Data, including personal data, is at the heart of everything we do and for that reason we take the protection of it very seriously. We comply with the Data Protection Act 2018 (‘DPA 2018’), the UK General Data Protection Regulation (‘UK GDPR’) and the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426).
When it comes to collecting, processing and storing personal data — be that for consumers, customers or our employees — we have policies which comply with the relevant privacy legislation.
We ensure personal information that we collect, store and process is used for the appropriate purposes. All personal information is used in accordance with our privacy notices.
We are registered as a data controller with the Information Commissioner’s Office.
We record all instances of data loss and have a rigorous incident management process in the unlikely event a breach occurs. This includes reporting notifiable breaches to the relevant regulatory authorities without undue delay and within stipulated deadlines. Where required we take remedial action as soon as possible.
Our privacy policies can be viewed in full below:
To ensure we are meeting our compliance obligations we have a dedicated team that is responsible for data privacy, data breach prevention and reporting, policy compliance, record keeping and data subject rights. We have an assurance framework in place to monitor compliance with data privacy laws and to ensure any breaches are dealt with in a robust manner. We hold GDPR Steering meetings bimonthly, attended by data owners from all business areas. The meeting is a central point of communication and coordination and provides guidance on the governance of our data strategy and ongoing compliance with relevant data security and privacy regulations.
All Auto Trader employees, including part-time employees, contractors and all Board members, are required to complete annual data privacy and security training and we have established processes to cover all aspects of the GDPR:
Data Protection Impact Assessments (‘DPIAs’). These are conducted to help identify and minimise any data protection risks for new or changed products or services; and
all processes are recorded and records of processing activity (‘ROPAs’) are reviewed quarterly by data owners. These include the lawful basis for processing and data retention periods;
our privacy notices are reviewed and updated regularly. We have separate notices for consumers, employees and retailers; and
we have processes in place to respond to Subject Access Requests (‘SAR’) and Erasure requests.
Where required, Auto Trader obtains consent from consumers to gather personal data to service their enquiries for products, services or vehicles advertised on the site. Explicit consent (gathered separately) is also obtained to contact consumers for marketing purposes.
Where we pass personal data to third-party service providers contracted to Auto Trader in the course of dealing with customers or employees, we carefully vet any third parties that we share data with, and they are obliged to keep it securely, and use it only to fulfil the service they provide on our behalf.
Attempts to breach our systems pose a significant and perpetual threat. Having an effective cyber security risk and governance framework helps to significantly reduce the impact of such events.
A trusted marketplace
As a leading online marketplace, we strive to provide a marketplace that is relevant, reliable and fair.
To ensure that high standards are embedded across the business and form part of our culture, we have compliance frameworks in place, consisting of policies, processes, guidance and training focused on a number of core compliance topics.