Data protection

Data privacy

We ensure personal information that we collect, store and process is used for the appropriate purposes. All personal information is used in accordance with our privacy notices.

We act as data processor for our customers and a data controller for the personal data of our people.

We record all instances of data loss and have a rigorous incident management process in the unlikely event a breach occurs. This includes reporting notifiable breaches to the relevant regulatory authorities without undue delay and within stipulated deadlines. Where required we take remedial action as soon as possible.

Our privacy policies can be viewed in full below:

plc.autotrader.co.uk privacy policy

Autotrader.co.uk privacy policy

To ensure we are meeting our compliance obligations we have a dedicated team that is responsible for data privacy, data breach prevention and reporting, policy compliance, record keeping and data subject rights. We have an assurance framework in place to monitor compliance with data privacy laws and to ensure any breaches are dealt with in a robust manner. We hold GDPR Steering meetings bimonthly, attended by data owners from all business areas. The meeting is a central point of communication and coordination and provides guidance on the governance of our data strategy and ongoing compliance with relevant data security and privacy regulations.

All Auto Trader employees, including part-time employees, contractors and all Board members, are required to complete annual data privacy and security training and we have established processes to cover all aspects of the GDPR: Data Protection Impact Assessments (‘DPIAs’). These are conducted to help identify and minimise any data protection risks for new or changed products or services; and all processes are recorded and records of processing activity (‘ROPAs’) are reviewed quarterly by data owners. These include the lawful basis for processing and data retention periods; our privacy notices are reviewed and updated regularly. We have separate notices for consumers, employees and retailers; and we have processes in place to respond to Subject Access Requests (‘SAR’) and Erasure requests. Where required, Auto Trader obtains consent from consumers to gather personal data to service their enquiries for products, services or vehicles advertised on the site. Explicit consent (gathered separately) is also obtained to contact consumers for marketing purposes. Where we pass personal data to third-party service providers contracted to Auto Trader in the course of dealing with customers or employees, we carefully vet any third parties that we share data with, and they are obliged to keep it securely, and use it only to fulfil the service they provide on our behalf.

Also in this section

Cyber security

As an online marketplace, a primary focus is on cyber security to maintain customer trust and support our shift to digital retailing.

A trusted marketplace

Auto Trader aims to offer a marketplace that is relevant, reliable and fair. We ensure that advertisements shown are accurate and genuine, which is important for both our consumers and customers.

Compliance

To ensure that high standards are embedded across the business and form part of our culture, we have compliance frameworks in place, consisting of policies, processes, guidance and training focused on a number of core compliance topics.