GDPR Compliance


GDPR Compliance Document for www.rhautos.co.uk


1. Introduction

This document outlines the General Data Protection Regulation (GDPR) compliance framework for RH Autos (www.rhautos.co.uk), a used car dealership operating in the United Kingdom. It covers how personal data is collected, processed, stored, and protected in accordance with the UK GDPR and the Data Protection Act 2018.


2. Data Controller Information

| Field | Details |
| --- | --- |
| Organisation Name | RH Autos |
| Website | www.rhautos.co.uk |
| Address | [ONLINE] |
| Data Protection Contact | |

3. Types of Personal Data Collected

RH Autos may collect and process the following categories of personal data:

Customer & Enquiry Data

  • Full name
  • Contact details (phone number, email address, postal address)
  • Vehicle preferences and purchase history
  • Payment and financing information
  • Driving licence details (for test drives)
  • Part-exchange vehicle details

Website Data

  • IP addresses
  • Browser type and device information
  • Pages visited and time spent on site
  • Cookie identifiers

CCTV & Premises Data

  • Footage from security cameras on premises

4. Lawful Bases for Processing

RH Autos relies on the following lawful bases under Article 6 of the UK GDPR:

| Lawful Basis | Examples of Use |
| --- | --- |
| Contract | Processing purchases, arranging finance, completing sales documentation |
| Legal Obligation | Retaining records for HMRC, complying with consumer protection laws |
| Legitimate Interests | Marketing to existing customers, fraud prevention, CCTV security |
| Consent | Sending promotional emails or SMS to prospective customers |

5. How Personal Data Is Used

Personal data is used to:

  • Respond to vehicle enquiries and arrange viewings/test drives
  • Complete vehicle sales, part-exchanges, and financing applications
  • Provide after-sales support and warranty services
  • Send marketing communications (where consent is given)
  • Comply with legal and regulatory requirements
  • Maintain site security through CCTV monitoring

6. Data Retention Periods

| Data Type | Retention Period |
| --- | --- |
| Sales and finance records | 6 years from transaction date |
| General enquiries (no sale) | 2 years from last contact |
| Marketing consent records | Until consent is withdrawn |
| CCTV footage | 30 days (unless required for investigation) |
| Website analytics | 26 months |

7. Data Sharing and Third Parties

RH Autos may share personal data with:

  • Finance providers – to process credit applications
  • DVLA – for vehicle registration and transfer
  • Insurance companies – for warranty or GAP insurance products
  • IT service providers – for website hosting and CRM systems
  • Marketing platforms – for email/SMS campaigns (where consent is given)
  • Legal and regulatory authorities – when required by law

All third parties are required to process data in compliance with GDPR, and appropriate contracts or data processing agreements are in place.


8. Data Subject Rights

Under UK GDPR, individuals have the right to:

  • Access – Request a copy of their personal data
  • Rectification – Correct inaccurate or incomplete data
  • Erasure – Request deletion of data ("right to be forgotten")
  • Restriction – Limit how their data is processed
  • Portability – Receive data in a portable format
  • Object – Object to processing, including direct marketing
  • Withdraw Consent – Withdraw consent at any time (where consent is the basis)

To exercise any of these rights, contact: webmaster@rhautos.co.uk. Requests will be responded to within one calendar month.


9. Data Security Measures

RH Autos implements appropriate technical and organisational measures to protect personal data, including:

  • Secure, password-protected systems with role-based access
  • Encryption of sensitive data in transit and at rest
  • Regular software updates and security patches
  • Staff training on data protection responsibilities
  • Secure disposal of physical documents containing personal data
  • Locked storage for paper records

10. Data Breach Procedures

In the event of a personal data breach:

  1. The breach is reported internally to the Data Protection Contact immediately
  2. An assessment is made of the risk to individuals' rights and freedoms
  3. If a high risk exists, the Information Commissioner's Office (ICO) is notified within 72 hours
  4. Affected individuals are informed without undue delay where required
  5. The breach is documented in an internal breach register

11. Cookies and Website Tracking

RH Autos uses cookies on its website. A Cookie Policy is displayed on first visit, allowing users to:

  • Accept all cookies
  • Reject non-essential cookies
  • Manage cookie preferences

Essential cookies (required for site functionality) do not require consent. Analytics and marketing cookies require explicit user consent.


12. Marketing Communications

Marketing emails and SMS are sent only with explicit consent, unless the individual is an existing customer and the communication relates to similar products or services (soft opt-in). Every marketing communication includes a clear unsubscribe option. Opt-out requests are processed within 48 hours.


13. International Transfers

RH Autos does not routinely transfer personal data outside the UK. If international transfers become necessary (e.g., cloud services with non-UK servers), appropriate safeguards such as Standard Contractual Clauses or UK Adequacy Regulations will be applied.


14. Staff Training and Accountability

  • All staff handling personal data receive GDPR awareness training upon induction and annually thereafter
  • Access to personal data is restricted based on job role
  • Staff are required to report suspected breaches or data protection concerns immediately

15. Document Review

This GDPR compliance document is reviewed annually or when significant changes occur to business operations, legislation, or ICO guidance.

| Version | Date | Reviewed By |
| --- | --- | --- |
| 1.0 | 20/05/2026 | |

16. Contact and Complaints

For any data protection queries or to exercise your rights, contact:

Data Protection Contact: webmaster
Email: [webmaster@rhautos.co.uk]
Phone: [+447807952836]
Address: [ONLINE]

If you are not satisfied with how your data is handled, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: Information Commissioner's Office