1. Introduction

In line with data protection requirements and good practice, Universal Honda Ltd. wish to put in place, and be able to demonstrate, appropriate and effective management of personal data throughout the organisation.

Universal Honda Limited wishes to demonstrate commitment and compliance with the current Data Protection Acts and the General Data Protection Regulation (GDPR), which comes into effect May 2018. Fundamental to the GDPR is the principle of accountability. Controllers and processors are both responsible and accountable for the protection of personal data, and must be able to demonstrate how they maintain compliance with data protection requirements.

The implementation of an approved Privacy Notice Policy goes towards demonstrating the Company’s commitment to the protection of personal data, and provides a basis for maintaining and improving compliance with data protection requirements and good practice.


1.1 Purpose of this Document

When a controller collects personal data, they are required to give the data subject certain information (Articles 13 and 14 of the GDPR), such as the controller’s identity, how the data subjects’ data will be used, etc. This is usually done through a privacy notice.

The purpose of this document is to clearly establish the requirements of privacy notices (also referred to as a privacy statements) which must be made available to data subjects prior to Universal Honda Ltd. collecting any personal data from them. It is designed to ensure fairness and transparency, providing details to the data subject of who is processing their personal data, how it is processed, and with whom it is shared, along with the data subject’s rights, in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

This policy will also help to ensure that Universal Honda Ltd. identifies where privacy notices are required, and provides these notices at all points of collection.

1.2 References

  1. General Data Protection Regulation (ref: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679)
  2. Data Protection Bill 2018 (ref: http://www.oireachtas.ie/documents/bills28/bills/2018/1018/b1018s.pdf)

1.3 Scope and Constraints

Privacy notices must be provided to the data subjects prior to collecting the personal data, regardless of the collection method. For example:

  • Website analytics
  • Online forms
  • CCTV
  • Recruitment

All privacy notices must be reviewed and updated in line with legal advice and guidance obtained from Universal Honda’s legal counsel. This is to ensure that all notices are in line with the current legal, regulatory, and business requirements.

1.4 Policy Review, Approval, and Continuous Improvement

In line with best practice, this policy has been approved by Senior Management, along with a commitment of continual improvement. This document will be reviewed at least annually by Senior Management and the Universal Honda Ltd. Data Protection Coordinator to ensure alignment with changing business and legal requirements.

1.5 Roles and Responsibilities

It is the responsibility of each department to identify how and where personal data is collected within their area, and to customise suitable privacy notices for data subjects which describe the reasons for processing, legal basis, and retention periods. Heads of Functions or Departments should refer to the Universal Honda Ltd. Personal Data Inventory to assist them in identifying the points of collection for personal data.

This document provides assistance and guidance in the generic areas of such notices, and minimum contents required, to ensure a consistent approach to privacy notices across the organisation.


2. Requirements of a Privacy Notice

2.1 Information that must be included in Privacy Notices

Data subjects must be informed, prior to the collection of data, of the following basic information:

RefDescriptionContext
1The identity of the organisation collecting the data
Generic i.e applicable across the organisation
2The purpose/s for processing the personal dataDepartment specific
3How the data will be usedDepartment specific
4Third parties (recipients), or categorises of recipients1, to whom the information will be disclosed
Department specific
5If the data is going to be transferred out of the EEA
Department specific


In addition, to comply with the General Data Protection Regulation (Reference 1), the following information must also be included in the privacy notices:

RefDescriptionContext
6The duration for retaining the information, or criteria for determining how long the data will be retainedDepartment Specific
7The legal basis for processing the personal data (documented in the Universal Honda Personal Data Inventory)Department Specific
8The individual rights that data subjects have with regard to their personal data i.e. right to access, right to withdraw consent, right to rectify, right to erasure, right to restriction of processing, right to be forgottenGeneric
9The contact details of the Universal Honda Data Protection Coordinator should the data subject wish to exercise their rights or make an enquiry (this does not necessarily have to be a named person, but should be easily contactable, and in a manner, that suggests that queries can be made in confidence i.e. a generic email address such as info@Honda.ie would not be acceptable)Generic
10Information about the individual’s rights to lodge a complaint with the supervisory authority if they are unhappy with any forms of this processing.Generic
11In instances where the personal data is not collected directly from the data subject, then the categories of personal data collected must also be included in the notice (this may be the case for personal data passed to Universal Honda by third parties)Department Specific


2.2 Privacy Notice Format

The General Data Protection Regulation (Reference 1), also requires that the information is provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This means that privacy notices must be:

  • Readily available to the data subjects so that they do not have to search for the required information
  • Written or worded in a manner that is easy to understand
  • Written or worded in a manner that allows a data subject to clearly determine the purposes of the processing without any ambiguity or obfuscation

Privacy notices must be in writing, or where appropriate, by other means such as in the form of pop-ups, ‘hover-over’ notices, videos, voice alerts, pre-recorded messages, public signage, etc.


3. User Testing

Where possible, consideration should be given to performing user testing of the developed privacy notices. User testing will allow for the gathering of feedback to ensure that privacy notices are transparent and effective. Each department should determine if this is required. For example, it may be decided that user testing of privacy notices should be carried out in all cases where Special Categories of data are collected and processed in order to facilitate Data Protection Impact Assessments.

The following information should be gathered:

  • How the data subject accessed and used the privacy notice
  • If they found the language used easy to understand
  • If there were any errors in the information provided
  • If any of the information was ambiguous or unclear
  • Any suggestions for other methods of delivering the privacy notice


4. Privacy Notice Examples

4.1 Telephone Notices

Where personal data is collected by phone, the privacy notice will be read to the data subjects prior to obtaining their personal data, or a pre-recording may be used. This may require customised scripts to be developed per department, depending on the specifics of the processing. An example wording of a recorded privacy notice may be:

“Any personal data provided is controlled by Universal Honda Ltd. [Ref 1.], and collected in order to [Ref 2: give specific purpose/s for the processing and Ref 7: legal basis for processing]. The information will be used to [Ref 3: list use/s it will be put to], and may be shared with [Ref 4: list recipients or third parties, or recipient categories]. The data collected will be retained for [Ref 6: list data retention period/s] in keeping with the legal basis for processing.

As the owner of the personal data, you have certain rights [Ref 8.], including a right to access, rectification, or erasure of your data, and should you wish to enact these rights you should contact our Data Protection Coordinator [Ref 9: list relevant contact details]. If you are not happy with this form of processing, you also have a right to lodge a complaint with the Irish Data Protection Commissioners office [Ref 10.].”

4.2 Website Notices

Where personal data is collected via a website, such as web-forms, the privacy notice should be made available on the website. A link to the privacy statement/notice should appear on each page of the website, and should use colours and text that make the link clearly visible. An example wording of a privacy statement can be:


Privacy Statement

Universal Honda Ltd.

302 Brownsbarn Drive, Citywest Business Campus, Dublin 24 D24 C678

Universal Honda Ltd. is committed to protecting the confidentiality and privacy of information entrusted to us. This Privacy Statement sets out what information we collect, how we collect it, what we do with it and how we protect this information.

Your personal data is processed in accordance with Irish and European data protection laws.

The information we collect

We obtain personal information about you if you choose to provide it when you register for certain services or purchase a vehicle. By registering and/or submitting personal information to Universal Honda Ltd. you are also agreeing to the use of this information in accordance with this Privacy Statement.

How information about you will be used?

Universal Honda Ltd. complies with its obligations under the Data Protection Act 2018 and the General Data Protection Regulation by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.

Personal information which you supply to us may be used for the following purposes:

  • For processing your order
  • to provide the services you requested
  • to maintain warranty records
  • to send you email marketing communications about other products and services we think may be of interest to you (only if you consent to it)

What is the legal basis for processing your information?

Sharing your information

We will not share your information with any third parties unless one of the following conditions applies:

as required by law, any applicable regulation to protect the rights, property, or safety of ourselves or others.

when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

if Universal Honda Ltd. is involved in a merger, acquisition, or sale of all or a portion of its assets, to any prospective seller or buyer of all (or part of) our business or assets. You will be notified via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information;

You have given your consent to pass your personal data to a third-party marketing companies who might contact you on Universal Honda’s behalf with information about products and services of Universal Honda Ltd. which may be of interest to you

International transfers

Information we collect will not be processed in or transferred to any country or territory outside of the European Economic Area. If we undertake international transfers in the future, you will be contacted before any such transfer takes place with the following information:

  • Details regarding the transfer to the third country
  • What safeguards are in place

Security

The security of your personal data is important to us. We restrict access to personal information to Universal Honda Ltd. employees, contractors and processors who have a requirement to process your personal information. 

What are your rights?

You have a right to know what categories of personal data we hold about you; the purpose of processing and any recipient or categories of recipient to whom your information has been disclosed. We will respond within one month of the receipt of your request.

You have the right to ask for a copy of any personal information which we hold about you, to correct any inaccuracies and to object to the processing of your personal data subject to certain criteria.

You have a right to have your information transferred where technically feasible. You can request that we no longer hold your personal information subject to certain criteria.

We reserve the right to charge a fee to cover our costs where we feel the access request is unfounded or excessive.

If you have any questions or concerns about how we process your data, you can contact us at dpc@honda.ie

You have a right to lodge a complaint with a supervisory authority specifically in the member state where you habitually reside or place of the alleged infringement if you consider we have infringed your data protection rights.

How long do we keep your personal data?

We keep your personal data for no longer than reasonably necessary for a period of [insert relevant period from UHL Data Retention Policy] in order to [insert sufficient reason for retaining personal data – (“just in case” it might come in useful one day, will not be a sufficient reason)].  Examples could be: - in case of any recall requirements/warranty claims/complaints; for safeguarding purposes etc.

Marketing

We may contact you with information about our products and services through email. All such communications will come from Universal Honda Ltd. or our selected marketing partners.

You have the right at any time to stop us from contacting you for marketing purposes or giving your information to third party marketing companies.  You will also be given the opportunity on every email communication that we or our trusted partners send you to indicate that you no longer wish to receive our or their direct marketing material.

Changes to this Privacy Statement

Our privacy statement will change from time to time and any changes will be updated on this page.


Contact

If you have any questions or comments about this privacy statement, you can contact us by email at the following email address: dpc@honda.ie


[1] The third party or recipient does not specifically have to be named on the privacy notice, but the type, or category, of recipient must be included. Examples of recipient categories may be: marketing agencies, banks, government authorities, tax offices, technical service providers, etc.