are printed or digital registration and similar forms that we collect via, for example, postal mail, in our dealerships, contests, and other promotions or events.

3.5. Interactions with our advertisements (e.g. if you interact with one of our advertisements on a third-party website, we may receive information about that interaction).

3.6. In the course of our interactions with you, we may create Personal Data about you (e.g. records of your purchases of any goods and/or services from us).

3.7. Data from other sources which includes third-party social networks (e.g. such as Facebook, and Google), market research (if feedback is not provided on an anonymous basis), third-party data aggregators, promotional partners, public sources, and data received when we acquire other companies.

3.8. Personal Data may be collected from monitoring devices and systems such as closed circuit television (CCTV) within our dealerships and premises. Our CCTV monitors our business premises 24 hours a day and this data is continuously recorded. Images may be monitored by authorised personnel during working hours and can be accessed remotely at other times if required. Live feeds from CCTV cameras are monitored where this is reasonably necessary, for example, to protect health and safety.

3.9. In the interest of ensuring the safety and security of our vehicles and passengers, we may fit dash cams to our courtesy vehicles. We believe we have a legitimate interest in doing so, as it allows us to monitor driving behaviour, address insurance claims, be used in any civil and criminal proceedings, and enhance overall vehicle security. These dashcams are installed to safeguard the interests of both the company and our customers. 

4. What Type Of Personal Information Does Lithia UK Collect

4.1. The Personal Data which we process may include the following:

• your full name and contact information (address, city, post code, email address and telephone number);

• your work address and contact details;

• the details and verification of your driving licence (including carrying out appropriate checks with DVLA) to verify your eligibility to legally drive any of our vehicles and to meet our legal requirements and/or the requirements of our insurers;

• details of your inquiry or interest or preferences about our products or services, such as possible planned purchase or lease date, vehicle(s) brand, make and/or model, or vehicle requirements;

• capturing and sending telematics device data for your specific location, direction, current speed, duration of journey and braking and cornering, amongst other factors to our telematics suppliers’ server and we will use the information to understand road type, speed and other conditions relating to your journey. This information is only available to us when you are provided with a courtesy/ demonstration vehicle and the information will be combined to form a driving score based on your driving behaviour. In addition to the above, the telematics device may also collect vehicle and battery health data;

• records of calls, emails, correspondence with you, and visits to us in relation to such inquiries, negotiations, resultant sales, and/or supplies;

• the registration number, brand, make and model of your vehicle, and GPS data;

• your image, actions, and location if you are recorded on CCTV that we operate on and around our sites;

• if you purchase a vehicle and/or services, information including registration number, brand, make, model, model year, selling dealership, servicing dealership, date of purchase, lease or service history;

• if you purchase vehicle parts, what they are, for which brand, make and model;

• time and date of any purchases or sales by you, including any prices and payment (including bank account and/or credit card) details, data collected on finance applications, payment history, default, and non-payment of any credit;

• with your consent, credit check details and proof of identity/valid driving licence information, such as passport/driving licence and utility bill details;

• demographic information (including your age range, employment status, marital status, and household composition);

• details about any marketing consents and marketing preferences; and

• feedback and survey results.

4.2. Personal Data will be primarily collected from you directly voluntarily. However, some Personal Data may, where lawful to do so, be collected by us from third parties, public sources, individuals who you have indicated have agreed for you to provide their personal information, government, tax, law enforcement agencies, and any other third parties. We may also collect personal information about you from your use of other Lithia UK websites or services. In addition, we may combine your Personal Data with other data held by third parties (such as vehicle and value data to allow us to provide vehicle valuation services). We may also buy in data for marketing purposes.

4.3. Please note that you are under no obligation to provide us with your Personal Data, but not providing such data when requested could prevent us from being able to help you, from providing information or products and/or services to you as requested and from fulfilling your order or contract with us.

4.4. We do not usually collect any Special Categories of Personal Data about you. This includes details about your race or ethnic origin, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data. We do not usually collect any information about criminal convictions and offences, except for any driving or motoring offences revealed from a check of your driving licence.

4.5. For customers with a disability who are seeking to purchase a vehicle supplied by us with the benefit of zero-rated VAT relief (or any other tax benefits, as amended from time to time by law), we may require proof of your eligibility (including appropriate medical information) to process the benefit(s) or otherwise to process the transaction under the scheme rules, any relevant guidance and recognised best practice.

5. Personal Data Of Children
We do not knowingly solicit or collect Personal Data from children below the age of 16. If you believe we have collected information from your child in error or have questions or concerns about our practices relating to children, please contact us as described below.
6. Your Personal Data Collected On Our Website

6.1. When you visit our websites, we may automatically collect standard internet and website log information and details of patterns about how website visitors behave. The information we may collect includes information about your Internet service provider, your operating system, browser type, domain name, the Internet protocol (IP) address of your computer (or other electronic Internet-enabled device), your access times, the website that referred you to us, the web pages you request and the date and time of those requests. This may allow us to find out which parts of the website are popular or need changing or to show you products and services of relevance to you, either on our website or through online advertising on Google, Facebook, or other websites. These details are in addition to other Personal Data collected from you but, unless you register an account with us and use that on our website, your website usage details are not linked to other Personal Data we may collect about you.

6.2. Our websites use information and may also involve the use of cookies and Web beacons. Please see our Cookies Policy for more information.

6.3. Our website allows you to interact with us in many ways, including raising customer service inquiries, emailing us if you have a question, any feedback, suggestions for us to consider as well as interacting with us through our social media accounts including Facebook, Twitter and Live Chat.

7. Why And For What Purposes Do We Need Your Personal Data?

7.1. Lithia UK processes Personal Data about you for several purposes, including:

• to one of our dealerships, or to arrange a test drive;

• for internal record keeping (including customer inquiry, deal files, accounting, and complaint files);

• for vehicle number plate recognition that alerts us when you arrive at some of our dealerships and allows us to improve site on-site security and customer service;

• to provide our products and services to you as requested or agreed;

• to help us review, develop, and improve the products and services we offer, for example through surveys, research, analysis and planning;

• where you are an existing or historic customer, to provide you with updates and promotional offers about our goods and/or services, MOT/Service reminders, and invitations to events, where you have not opted out of receiving such communications from us. Similarly, if you are not an existing customer but have previously enquired about our goods or services, to market you by post or telephone unless you have asked us not to do so;

• to communicate with you to provide you with customer and vehicle support, such as notifying you about changes to our products and services, any issues with them, or product recalls, and to otherwise communicate with you, for example, to respond to queries from you;

• to process and retain Personal Data relating to your credit/debit card (or bank account details) and order details to enable the fulfilment of your order, finance or insurance applications and to deal with any payments, sales proceeds, or refunds of payment;

• to remind you about important dates, such as service due dates and warranty expiry dates;

• to contact you from time to time to ensure your details on record are correct and up to date and to ensure we have your date-to-date preferences for marketing and contact;

• to depersonalise, pseudonymise or fully anonymise and/or aggregate your data to reduce privacy intrusion but facilitate our use of the data for analysis and research, to better understand our business and customer base and their needs, and to improve our products and services and business;

• where necessary as part of any restructuring of Lithia UK or the sale of any Lithia UK company, business, or assets; and

• to carry out security checks to protect against fraudulent transactions at or following any purchase or order you make to prevent and detect criminal activities. For example, we may undertake verification checks to identify any discrepancies with your payment details for fraud prevention and staff training purposes.

7.2. This list is not exhaustive and may be updated from time to time.

7.3. We also may use automated decision-making, where a decision is taken solely based on the automated processing of your Personal Data. This means processing using, for example, software code or an algorithm, which does not require human intervention.

7.4. We use automated decision-making, including profiling, in certain circumstances, such as when it is in our legitimate interests to do so, or where we have a right to do so because it is necessary for us to enter into, and perform, a contract with you. We use profiling to enable us to give you the best service across Lithia UK, including specific marketing in which we believe you will be interested. You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects on you or affects you in any other significant way. If you are seeking to exercise this right, please contact us using the details in section 16 below.

7.5. If you are a prospective customer and/or an existing customer with us, we may use automated decision-making to carry out a credit check on you. In an underwriting context, profiling is routinely carried out on your personal risk information to assess your risk in order to decide on whether to provide you with the goods and/or services. We may also apply automated decision-making to telematics data.

7.6. You have certain rights in respect of automated decision-making, where that decision has significant effects on you, including where it produces a legal effect on you.

8. How Long Do We Keep Your Personal Data?

8.1. We will retain your Personal Data for as long as is reasonably necessary for the purposes for which it was collected. In some circumstances, we may retain your Personal Data for longer periods, for instance where we are required to do so under legal, regulatory, tax, or accounting requirements.

8.2. In specific circumstances we may also retain your Personal Data for longer periods so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your Personal Data or dealings with us.

8.3. We maintain a Data Retention Policy which we apply to records in our care. When your Personal Data is no longer required we will ensure it is either securely deleted or stored in a way that means it will no longer be used by the business.

9. Explaining The Legal Basis To Process Your Personal Data

9.1. We only process your Personal Data when permitted by law. The most common circumstances where we may use your Personal Data include:

Contractual necessity

We will process your data when it is required to fulfil a contract you are involved in or to take steps you have requested before entering into such a contract.

 

Legal or regulatory compliance

We will process your data when necessary to comply with legal or regulatory obligations that apply to us.

 

Legitimate interests

We will process your data when it is in our legitimate interest (or that of a third party) and these interests are not outweighed by your rights and freedoms. For example, this could involve processing your data to conduct and manage our business, ensuring we provide you with the best service or product and a secure experience. Before processing your data for our legitimate interests, we carefully consider and balance any potential impact on you and your rights. We do not use your data for activities where our interests are overridden by the impact on you, unless we have your consent or are otherwise legally required or permitted to do so.

 

Vital interests

We will process your data when it is necessary to protect your vital interests or those of another person.

 

Consent

We generally do not rely on consent as the primary basis for processing your data. You have the right to withdraw your consent to marketing at any time by contacting us using the details provided below.

 


10. Does Lithia UK Share Personal Information With Third Parties?

10.1. We may disclose your personal information to other members of our group of companies as well as companies that are owned by our parent company and fall within the same group.

10.2. We are authorised by several manufacturers to market, sell and supply specific branded vehicles, accessories, parts, and related services, subject to requirements imposed on us by the relevant manufacturer.

10.3. Where you have purchased goods and/or services or expressed an interest in any of the brands we represent, we may share your Personal Data with the relevant manufacturer or brand as we are an authorised retailer for these manufacturers. You can obtain a copy of the manufacturer's privacy policy by contacting us as set out in section 16 below.

10.4. We may also share your Personal Data with:

• our accredited finance providers to administer your finance application on your behalf with our accredited finance providers and/or allow you to facilitate funding to purchase a vehicle or other services; and

• our insurance providers and other added value product suppliers if you decide to purchase or express an interest in purchasing additional regulated or non-regulated products or services during the sale or after the sale of your vehicle. In such instances, we may pass your Personal Data to the relevant provider to fulfil your request.

10.5. If we share your information with third-party partners, the third party’s privacy notice will apply to their processing of your Personal Data.

10.6. Your personal information may also be made available to third parties (within or outside Lithia UK) providing relevant services under contract to us, such as marketing agencies, auditors, compliance managers, insurers, IT hosting, administration and IT maintenance providers (including those companies referred to in this Notice). These companies may use information about you to perform their functions on our behalf.

10.7. Whenever we share your Personal Data with a third party, we take steps to ensure that any third-party partners who handle your Personal Data comply with data protection legislation and protect your Personal Data just as we do. We only disclose personal information that is necessary for them to provide the service that they are undertaking on our behalf. We will aim to anonymise your Personal Data or use aggregated non-specific data sets where possible.

10.8. We may perform credit and identity checks with one or more Credit Reference Agencies (CRAs).

10.9. CRA (credit reference agency) checks involve us sharing your personal information with the UK’s CRAs (Credit Reference Agencies). The CRAs will give us information about you including your financial situation and financial history. CRAs will supply us with both public (including the electoral register) information and shared credit, financial situation and financial history information, and fraud prevention information. We may use this information to assess your financial position and to verify the accuracy of the data you have provided to us. We are required to tell you that the identities of the CRAs, their role also as fraud prevention agencies, the data they hold, how they use and share personal information, data retention periods, and your data protection rights with the CRAs are explained in more detail within the Credit Reference Agencies Information Document (CRAIN). The CRAIN can be found at:

Experian Limited: www.experian.co.uk/crain

Post: Experian, PO BOX 9000, Nottingham, NG80 7WF

Web Address: https://www.experian.co.uk/consumer/contact-us/index.html

Telephone: 0344 481 0800 or 0800 013 8888

10.10. You have a right to apply to the CRAs for a copy of your file. The information they hold may not be the same and there is a small fee that you may need to pay to each agency.

11. Will Your Personal Information Be Transferred Abroad?

11.1. Your personal information may be transferred to, stored, and otherwise processed in one or more countries outside of the European Economic Area (“EEA”). This may happen where our parent company, a manufacturer, supplier, or service provider is from time to time located in a country outside of the EEA.

11.2. We are committed to ensuring that adequate safeguards are in place when transferring Personal Data outside the EEA. We will take appropriate security measures to ensure that your personal information is adequately protected following the requirements of the GDPR.

11.3. Whenever we transfer your Personal Data out of the EEA, we will ensure a similar degree of protection is afforded to it as set out in this Notice. These steps include imposing contractual obligations on the recipient of your Personal Data or ensuring that the recipient is subscribed to recognised international frameworks for the protection of your Personal Data.

11.4. Please contact us using the details at the end of this Notice for more information on the specific mechanism used by us when transferring your Personal Data out of the EEA.

12. Using Your Personal Data For Direct Marketing

12.1. We may wish to provide you with information about new products, services, promotions, and offers which may be of interest to you and may invite you to take part in market research or request feedback on our products and services and our services.

12.2. We may collect your marketing preferences by e-mail, telephone call or message, post or text/SMS. We will obtain your consent and advise you on how to opt out of receiving such communications where we are required to do so in accordance with applicable law.

12.3. We may contact you with targeted advertising which is delivered through social media by using your personal information or use your personal information to tailor marketing that may be relevant to you, unless you object.

12.4. We may work with selected partners to display relevant online advertisements for you and our other customers on third-party websites and social media platforms. To do this, we may provide our partners with an individual’s personal information in an encrypted format, which they use only to identify the appropriate audiences for our advertisements.

12.5. We have a legitimate interest in using your personal data for marketing purposes. This means we do not usually need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, we will ask for this separately and clearly.

12.6. You do, however, have the right to opt out of receiving marketing communications at any time by:

• contacting us at centraldataservices@lithia.co.uk; or

• using the ‘unsubscribe’ link in emails or the ‘STOP’ number in texts.

12.7. We may ask you to confirm or update your marketing preferences if you ask us to provide further products and/or services in the future, or if there are changes in the law, regulation, or the structure of our business.

13. What Rights Do You Have To Review And Amend Personal Information?

13.1. You have several rights in relation to your Personal Data.

13.2. Where our processing of your Personal Data is based on your consent, you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your Personal Data for that purpose unless there is another lawful basis we can rely on, in which case we will let you know. Your withdrawal of your consent will not impact any of our processing up to that point.

13.3. You may request access to your data, correction of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your data, objection to the processing of your data, exercise rights of data portability and obtain information about any automated decision making and profiling or the basis for international transfers. You may also exercise a right to complain to the Information Commissioner’s Office (“ICO”). For more information about each of these rights, please refer to the table set out below.

Access

You can ask us to:

  • confirm whether we are processing your Personal Data;
  • give you a copy of that data; and
  • provide you with other information about your Personal Data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out any automated decision making or profiling, to the extent that this information has not already been provided to you in this Notice.

Rectification

You can ask us to rectify inaccurate Personal Data. We may seek to verify the accuracy of the data before rectifying it.

Erasure

You can ask us to erase your Personal Data, but only where:

  • it is no longer needed for the purposes for which it was collected; or
  • you have withdrawn your consent (where the data processing was based on consent); or
  • following a successful right to object (see Objection below); or
  • it has been processed unlawfully; or
  • to comply with a legal obligation to which we are subject.
  • We are not required to comply with your request to erase your Personal Data if the processing of your Personal Data is necessary:
  • for compliance with a legal obligation; or
  • for the establishment, exercise, or defence of legal claims.
  • There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request.

Restriction

You can ask us to restrict (i.e. keep but not use) your Personal Data, but only where:

  • its accuracy is contested (see Rectification above), to allow us to verify its accuracy; or
  • the processing is unlawful, but you do not want it erased; or
  • it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise, or defend legal claims; or
  • you have exercised the right to object, and verification of overriding grounds is pending.
  • We can continue to use your Personal Data following a request for restriction, where:
  • we have your consent; or
  • to establish, exercise or defend legal claims; or
  • to protect the rights of another natural or legal person.

Portability

You can ask us to provide your Personal Data to you in a structured, commonly used, machine-readable format, or you can ask to have it ‘ported’ directly to another controller, but in each case only where:

  • the processing is based on your consent or the performance of a contract with you, or
  • the processing is carried out by automated means.

Objection

You can object to any processing of your Personal Data which has our ‘legitimate interests’ as its legal basis if you believe your fundamental rights and freedoms outweigh our legitimate interests.

Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests that override your rights and freedoms.

Automated decision making

You can ask not to be subject to a decision that is based solely on automated processing, but only where that decision:

  • produces legal effects concerning you (such as the rejection of a claim); or
  • •otherwise significantly affects you.
  • In such situations, you can also obtain human intervention in the decision-making, and we will ensure measures are in place to allow you to express your point of view, and/ or contest the automated decision. Your right not to be subject to automated decision-making does not apply where the decision is made:
  • is necessary for entering into or performing a contract with you; or
  • is authorised by law and there are suitable safeguards for your rights and freedoms; or
  • is based on your explicit consent.

However, in these situations, you can still obtain human intervention in the decision-making, and we will ensure measures are in place to allow you to express your point of view, and/or contest the automated decision.

The right to withdraw consent

If you have provided us with consent to use your personal data you have a right to withdraw that consent easily at any time.

 

You may withdraw consent by contacting our Customer Services team, the contact details are set out below.

 

Withdrawing consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn.

13.4. You will not have to pay a fee to access your Personal Data or to exercise any of the other rights within this section. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

13.5. We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data or to exercise any of your other rights. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information about your request to speed up our response.

13.6. We aim to respond to any valid requests within one month unless it is particularly complex or you have made a number of requests in which case we will inform you of this and we will then aim to respond within three months of receipt of the valid original request.

 


14. Data Security

14.1. We have put in place appropriate security measures to seek to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality.

14.2. We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator (such as the Information Commissioner’s Office) of a breach where we are legally required to do so.

14.3. If we have provided you with a password, or if you have chosen your own password, it is your responsibility to ensure that the password is kept confidential.

15. Changes To This Notice

15.1. We will keep this Notice under regular review. We may change this Notice from time to time by updating this Notice in order to reflect changes in the law and/or our privacy practices. The date in paragraph 1.3 at the beginning of this Notice will be updated accordingly.

15.2. We encourage you to check the date of this Notice when you visit our website for any updates or changes. We will notify you of any modified versions of this Notice that might materially affect the way we use or disclose your personal information.

16. Contact And Complaints

16.1. The primary point of contact for all issues arising from this Notice, including requests to exercise data subject access requests, is our Customer Experience Team.

16.2. The Customer Experience can be contacted in the following ways:

Web portal: Stratstone: https://www.stratstone.com/legal/privacy-notice/

Evans Halshaw: https://www.evanshalshaw.com/legal/privacy-notice/

Lithia Motors Group: https://www.2stratstone.com/site/privacy-notice/

(Web portal to be used for Subject Access Requests only)

Helpline: 0800 012 5050

Write to: Customer Experience Team - Lithia UK

Loxley House, 2 Oakwood Court, Little Oak Drive, Annesley, Nottingham NG15 0DR

16.3. If you have a complaint or concern about how we use your Personal Data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with the Information Commissioner’s Office (ICO) at any time.

More Information