Introduction
This Privacy Policy outlines how OEConnection Limited (“OEC”, “we” or “us”) collects and uses personal data on behalf of Toyota (GB) PLC.
This Privacy Policy details the categories of personal data we collect, how we use your personal data, how we protect your personal data, when we may share your personal data with third parties, and when we may transfer your personal data to countries outside of your home country, and what your corresponding rights are concerning the General Data Protection Regulation (EU) 2016/679 (GDPR) and the UK General Data Protection Regulation 31/01/2020 (UK-GDPR) (the “Data Protection Laws”).
We will process your personal data in accordance with this Privacy Policy unless you object or otherwise as required by applicable laws. We will take all reasonable steps to ensure that the personal data we collect about you is adequate, relevant, not excessive, and only processed for limited purposes.
This Privacy Policy is subject to and shall be interpreted in accordance with applicable law, and any disputes relating to this Privacy Policy, or its performance shall be submitted to us and the appropriate authority as defined by applicable law.
What data do we collect about you
Data relating to persons or personal information is any information about a person from which that person can be identified. This does not include data where the identity has been removed (anonymous data). There are different types of personal data we may collect, use, store and share about you, which we have summarized as follows:
- Identity Data – such as first name, last name and title;
- Contact Data – billing address, shipping address, email address, and phone numbers;
- Technical Data – your IP address, login details, browser type and version, browser usage, time zone setting and location, the duration of your visit, the pages you viewed on our website, browser plug-in types and versions, operating system and platform, and other technologies on the devices you use to access this website;
- Profile Data – your username and password, details of specific parts orders, as well as other preferences, feedback and survey responses;
- Usage Data – data about how you use our website, products and services; and
- Marketing and Communications Data – data on your preferences about receiving marketing from us and our third-party vendors and your communications preferences.
Also, we collect, use, and share aggregate data such as statistical or demographic data for any purpose. Aggregate Data may be derived from your Personal Data, but it does not fall under the scope of application of the Data Protection Laws. We may aggregate your Usage Data to calculate the percentage of users who access a particular feature of the Site. However, if we combine or link aggregate data with your personal data so that it can directly or indirectly identify you, we will treat the combined data as personal data used in accordance with this Privacy Policy.
However, we do not collect special categories of personal data about you, including information about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political views, trade union membership, information about your health, and genetic and biometric data. We also do not collect information about criminal convictions and offenses.
How do we collect your data
To collect data from and about you, we use a variety of methods, including but not limited to:
Direct Interactions – You may provide us with your identity and contact information by filling out forms, electronically or otherwise, or by corresponding with us in person or by mail, telephone, email or otherwise. This includes personally identifiable data you provide when, for example, you
- create an account on our website;
- fill out a “contact us” or “request more information” form on our website;
- subscribe to our services or publications;
- request to receive marketing materials;
- enter a competition, promotion or survey; or
- provide us with feedback.
Automated technologies or interactions – When you interact with our website, we may automatically collect technical data about your devices, browsing activities and patterns. We collect this personal information using cookies, server logs, and other similar technologies.
Third parties or publicly available sources – We may receive personal data about you from various third parties and public sources as set out below:
- Technical Data from the following parties:
- (a) analytics providers, such as Google, which may be based outside the EU and the UK;
- (b) marketing tools, such as Hubspot, which may be based outside the EU and the UK; and
- (c) search information providers such as Wistia, which may be based outside the EU and the UK.
- Contact, Financial and Transaction Data from providers of technical, payment and delivery services.
- Identity and Contact Data from data brokers or aggregators; or
- Identity and Contact Data from publicly availably sources.
How we will use your data
We may process your personal data for the following legitimate business purposes and for the purposes of performing any contracts we may have with you:
- To register you as a new customer;
- To verify your eligibility and deliver prizes in connection with promotions, contests and sweepstakes;
- To enforce our terms and conditions;
- To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data);
- To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you;
- To use data analytics to improve our website, products/services, marketing, customer relationships and experiences;
- To make suggestions and recommendations to you about goods or services that may be of interest to you;
- To comply with applicable law; and
- To perform other functions as described to you at the time of collection; and
- To manage our relationship with you and provide you with effective customer support which will include:
- Notifying you about changes to our terms or Privacy Policy;
- Training and consulting; and
- New feature announcements.
We will only process your personal data for the purposes we collected it for or for compatible purposes. If we need to process your personal data for an incompatible purpose, we will provide notice to you and, if required by law, seek your consent. We will only process your personal data without your knowledge or consent where required by applicable law or regulation.
We may have to share your personal data with the parties set out below for the purposes set out above:
Internal/External Third Parties such as:
- Vendors and service providers acting as processors who provide IT and system administration services;
- Professional advisers and other agents and representatives acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services;
- Regulators and other authorities acting as processors or joint controllers based in the EU and the UK who require reporting of processing activities in certain circumstances;
- With other partners, including but not limited to, automotive dealerships, automotive manufacturers, repair facilities, parts suppliers, and insurance companies to facilitate transactions; or third parties that conduct customer satisfaction surveys on behalf of TGB. third parties are used to ensure anonymity of survey respondents.
We may also disclose your personal data for the following additional purposes, where permitted or required by applicable law:
- To other members of our group of companies (including outside of your home jurisdiction) for the purposes set out in this Privacy Policy;
- As part of our regular reporting activities to other members of our group of companies;
- To comply with legal obligations or valid legal processes such as search warrants, subpoenas, or court orders. When we disclose your personal data to comply with a legal obligation or legal process, we will take reasonable steps to ensure that we only disclose the minimum personal data necessary for the specific purpose and circumstances;
- To protect the rights and property of TGB;
- During emergency situations;
- Where the personal data is publicly available;
- If a business transfer or change in ownership occurs and the disclosure is necessary to complete the transaction. In these circumstances, we will limit data sharing to what is absolutely necessary, and we will anonymize the data where possible; and
- For additional purposes with your consent where such consent is required by law.
International Transfers
Where permitted by applicable law, we may transfer the personal data we collect about you to other jurisdictions that may not be deemed to provide the same level of data protection as your home country, as necessary to perform a contract with you and for the purposes set out in this Privacy Policy.
Whenever we transfer your personal data out of the EU and the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the by applicable law or regulation;
- We may use specific contracts approved by the applicable law or regulation which give personal data the same protection it has in Europe;
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US; or
- Where we transfer your personal data between Toyota Group of entities, we have implemented adequate safeguards in the form of an Intra Group International Transfer Agreement, including the Standard Contractual Clauses for processors approved by European Commission Decision C (2010)593, among all the Toyota Group of companies to secure the transfer of your personal data to the US and other jurisdictions.
Please contact us at privacy@oeconnection.com if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA and the UK.
How do we store your data
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We further require all our third-party service providers to implement appropriate security measures to protect your personal data consistent with our policies and any data security obligations applicable to us. We take all reasonable measures to ensure that our third-party service providers do not use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements or as necessary to resolve disputes.
Details of retention periods for different aspects of your personal data are available in our retention policy, which you can request from us by contacting us at privacy@oeconnection.com.
In some circumstances you can ask us to delete your data. Moreover, in some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Marketing
We do not generally rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us at Toyota@tradeparts.oeconnection.com. You will not be subject to decisions based on automated data processing without your prior consent.
We will get your express opt-in consent before we share your personal data with any company outside of OEC or of TGB for marketing purposes.
Opting Out
You can ask us or third parties to stop sending you marketing messages at any time by contacting us at Toyota@tradeparts.oeconnection.com.
Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.
What are your data protection rights
We would like to ensure that you are fully aware of all your data protection rights. You are entitled to:
The right to access – commonly known as a “data subject access request”. This allows you to obtain a copy of the personal data we hold about you and check that we are processing it lawfully.
The right to rectification – This allows you to have incomplete or inaccurate data we hold about you corrected, although we may need to verify the accuracy of new data you provide to us.
The right to erasure – This allows you to request that we erase your personal data if there is no good reason to continue processing it. However, please note that we may not always be able to comply with your request for erasure for certain legal reasons, which may be communicated to you at the time of your request.
The right to restrict processing – This allows you to ask us to suspend the processing of your personal data in the following circumstances: (a) if you want us to verify the accuracy of the data; (b) if our use of the data is unlawful but you do not want us to erase it; (c) if we need to keep the data even if we no longer need it because you need it to establish, exercise or defend legal claims; or (d) if you have objected to the use of your data but we need to verify that we have compelling legitimate reasons to use it.
The right to object to processing – You have the right to object to the processing of your personal data if we rely on a legitimate interest (or that of a third party) and there is something in your particular situation that leads you to object to the processing on that ground because you consider that it adversely affects your fundamental rights and freedoms. You also have the right to object when we process your personal data for direct marketing purposes. In some cases, we may be able to demonstrate that we have compelling legitimate grounds for processing your data that override your rights and freedoms.
The right to data portability – The right to data portability – This allows you to request that your personal data be transferred to you or to a third party. We will provide you or a third party of your choosing with your personal data in a structured, commonly used, and machine-readable format. Note that this right only applies to automated data that you have originally consented to the use of, or where we have used the data to perform a contract with you.
If you wish to exercise any of the rights set out above, please contact us at privacy@oeconnection.com.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated. Reasonable access to your personal information will normally be provided at no cost.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
If for some reason access is denied, we will provide an explanation as to why access has been denied.
Privacy policies of other websites
Our website or other materials may contain links to websites owned and operated by others. They may collect personal information about you. Our Privacy Policy applies only to our website in case you click on a link to another website, you must read their privacy policy.
Changes to our privacy policy
We reserve the right to update this Privacy Policy at any time. If we would like to use your previously collected personal data for different purposes than those, we notified you about at the time of collection, we will provide you with notice and, where required by law, seek your consent, before using your personal data for a new or unrelated purpose.
You can access and print out the current Privacy Policy at any time on our website at toyotatradeparts.co.uk.
How to contact us
In case you wish to raise a complaint or feel that we have not addressed your concern satisfactorily, please do not hesitate to contact us.
Email us at: privacy@oeconnection.com
Or write to us at:
UK
OEC International Limited
OEC, Construction House, Winchester Road
Burghclere
Newbury RG209EQ
England
OEConnection Limited
OEC, Construction House, Winchester Road
Burghclere
Newbury RG209EQ
England
OEC Europe Holdings Limited
OEC, Construction House, Winchester Road
Burghclere
Newbury RG209EQ
England
Poland
OEC Sp. z o.o
Wadowicka 3A, 30-347 Krakow
Poland
Germany
OEConnection GmbH
Joseph-Schumpeter-Allee 31
53227 Bonn
Germany
France
OEC S.A.R.L.
52 Boulevard de Sebestopol
75003 Paris
France
OEC’s Data Protection Representative:
Justyna Sorn
OEC Sp. zo.o
Wadowicka 3A, 30-347
Krakow
Poland
How to contact the appropriate authority
You have the right to file a complaint with the data protection authority in your jurisdiction should you wish to make a complaint or feel that we have not addressed your concerns satisfactorily, including for the UK, the Information Commissioner’s Office, and for the EU, the European Data Protection Board, EU member state data protection authorities and ultimately the European Commission.