Alexander Dennis Limited (‘Alexander Dennis’, ‘we’, ‘our’ or ‘us’) collect, use and are responsible for certain personal data about you. This means that we are a “controller” under data protection legislation, and we are subject to the UK General Data Protection Regulation (UK GDPR). We are also subject to the EU General Data Protection Regulation (EU GDPR) in relation to goods and services we offer to individuals and our wider operations in the European Economic Area (EEA).
This privacy notice contains important information on how and why we collect, store, use and share your personal data in connection with our business operations and your use of our website (https://www.alexander-dennis.com/). Please refer to the document ‘How and why we use your personal data’ linked below, which forms part of this privacy notice and explains the most common situations in which we would be processing your personal data, and the reason (legal basis) for doing so.
The Data Protection Officer (DPO) is responsible for data protection compliance within Alexander Dennis. If you have any questions or comments about the content of this privacy notice or if you need further information regarding data protection and personal data, you should contact the DPO on DataProtectionOfficer@alexander-dennis.com.
Key data protection terms
|Personal data||Data relating to a data subject (sometimes known as personal information).|
|Data subject||The individual to whom the personal data relates and who can be identified (directly or indirectly) from that data.|
What Personal Data do we collect?
The personal data we collect about you depends on the particular goods and services we provide, and the particular activities carried out through our website. The types of personal data we collect may include:
- Identity: name, title, job title, date of birth, username or similar identifier, signature;
- Contact: billing and delivery address, email address and telephone numbers;
- Financial: bank and payment card details, credit checks where applicable;
- Transaction: details about payments, details about products and services purchased by you;
- Technical: IP and MAC address, login data, browser information, time zone setting and location;
- Profile: username and password, feedback, and survey responses;
- Usage: details about how you use our website, products, and services; and
- Marketing: your preferences for marketing and other communications.
We may also collect and use statistical or demographic data about you, but this data does not reveal your identity. If such statistical or demographic data about could be used to identify you, we treat that combined data as personal data which will be used in accordance with this privacy notice.
If you choose not to supply certain information to us, we may not be able to provide our services, communicate with you, or comply with our legal obligations. You may also not be able to access our marketing promotions or websites.
How do we collect your Personal Data?
We may receive information about you, which may include personal data, when we provide you with goods or services, or when you visit our website. Most of this personal data will be collected directly from you – for example when you contact us to make enquiries or place orders via phone, email, or online.
In addition, we may collect information:
- when you engage with us through forums such as open days, trade shows, conferences, events, meetings, entering competitions and our social media platforms;
- from publicly accessible sources, e.g., your own website or social media pages, or from Companies House;
- directly from a third party, e.g., credit reference agencies or customer due diligence providers;
- via our IT systems, e.g., CCTV, door entry systems, and reception logs; or through monitoring of our websites and other systems.
Using Your Personal Data
Under data protection law, we can only use your personal data if we have a proper reason, e.g.:
- where you have given consent;
- to comply with our legal and regulatory obligations;
- for the performance of a contract with you; or
- for our legitimate interests or those of a third party.
A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own
Marketing and Press releases
We may use your personal data to send you direct marketing material and press releases (by email, text message, telephone, or post) relating to our products and services, as well as other events and activities we think may be of interest to you.
You can withdraw your consent for this at any time. This can be done by contacting us on firstname.lastname@example.org, or see ‘How to contact us’ below.
Special category personal data
Certain personal data we collect is treated as a special category to which additional protections apply under data protection law. This includes personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic data, biometric data (where used for identification purposes), and data concerning health, sex life or sexual orientation. We do not routinely collect special category data. However, where we do process special category personal data, we will also ensure we are permitted to do so under data protection laws.
Who do we share your information with?
We routinely share personal data with:
- companies within the Alexander Dennis’ group;
- third parties we use to help deliver our products and/or services to you and to help us run our business;
- third parties approved by you;
- credit reference agencies;
- our insurers and brokers;
- our bank;
We or the third parties mentioned above occasionally also share personal data with:
- our and their external auditors;
- our and their professional advisors;
- law enforcement agencies, courts, tribunals, and regulatory bodies to comply with our legal and regulatory obligations;
- other parties that have or may acquire control or ownership of our business (and our or their professional advisers).
Personal data will be anonymised where possible. Anyone we share your data with may only use it in accordance with this privacy notice and is required to take appropriate security and organisational measures to protect your personal data. We also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and to you. If you need further information on these measures, please contact us. We do not sell your data to any third-party organisations.
In some circumstances, we may need to send your data outside the UK, or the EEA see below: ‘Transferring your personal data out of the UK and EEA’.
Transferring your Personal Data out of the UK and EEA
The EEA and the UK, as well as other countries outside the EEA and the UK, have differing data protection laws, some of which may provide lower levels of protection of privacy.
We may transfer your personal data:
- to the EEA,
- to the UK, and
- from the EEA or the UK to countries outside the UK and EEA.
Alexander Dennis is part of NFI Group who are based in Canada meaning we may transfer your personal data from the UK and EEA to Canada.
Under data protection laws, we can only transfer your personal data to a country outside the UK or the EEA where there is an ‘adequacy regulation’ (under the UK GDPR) or ‘adequacy decision’ (under the EU GDPR) in place for that country, meaning that particular country ensures an adequate level of protection of personal data. We rely on adequacy regulations for transfers to Canada and New Zealand.
Where we cannot rely on an adequacy regulation or adequacy decision, we may choose to transfer personal data outside the UK or outside the EEA on the basis of standard data protection clauses recognised or issued under the GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time, we will not transfer your personal data outside the UK or outside the EEA unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this privacy notice.
Any changes to the destinations to which we send personal data or in the transfer mechanisms we rely on to transfer personal data internationally will be notified to you in accordance with the section on ‘Changes to this privacy notice’ below.
If you would like further information about data transferred outside the UK/EEA, please contact us or our Data Protection Officer(see ‘How to contact us’ below).
Storing your Personal Data
Where your personal data is held
Personal data may be held at our offices and those of our group companies, third party agencies, service providers, representatives and agents as described above (see above: ‘Who we share your personal data with’).
Some of these third parties may be based outside the UK/EEA. For more information, including on how we safeguard your personal data when this happens, see below: ‘Transferring your personal data out of the UK and EEA’.
How long your personal data will be kept
We only retain your data as long as is necessary for the purpose for which we collected it. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal data (so that you are no longer personally identifiable from it) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Keeping your personal data secure
We have appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. These rights are:
- Access. The right to be provided with a copy of your personal data.
- Rectification. The right to require us to correct any mistakes in your personal data.
- Restriction of processing. The right to require us to restrict processing of your personal data.
- Data portability. The right to receive the personal data you provided to us.
- Object. The right to object at any time to your personal data being processed.
- Not to be subject to automated individual decision making. The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or significantly affects you.
- Withdraw consent. If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time.
Exercising your rights
If you would like to exercise any of those rights (including withdrawing any consent you may have provided for the use of your personal data) or require more information, please email, call, or write to us—see below: ‘How to contact us’; and
- provide enough information to identify yourself and any additional identity information we may reasonably request from you; and
- let us know what right you want to exercise and the information to which your request relates.
Any withdrawal of consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn.
You also have the right to raise a complaint to the UK Information Commissioner’s Office, the data protection regulator for the UK. You can do so by visiting https://ico.org.uk/ or calling 0303 123 1113. The UK Information Commissioner’s Office also has online guidance on individuals’ rights which can be found on their website.
Changes to this Privacy Notice
This notice was published on 13 July 2023 and last updated on 13 July 2023.
We may change this privacy notice from time to time—when we do an updated version will be posted on our website.
How to contact us
You can contact us and/or our Data Protection Officer by post, email, or telephone if you have any questions about this privacy notice or the information we hold about you, to exercise a right under data protection law or to make a complaint.
Our contact details are:
Alexander Dennis Limited, 9 Central Boulevard, Central Park, Larbert, FK5 4RU, United Kingdom
+44 1324 621672
Data Protection Officer: DataProtectionOfficer@alexander-dennis.com