Data protection

Data privacy

We ensure personal information that we collect, store and process is used for the appropriate purposes. All personal information is used in accordance with our privacy notices.

We act as data processor for our customers and a data controller for the personal data of our people.

We record all instances of data loss and have a rigorous incident management process in the unlikely event a breach occurs. This includes reporting notifiable breaches to the relevant regulatory authorities without undue delay and within stipulated deadlines. Where required we take remedial action as soon as possible.

Our privacy policies can be viewed in full below:

plc.autotrader.co.uk privacy policy

Autotrader.co.uk privacy policy

To ensure we are meeting our compliance obligations we have a dedicated team that is responsible for data privacy, data breach prevention and reporting, policy compliance, record keeping and data subject rights. We have an assurance framework in place to monitor compliance with data privacy laws and to ensure any breaches are dealt with in a robust manner. We hold GDPR Steering meetings bimonthly, attended by data owners from all business areas. The meeting is a central point of communication and coordination and provides guidance on the governance of our data strategy and ongoing compliance with relevant data security and privacy regulations.

All Auto Trader employees, including part-time employees, contractors and all Board members, are required to complete annual data privacy and security training and we have established processes to cover all aspects of the GDPR: Data Protection Impact Assessments (‘DPIAs’). These are conducted to help identify and minimise any data protection risks for new or changed products or services; and all processes are recorded and records of processing activity (‘ROPAs’) are reviewed quarterly by data owners. These include the lawful basis for processing and data retention periods; our privacy notices are reviewed and updated regularly. We have separate notices for consumers, employees and retailers; and we have processes in place to respond to Subject Access Requests (‘SAR’) and Erasure requests. Where required, Auto Trader obtains consent from consumers to gather personal data to service their enquiries for products, services or vehicles advertised on the site. Explicit consent (gathered separately) is also obtained to contact consumers for marketing purposes. Where we pass personal data to third-party service providers contracted to Auto Trader in the course of dealing with customers or employees, we carefully vet any third parties that we share data with, and they are obliged to keep it securely, and use it only to fulfil the service they provide on our behalf.

Also in this section

Cyber security

We are committed to the security of our services and protecting our customers from cybercrime and fraud. Attempts to breach our systems to access our data and the threat of an unauthorised malicious attack on our systems pose a significant and perpetual threat.

A trusted platform

As a leading online platform, we strive to provide a platform that is relevant, reliable and fair.

Compliance

To ensure that high standards are embedded across the business and form part of our culture, we have compliance frameworks in place, consisting of policies, processes, guidance and training focused on a number of core compliance topics.