Back to Home

  1. Home
  2. Data Protection Policy

Data Protection Policy

1. Introduction
B&B Vehicle Contracts Ltd needs to gather and use certain information about individuals. This can include customers, suppliers, business contacts, employees, and other people the organisation has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled, and stored to meet the company’s data protection standards — and to comply with the law.

2. Why this policy exists
This data protection policy ensures B&B Vehicle Contracts Ltd:

  • complies with data protection law and follows good practice;
  • protects the rights of all individuals’ data;
  • is open about how it stores and processes individuals’ data in line with individuals’ rights;
  • protects itself from the risks of a data breach.

3. Data protection law
The General Data Protection Regulations describe how organisations — including B&B Vehicle Contracts Ltd — must collect, handle, and store personal information. These rules apply regardless of whether data is stored electronically or otherwise.

To comply with the law, personal information must be:
(a) processed lawfully, fairly, and in a transparent manner in relation to individuals;
(b) collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes;
(c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date;
(e) kept in a form permitting identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organisational measures.

4. Record Keeping
B&B Vehicle Contracts Ltd ensures that records of processing activities are kept and updated accordingly. Individuals’ data is kept on file for 6 years in line with the Financial Conduct Authorities record-keeping rules, after which personal data is anonymised and used for statistical purposes only.

Records include:

  • Name and details of the organisation.
  • Details of other data controllers, the organisation’s representative, and data protection officer, if appropriate.
  • Purposes of processing data.
  • Categories of individuals and categories of personal data.
  • Categories of recipients of personal data.
  • Details of transfers of data to third parties or abroad, including safety mechanisms.
  • Retention schedules.
  • Technical and organisational security measures.

5. Lawful Basis for Processing Data
Under GDPR, B&B Vehicle Contracts Ltd must document a valid lawful basis for processing data. The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever B&B Vehicle Contracts Ltd processes personal data:

(a) Consent: The individual has given clear consent for processing their data for a specific purpose.
(b) Contract: Processing is necessary for a contract with the individual or steps they request before entering a contract.
(c) Legal obligation: Processing is necessary to comply with the law (not including contractual obligations).
(d) Public task: Processing is necessary for a public interest task or function with a legal basis.
(e) Legitimate interests: Processing is necessary for legitimate interests unless overridden by the individual’s rights.

Special categories of data, such as race, ethnic origin, religion, biometrics, or health, require both a lawful basis for general processing and an additional condition for processing this type of data.

6. Responsibilities
B&B Vehicle Contracts Ltd acts as both a Data Controller and Data Processor. All staff are responsible for ensuring the highest data standards and best practices are met on a continual basis. Although a Data Protection Officer (DPO) has not been appointed, as B&B Vehicle Contracts Ltd does not fall within the scope, the Directors are accountable and responsible for compliance with GDPR.

7. Data Protection Impact Assessments (DPIA)
B&B Vehicle Contracts Ltd conducts DPIAs when considering new technologies. DPIAs include:

  • A description of processing operations and purposes.
  • An assessment of processing necessity and proportionality.
  • An assessment of risks to individuals.
  • Measures in place to address risks and demonstrate compliance.

8. Individuals’ Rights
Under GDPR, individuals have the following rights:
(a) The Right to be Informed.
(b) The Right of Access.
(c) The Right to Rectification.
(d) The Right to Erasure.
(e) The Right to Restrict Processing.
(f) The Right to Data Portability.
(g) The Right to Object.
(h) Rights in relation to automated decision-making and profiling.

B&B Vehicle Contracts Ltd provides every customer with a Privacy Notice explaining how data is processed and stored.

9. Subject Access Requests (SAR)
Individuals are entitled to:
(a) Confirmation that their data is being processed.
(b) Access to their personal data.
(c) Supplementary information corresponding to the Privacy Notice.

Requests are processed within 1 month (or 2 months for complex requests). A reasonable fee may apply for excessive or repetitive requests.

10. Complaints
Complaints about data processing can be raised through B&B Vehicle Contracts Ltd’s complaints procedure. Unresolved complaints can be referred to the Information Commissioner’s Office (ICO).

11. Data Security and Storage
Personal data must be securely stored, whether on paper or electronically:

  • Paper records should be kept in a locked drawer or filing cabinet when not in use and shredded when no longer needed.
  • Electronic data must be protected with strong passwords, encryption, and secure backups.
  • Data should not be transferred outside the EEA unless adequate safeguards are in place.

For inquiries, email info@bandbltd.co.uk or call 01246 557080 and ask for Tony Dent.