1. INTRODUCTION
This Consumer Privacy Notice “Notice” explains how your Personal Data is collected, used and disclosed by GSF Car Parts Limited and its subsidiaries (hereinafter referred to collectively as, “GSF” or “we”, “our”, “us”).
2. USEFUL INFORMATION
We have included some information here that may be helpful to you as you read through the Notice.
Our GSF Privacy and Data Protection Officer ensures that we are clear and fair about how we use your personal data and comply with any law that may affect your privacy. You can contact the Privacy Officer through email at: [email protected] or by mail at 15th Floor 6 Bevis Marks, Bury Court, London, EC3A 7BA.
Key Definitions
Capitalised terms not otherwise defined in this Notice have the following meanings:
Personal Data means any information relating to an identified or identifiable living individual.
Sensitive Personal Data means any information relating to an individual’s racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, criminal records/history or processing of genetic data or biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
Processing means the use of personal data including collection, recording, , structuring, amending, analysis, , disclosure, dissemination, aligning, copying, transfer, storage, deletion, hosting, combination, destruction, disposal, or other use or handling of personal data.
Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Third Party means any natural person or legal entity, public authority, agency or any other body other than Data Subject, Data Controller, any vendor, supplier or service provider who solely or jointly process personal data on behalf of the Data Controller and acts on the Data Controller’s instructions.
Data Subject means the identified or identifiable living individual to whom the Personal Data relates
3. CONSUMER PRIVACY NOTICE
We are committed to protecting the privacy and security of all personal data, and to being transparent about how and why we collect and process your data. We update this Notice from time to time and encourage you to revisit to stay informed of how we are using personal data.
In this Notice we cover:
3.1 The personal data we collect
3.2 How we collect your personal data
3.3 How we use your personal data
3.4 Who has access to your personal data
3.5 How we safeguard your personal data
3.6 Cross border transfers of your personal data
3.7 How long we retain your personal data
3.8 Your rights as a consumer
3.9 Challenging compliance and exercising your rights
3.10 Country specific information
3.11 Challenging compliance and exercising your rights
3.12 CCTV
3.13 Cookies
3.1 The personal data we collect
Personal data marked with an asterisk (*) may be considered a special category or sensitive data.
We collect and processes a range of data about you. This may include:
Basic personal data like your name and if you are a business client your employer and job title.
Contact data like your telephone number and shipping, billing or email address. It may also include any records related to your contact with us, such as the phone number or email address you contacted us from.
Transaction data related to activities you carry out at our physical locations, online services or in the course of carrying out other services we provide to you.
Digital data like your Internet Protocol (IP) address, preferences, operating system and browser type, behavioural and browsing data.
Website usage and other technical data, like details of your visits to our websites, marketing communications and whether you open them or click on links, or data collected through cookies and other tracking technologies.
Our insights like information about products or services we think you may be interested in based on our analytics and customer profiling.
Special Category Data
Financial data* like payment related data, bank account details or data required to perform a credit check if you have payment terms with us.
Biometric data* like a recording of your image that may be captured on CCTV if you visit one of our stores or your voice if we record a call when you contact us.
Any other personal data relating to you that you may provide in the course of your business interactions with us.
We are committed to collecting only the personal data that is strictly necessary for the purposes outlined in this Notice. We ensure that all data collection is relevant, adequate, and limited to what is needed in relation to the specific purposes for which it is processed. This means we will not ask for, collect, or store any personal data beyond what is required to:
Fulfil your orders,
Provide customer support,
Improve our services,
Meet our legal obligations.
We periodically review the data we collect to ensure that we are not holding unnecessary information and take steps to safely delete or anonymize any data that is no longer needed for the original purpose of collection.
3.2 How we collect your personal data
We may collect or receive your personal data in a number of ways:
From you directly during the account sign up or application process, or when you interact with us.
From you indirectly when you use our products and services and interact with our website and other online platforms.
From other people like your employer, business associates or beneficiaries of our products and services if you are conducting a business to business interaction with us.
From monitoring devices like CCTV, telephone logs and recordings. We will do our best to make it clear to you that your data is being collected at that time.
From publicly available sources, like company websites or other public platforms like LinkedIn where you have made your data available.
From sources outside our business, which may include other business entities within our group of companies or other strategic business partners
3.3 How we use your personal data
We will only use your personal data where we are permitted to do so by applicable law.
If you live or do business in the United Kingdom (UK) or European Economic Area (EEA), the use of personal data must be justified under one of a number of legal bases. The principal legal bases that justify our use of your personal data are:
Contract performance: Where your data is necessary to enter into or perform our contract with you
Legal obligation: Where we need to use your data to comply with our legal obligations
Legitimate interests: Where we use your data to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights
Legal claims: Where your data is necessary for us to defend, prosecute or make a claim against you, us or a third party
Consent: Where you have consented to our use of your data
Regardless of where you live or do business, we may use your data for the following purposes:
To communicate with you
- To contact you for your views on our products and services
- To notify you about important changes or development to our business, products or services
- Where available, to communicate with you in your preferred language
UK/EEA Legal bases: Contract performance, legitimate interests
To provide our products and services to you and otherwise conduct our business
- To process your order and manage your account
- To provide you with personalized online experience and tailored communications
- For record keeping purposes
UK/EEA Legal bases: Contract performance, legal claims, legitimate interests
To ensure we are paid
- To process credit card, e-transfer, cheque or other types of direct payments made to us
- To assess the risk of extending you credit through a payment plan
- If you fail to pay us per our contractual terms, to recover what we are owed through debt collection agencies or taking other legal action
- To issue payments or credit to you as required
UK/EEA Legal bases: Contract performance, legal claims, legitimate interests
For marketing and loyalty programs
- To allow you to participate in our reward programs or loyalty schemes
- To allow us to manage our warranty program
- To keep you informed about the products and services that we offer
UK/EEA Legal bases: Contract performance, legitimate interests; consent
We will provide you with the option to unsubscribe from or opt-out of further marketing communication on any electronic communication sent to you.
For research and development
- To understand how you interact with our stores, shops or website so that we can make improvements and service you better
- To understand what you and people or businesses like you require so that we can meet your needs as a consumer
UK/EEA Legal bases: Legitimate interests
We will provide you with the option to unsubscribe from or opt-out of further use of your data for research purposes, or will anonymise your data so that you are unidentifiable.
To address claims, issues or concerns
- To investigate concerns or complaints about or from our employees or customers
- To respond to and defend against legal claims
UK/EEA Legal bases: Legitimate interests, legal obligations, legal claims
For safety and security
- We may use CCTV and other location and recording devices for safety purposes
- We conduct monitoring to protect our customers, employees, authorised visitors, and property
- We may use server log data for security purposes, like detecting intrusions into our network
UK/EEA Legal bases: Legitimate interests, legal obligations, legal claims
To comply with legal or regulatory obligations
- To comply with lawful requests by public authorities, disclosure requests, or where otherwise required or authorized by applicable laws, court orders, government regulations, or
regulatory authorities whether within or outside your country
UK/EEA Legal bases: Legal obligations; legal claims; legitimate interests
To make changes to our business
- At any time, we may sell, transfer or assign any or all of our rights to any part of our business, including our interests, rights or obligations regarding your account with us. If we do so, we may share your personal data with prospective purchasers, transferees or assignees.
UK/EEA Legal bases: Legitimate interests.
There may be unique circumstances where we must process your personal data in the vital interest of you or another person, or in the public interest. Where we process special categories of data, we will ensure that we do so only for the allowed legal bases.
3.5 Who has access to your personal data
Personal data will be stored in a range of different places, like your account file and other IT systems. Access to files and systems is limited to our employees and the employees of service providers who have a need to access them to perform their role.
Internal access
We take the security of your personal data seriously. We have appropriate policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed by our employees except as required for their job.
Our group of companies may share your personal data internally to any legal entity within our group of companies
Sales and Marketing team members who may require access to your personal data to perform general sales, marketing and account management functions
Front Line Workers who may interact with you in person if you visit one of our stores or call our customer service numbers
Information Technology team members who may require access to your personal data to perform general information technology functions, such as to provide IT support to you, administration of IT systems and monitoring, analytics, to support the investigation of consumer or employee concerns, or for other purposes as described in this Notice.
Others, like employees supporting the finance, audit, legal, or other functions, if access to the data is necessary for the performance of their job
Service providers
Where we engage service providers to process personal data on our behalf, we only use service providers who limit their processing to the purpose described in the agreement and implement appropriate technical and organizational measures to meet the privacy requirements of the jurisdiction in which they are providing the service, and our requirements.
IT platforms who own or manage the platforms that we use, like for customer management and sales management
IT services who may perform data analytics and infrastructure provisioning
Website service providers who perform web hosting, web analytics and integration and other website activities necessary for the purposes described in this Notice
Order fulfillment service providers from who we ship products you have purchased direct to you, or the couriers used to make the delivery or otherwise fulfill our obligations set out in our agreement with you
Customer Service providers may be used to support our web chat (where available), issue ticketing or other customer support as required to meet the needs of our customers
Marketing providers may manage marketing emails, opt-outs or other marketing related activities
Payment networks who manage our secure payment platform and credit card processing
Third parties
We may share your personal data with our affiliates and partner networks to enable them to serve you better. We may also share your data with a third party in the context of a sale of some or all our business. In those circumstances the data will be subject to confidentiality arrangements.
If you are a business, we may share your contact data like company phone and address (but not your email) with the third parties with which we have a relationship, so they may offer you the services they already provide to us, like uniforms or stationary. We do not sell your data.
You can opt-out of this disclosure of your personal data by contacting us as described in Section 10 – Challenging Compliance and Exercising Your Rights, but it may mean that we can’t provide you with the service you are requesting.
3.6 How we safeguard your personal data
We have technical and organisational measures in place, including but not limited to policies, physical, and technical safeguards, all designed to protect the personal data collected from accidental or unlawful destruction, loss, alteration, unauthorized disclosure and access.
You can also help us to protect your personal data. If you receive an email that looks like it is from us asking for your personal data, do not respond. We will never request your password, username, credit card data through email. You should never share your login credentials or password with anyone. Even though we have put mechanisms and procedures in place for the protection of your personal data that are considered effective, because there are bad actors out there, no data transmission (including over the internet or on any website) can be guaranteed to be secure.
3.7 Cross-border transfers of your personal data
Where your personal data is being transferred to countries outside the UK either by us or by third party service providers acting on our behalf, we will ensure that those transfers are adequately protected, by putting in place the necessary organisational and technical measures, and guarantee the lawful processing of your personal information in accordance with the relevant law.
If you are based in the UK or EEA, your data may be transferred to countries outside the UK or EEA, only if we are confident that the same data protection safeguards that we deploy will be deployed, for example we may take contractual or other measures to ensure that your personal data is protected in accordance with applicable data protection laws.
3.8 How long we retain your personal data
Unless a longer retention period is required by law, we will keep your personal data for only as long as we need to in order to fulfil the purposes outlined in this Notice. Generally, this means we will keep your personal data so we can respond to your requests when you interact with us in any way, to provide you with products and services or to send you updates on our products and services for as long as you want us to. We are required to keep some records for a longer period of time to meet our legal obligations. When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymise it in accordance with our retention processes wherever possible. We will only use anonymisation where we have a reasonable need to retain the data
3.9 Your rights as a consumer
We have summarised your rights in this section. You may have the right to require us to:
- Provide you with further details on how we use your data
- Provide you with a copy of data that we hold about you
- Transfer certain pieces of your data to another company in a common machine readable electronic format
- Correct any inaccuracies or incompleteness in the personal data we hold
- Delete any personal data that we no longer have a requirement to use
- Restrict or object to how we use your data
- not subject you to decisions based solely on automated processing, including profiling, which significantly affects you
- withdraw the consent for processing of your personal data
- lodge a complaint with the Information Commissioner’s Office (ICO), which is the UK supervisory authority. You can contact the ICO at https://ico.org.uk/ or call them at +44 (0)303 123 1113
3.10 Security
We take all appropriate technical and organisational measures to ensure that your personal information is protected, in compliance with our legal obligations. We protect your information using measures that reduce the risks of loss, misuse, unauthorised access, disclosure and alteration.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
3.11 Challenging compliance and exercising your rights
You can make a request to exercise your privacy rights, ask any questions about this Notice or challenge our compliance with applicable privacy laws by contacting the GSF Privacy and Data Protection Officer at [email protected] or in writing to: Attn: GSF Privacy and Data Protection Officer – 15th Floor 6 Bevis Marks, Bury Court, London, EC3A 7BA.
You have the right to contact the UK regulatory authority, but we would like to have the opportunity to address your concern before you do.
If you need more information on your rights as a data subject, or if you want to lodge a complaint to the Information Commissioner’s Office, please visit https://ico.org.uk/.
3.12 CCTV
When visiting our stores or distribution centres we capture your images through the use of CCTV.
The reasons we record CCTV are for:
security
health & safety
crime prevention and detection.
You may request information concerning what personal data we process on you and request a copy of that personal data (see paragraph 3.9).
We retain your personal data for as long as required to meet our legal and regulatory obligations. Where retention is based on other reasons, we will retain it for no more than 30 days, in line with our data retention policy.
3.13 Cookie Policy
When you log onto or browse one of our websites, we may collect data about your general internet usage by using a cookie file. Cookies help us to improve our website and to deliver a better and more personalized experience to you. This data is used to analyse trends, to administer the website you are visiting, to track movement around the website and to gather general demographic data about our visitor base. You can find more information on the cookies page.
4. CHANGES WE MAKE
We may update this Notice periodically and will revise the date at the bottom of this Notice to reflect the date when such update occurred. If we make any material changes in the way we collect, use, and/or share the personal information that you have provided, we will endeavour to provide you with notice before such changes take effect.
Effective Date: December 2024