LUCKSPENNY LIMITED | PRIVACY NOTICE – WEBSITE AND APP
(Last updated on [DATE])
1.
INTRODUCTION
1.1
LucksPenny Limited ("LucksPenny", "we", "us", "our") respect your right to privacy. We also comply with our obligations, as a controller of personal data, under the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), Irish Data Protection Acts 1988 – 2018, the GDPR as implemented into United Kingdom ("UK") law by virtue of section 3 of the European Union (Withdrawal) Act 2018, the UK Data Protection Act 2018, and all other applicable data protection and privacy laws (together the "Data Protection Laws").
1.2
This Privacy Notice sets out the basis on which any personal data we collect from you, or that is provided to us, will be processed by us, during the provision of our website, and the 'LucksPenny' app, to you (our "Sites").
2.
PROCESSING YOUR PERSONAL DATA
2.2
For the purposes of this Privacy Notice, "Personal Data" means any information from which a natural person (eg you) may be identified.
2.2
In order to provide you with access to and/or use of our Sites, we process the following categories of Personal Data:
•
name;
•
date of birth;
•
contact details (eg email address, phone number, home address, country);
•
username and password, IP address, browser type, device type, operating systems, user accounts which you visit and/or user accounts connected to user accounts which you visit , and geographical location information ("Account Information");
•
information relevant to vehicle ownership (eg vehicle and/or part(s) owner's details, contact details, the purchase/sale price paid by the owner, vehicle registration marks and numbers (when matched to an individual) and logbook details) ("Vehicle Ownership Information"); and
•
enquiries submitted through our Sites, communications between you and other users (eg sellers), customer support communications, and the content of these ("Enquiry Information").
2.3
We also collect and process Personal Data when you access our Sites. For further details on this, please refer to our Cookies Policy (see [here ]).
2.4
Additionally, third parties might provide us with your Personal Data through their use of our Sites, for instance, a third party seller with which you have shared your Personal Data in order to purchase a vehicle and/or vehicle part(s). Where this occurs, these third parties are responsible for providing you with information in relation to how they process your Personal Data (to the extent they are not simply a consumer selling vehicles, and/or vehicle parts for their own personal purposes), and you should therefore consult their privacy notices for further information on this.
3.
HOW AND WHY WE PROCESS YOUR PERSONAL DATA
3.1
We rely on various legal bases to process your Personal Data. We have set out these legal bases, and the purposes for which your Personal Data will be processed, as follows:
3.1
our legitimate business interests – we process certain of your Personal Data on the basis that it is necessary to provide, maintain, personalise, and improve our Sites, marketing, and your experience of these. This ensures that we can fulfil our legitimate business interests in effectively managing our relationship with you, in operating and providing our Sites to you, in communicating with you in the manner you wish/have requested, and in improving, personalising and efficiently running, our Sites for you. While accessing our Sites, we may also suggest other user accounts to you so that may follow them and/or the content which is uploaded to any such accounts.
The Personal Data we process to do this is your: (i) name, (ii) date of birth, (iii) contact details, (iv) Account Information, and (v) Enquiry Information. In addition to collecting, recording, and using this Personal Data for the purposes outlined above, we will also store this Personal Data (see 'How long do we keep your Personal Data?' below).
3.1.1
our legal obligations – we process certain of your Personal Data to enable us to comply with our legal and regulatory obligations under applicable Irish tax legislation, the Revenue Commissioners' rules, and to detect, prevent, and assist with the prevention of crime. The Personal Data we process to do this is your: (i) name, (ii) date of birth, (iii) contact details, (iv) Account Information, (v) Vehicle Ownership Information, and (vi) Enquiry Information.
In addition to collecting, recording, and using this Personal Data for the purposes outlined above, we also store this Personal Data (see 'How long do we keep your Personal Data?' below).
3.1.2
your consent – in addition to processing your Personal Data in reliance on one, or both, of the legal bases outlined above, we also rely on your explicit consent in order to process, and store images obtained from our optional vehicle analysis and search feature which may be accessed and used through our Sites. Additionally, where we want to send you marketing communications, we will only do so with your explicit consent, using your contact details to provide such communications.
4.
WHO DO WE SHARE YOUR PERSONAL DATA WITH?
4.1
In order to provide you with access to, and use of, our Sites, we may share your Personal Data (as set out under 'Processing Your Personal Data' above) with:
•
our clients - to facilitate their use of our Sites
•
third party suppliers/service providers - to facilitate the ongoing management and administration of our Sites, to receive technical support, and to ensure our Sites are built on an appropriate infrastructure (such as Google Cloud );
•
legal advisors - to receive legal advice, and to interpret the laws and regulations which are relevant to our Sites;
•
government bodies and law enforcement agencies (eg Revenue Commissioners) - to comply with our legal and regulatory obligations and requirements (as needed); and
•
third party organisations - in connection with any sale, transfer, or disposal of our business.
5.
HOW LONG DO WE KEEP YOUR PERSONAL DATA?
5.1
We will keep your Personal Data for as long as it is necessary to fulfil the purposes for which it was collected (as described above) and in accordance with our legal and regulatory obligations. This may mean that some information is held for longer than other information.
5.2
To determine the appropriate retention period for Personal Data, we consider:
5.2.1
the amount, nature, and sensitivity of the Personal Data and why it was collected and processed. We will retain your Personal Data only for as long as is necessary to provide you with access to, and use of, our Sites, and/or to manage and administer our business. Once these periods come to an end, we will delete your Personal Data; and
5.2.2
applicable legal requirements - we may retain Personal Data where it is necessary for reasons related to a legal claim or complaint, such as where we are engaged in legal proceedings for which the retention of certain Personal Data is required.
6.
TRANSFERS OF PERSONAL DATA
6.1
We process Personal Data at our operating offices in Ireland and utilise an instance of a cloud service provider to operate our servers located in the United Kingdom ("UK"). We also rely on third party suppliers/service providers located in the European Economic Area ("EEA"), the UK, and Sri Lanka.
6.2
6.3
Further, we may, from time to time, need to transfer Personal Data from Ireland to Sri Lanka for the purposes of [the further development and/or enhancement of our Sites, and to receive technical support services in relation to our Sites ]. Where we do so, we rely on the European Commission's standard contractual clauses for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914) ("EU SCCs") (see the controller to processor clauses of the EU SCCs under Schedule 1 and Schedule 2 of this Privacy Notice).
7.
VEHICLE ANALYSIS AND SEARCH FEATURE
7.1
We offer an optional visual analysis and search feature on our Sites which enables users to upload an image of their vehicle to help identify similar listings on our Sites.
7.2
This feature is powered by artificial intelligence, in particular image recognition technology which analyses the characteristics of a vehicle in the image, such as the brand, model, colour, and shape of the vehicle (data which is not Personal Data), and matches it to similar advertisements on our Sites (which will contain the Personal Data of sellers on our Sites).
7.3
Any image uploaded is processed solely for the purpose of enabling this vehicle analysis and search feature to enhance, and improve, the user experience. There are instances in which we may collect the timestamp and GPS data of the images which are uploaded to our Sites (where this is embedded in the image).
7.4
While we do not intend to process any Personal Data through the images which are uploaded to the vehicle analysis and search feature, there may be instances in which an uploaded image inadvertently captures Personal Data (for instance, a person's image who may be in the background). Where this occurs, this Personal Data is processed incidentally, and in accordance with this Privacy Notice, you represent and warrant that, by uploading such an image, you have obtained consent from the person featured in the image to be so featured, and you have directed them to this Privacy Notice and our Cookies Policy (see [here ]). The images users capture through their devices for this feature will be temporarily saved to our servers so as to provide the user with an immediate and relevant search result. These images will however be manually adjusted to ensure that any and all natural persons are removed prior to saving it to our servers.
7.5
While the above-described vehicle analysis and search feature processes Personal Data (in order to provide you with a selection of third party sellers from which you may wish to purchase a vehicle and/or vehicle parts), any images featuring a person's image will only be processed by our vehicle analysis and search feature in order to identify which entity is the vehicle in the image, and exclude all other information.
7.6
Further, this vehicle analysis and search feature may exclude certain sellers on our Sites from being returned by a user's search, but only where their vehicle and/or vehicle parts, do not match the criteria which are being searched for by the individual user of our Sites. As such, it will be entirely at the discretion of the user of our Sites as to what criteria they include in their search(es) in order to produce the results which are relevant to them. Any results produced by any such search(es) will not have any binding legal effect either on the users of our Sites, or on the sellers who are advertising on them.
8.
YOUR RIGHTS
8.1
You have various rights under Data Protection Laws. These rights (subject to certain conditions) are:
8.1.1
the right of access - to your Personal Data (commonly known as a "data subject access request"). This enables you to request access to the Personal Data we hold about you;
8.1.2
the right to request correction - of the data we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
8.1.3
the right to request erasure - of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it;
8.1.4
the right to object to processing - of your Personal Data, where we are relying on a legitimate interest for processing your Personal Data, and there is something which makes you want to object to our processing in reliance on this legal basis. You also have the right to object where we are processing your Personal Data for marketing purposes;
8.1.5
the right to request the restriction - of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data, for example if you want us to establish its accuracy, or the reason for processing it;
8.1.6
the right to request the transfer - of your Personal Data to another party, and request the receipt of your Personal Data in a structured, commonly-used, machine-readable format (in certain circumstances); and
8.1.7
the right to withdraw consent - to any processing of your Personal Data for which you have given your consent previously. However, this will not affect the lawfulness of any processing of your Personal Data which was carried out prior to the withdrawal of your consent.
8.2
8.3
Further information and advice about your rights can be obtained from the Data Protection Commission at 6 Pembroke Row, Dublin 2, D02 X963, by telephone at 1800 437 737, and/or by email to [email protected].
9.
CHANGES TO THIS PRIVACY NOTICE
9.1
We may need to make changes to this Privacy Notice at any time. If we make any material changes to how we process your Personal Data, we will update this Privacy Notice and notify you of these changes by email. As such, we recommend that you regularly check this Privacy Notice and our Cookies Policy (see [here ]) from time to time for any changes, modifications and/or updates.
SCHEDULE 1
EU SCCs - Controller to Processor
This EU SCCs Schedule ("Schedule 1") is appended to and made a part of the Privacy Notice subject to the European Union requirement for reliance on an approved transfer mechanism in order to effectuate transfers of Personal Data to countries outside of the EEA which are not the subject of an adequacy decision by the European Commission (ie third countries).
This Schedule 1 is entered into by and between the Parties (as set out below) solely to establish the data protection duties and obligations under the EU SCCs. In no event will [the software development team which is ] located in Sri Lanka (the "Processor"), or a Processor Affiliate, sell any Controller Personal Data.
This Schedule 1 applies to the extent that: (i) any Personal Data which the Controller instructs the Processor to process in connection with the LucksPenny Terms of Use, this Privacy Notice, and/or the LucksPenny Cookies Policy [(see here, here and here) ] is required to be Processed in accordance with the EU SCCs, and (ii) any Personal Data is transferred from Controller to a Processor Affiliate located in a third country, such third country not having received an adequacy determination from the European Commission ("Non-Adequate Third Country"). Any capitalised terms used, but not defined, in this Schedule 1, will have the meanings ascribed to them in the LucksPenny Terms of Use, this Privacy Notice, and/or the LucksPenny Cookies Policy (as above).
The Parties hereby agree as follows:
1.
Incorporation of the EU SCCs. Incorporation of the EU SCCs. To the extent that the Controller transfers any Personal Data in connection with the in the LucksPenny Terms of Use, this Privacy Notice, and/or the LucksPenny Cookies Policy, to Processor, or a Processor Affiliate, in a Non-Adequate Third Country, the Parties agree that the EU SCCs are incorporated herein by reference.
2.
Selection of Modules. Notwithstanding the foregoing, the Parties agree that the following modules of the EU SCCs are incorporated into the Agreement:
a.
Module Two: Transfer controller to processor.
3.
Options in the SCCs. The following optional provisions of the EU SCCs are brought into effect for the purposes of this Schedule 1:
| Module | Clause 7 (Docking Clause) | Clause 11 (Redress) | Clause 9a (Specific Prior Authorisation or General Written Authorisation) | Clause 9a (Time Period) | Clause 17 | Clause 18 |
|---|---|---|---|---|---|---|
| 2 | Not applicable | Not applicable | Option 2 - General Written Authorisation | 10 days | Option 1 - The laws of the Member State of Ireland | The Member State of Ireland |
4.
Order of Precedence. Except as modified by this Schedule 1, the terms of the LucksPenny Terms of Use, this Privacy Notice, and/or the LucksPenny Cookies Policy, shall remain in full force and effect. In the event of any inconsistencies between this Schedule 1 and the remainder of the LucksPenny Terms of Use, this Privacy Notice, and/or the LucksPenny Cookies Policy, this Schedule 1 shall control with respect to transfers of Personal Data from Controller to Processor located in a Non-Adequate Third Country.
EU SCCs - Schedule 1A
For Controller: David Mulrine
Signature
David Mulrine
Printed Name
Address
Position
Contact person's contact details
Date
Role:
Controller
Processor
Data Exporter:
LucksPenny Limited
Data Protection Officer:
N/A
Activities relevant to the data transferred under these Clauses
Processing of Personal Data in connection with the operation of the Sites (as defined under the Terms of Use (see [here ])).
For Processor:................................................................................
Signature
Printed Name
Address
Position
Contact person's contact details
Date
Role:
Controller
Processor
Data Importer:
[ ]
Data Protection Officer
[TBC ]
Activities relevant to the data transferred under these Clauses:
Processing of Personal Data in connection with the operation of the Sites (as defined under the Terms of Use (see [here ])).
EU SCCs – Schedule 1.B
DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
| Categories of data subjects whose personal data is transferred: | ☒ Customers and clients ☐ Controller's employees and partners ☒ Controller's clients, employees, and other Data Subjects where relevant and/or required in the provision and operation of the Sites |
| Categories of personal data transferred: | ☒ Advertising/Marketing Data ☒ Contact Data (including Names, Address, Email, Phone, etc.) ☐ Demographic Data ☐ Device Data ☒ User Data ☒ Coarse Location (Zip Code or Higher) ☒ Online or Other Account Data ☐ Professional, School, or Work Data ☐ Public Data (from governmental public records) ☒ User Input Data (information inputted or uploaded by users) ☐ Other Data (Describe): [TBC] |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a records of access to the data, restrictions for onward transfers or additional security measures: | Is sensitive data transferred? ☐ Yes ☐ No If yes, please complete -- what type of sensitive information? ☐ Biometric data ☐ Non-public Criminal History ☐ Financial Data ☐ Governmental Identifiers ☐ Health and Medical Data ☐ Data about Children ☐ Precise Geo-Location ☐ Political, Religious, Union Beliefs ☐ Race / Ethnic Origin In relation to safeguards implemented to protect such sensitive data please see Schedule 2 |
| The frequency of the transfer (eg whether the data is transferred on a one-off or continuous basis): | ☐ One-off ☒ Continuous |
| Nature of the Processing: | Processing shall be carried out in connection with and for the purpose of the provision and operation of the Sites (as defined under the Terms of Use). |
| Purpose(s) of the data transfer and further processing: | • To provide users of the Sites with access to them • To further develop and/or fix the Sites to ensure that they continue to operate as required by the Controller (as needed) • As further instructed by the Controller ☐ Other (describe) |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | Please refer to the 'How Long Do We Keep Your Personal Data?' section of the above Privacy Notice. |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above. | Same as above. |
EU SCCs - Schedule 1.C
MODULE TWO: Transfer controller to processor
The competent supervisory authority for the purposes of these EU SCCs will be the Irish Data Protection Commission.
SCHEDULE 2
TECHNICAL AND ORGANISATION MEASURES
[TO BE COMPLETED ]
