Halfords Group
Privacy Notice

If your complaint is in relation to Halfords Motoring Club, you will need to contact our dedicated Motoring Club support team by going to the ‘Rewards & Benefits’ section of your account (https://www.halfords.com/benefits) and clicking ‘Chat with an Expert’.

If your complaint or query is in relation to Halfords Retail, Autocentres, Autocare or Garage Services, you will need to visit our website and click on contact us and then select the live chat feature.

I want to contact the Data Protection Officer (the “DPO”)

You can find the contact details for the DPO at the bottom of this notice but please have a look at these FAQ’s first as they may be able to assist you with your problem.

“I would like a copy of my personal data”

No problem, this is called a “Subject Access Request” or SAR. But first we need some information from you to ensure we only disclose your personal data to you, or your representative. To make sure we have all the information from you that we need to fulfil your request, we have created a form here. The form is simple to complete, is free and allows you to access your personal data securely.

The Legal - By law we have one month to provide you with a copy of your personal data which starts from the moment you have provided proof of your identity. We may extend the time limit by a further two months if the request is complex or if we receive a number of requests from you.

“I would like you to delete my personal data”

You have a right to erasure also known as the” right to be forgotten” but this doesn’t always apply. We will always review each request for erasure on a case-by-case basis. However, if you have bought something from us, we will be unable to erase your personal data because we need to keep records of transactions for business purposes. This data will automatically delete 7 years from the date of your last transaction with us. If you still want to ask us to delete your personal data, please follow the link here. The Legal - we have one month to respond to your request which starts from the moment you have provided proof of your identity.

“I think you may have the wrong data about me, and I would like you to correct it”

This is your right to rectification. Tell us what you think we have that’s wrong, such as the wrong vehicle registration number, a previously owned vehicle registration number, or a booking error. We will check it and if the data we hold is wrong, we will change it. We have a duty to ensure all personal data we hold is accurate. You can ask us to rectify your data here. The Legal - we have one month to respond to your request which starts from the moment you have provided proof of your identity.

“I would like to opt out of receiving marketing information”

Marketing emails and text messages have an opt out or unsubscribe button at the bottom of the email/text. This is the quickest and easiest way for you to unsubscribe. If you have already deleted the email or text, then you can send us a request to unsubscribe you here. If the email/text does not contain an opt out or unsubscribe button it’s because it’s a service message not a marketing message. A service message may be an MOT reminder or an invitation to provide feedback, or a product review request. If you no longer wish to receive any communications from Halfords, then please go here.

“I would like a copy of any CCTV images you may have captured of me during my recent visit to your premises”

Yes, we can do that as CCTV images are personal data, however, please be aware that we only retain CCTV images for 30 days from when they were recorded, after which they are deleted by the system and we are unable to recover them. To request a copy of your CCTV images go here. The Legal - we have one month to provide you with a copy of your personal data which starts from the moment you have provided proof of your identity. We may extend the time limit by a further two months if the request is complex or if we receive a number of requests from you.

As an essential part of our business, we collect and manage customer data. In doing so, we observe all relevant data protection legislation, and are committed to protecting and respecting customers’ privacy and rights. Specifically, Halfords acts as “Data Controller” in respect of the information gathered and processed by this website, when customers visit one of our stores or autocentres or use one of our mobile services.

In order that you are reliably informed about how we collect, process, store and share your information, we have developed this Privacy notice. This notice also advises how you can have control over how we use your data.

We collect information about you so that we can:

Provide you with our services in our stores, autocentres, mobile services and online sales. We use cookies on our websites to collect your data, you can find out more about how we use cookies to collect your data here.

Collecting information from you:

The information that we collect from our customers is known as “personal data” and may include your name, home address, e-mail address, telephone number and vehicle registration number.

We collect this information in various ways.

This could be when you fill in a form on a website, or when you correspond with us by telephone, e-mail, webchat, or letter, when you buy something from one of our stores or websites or visit one of our Autocentres.

We don’t store your payment card details as we use a third-party payment processor, so we never see your payment card information.

We will share your personal data with other companies within the Halfords Group, to help us provide you with products and services we think you will be interested in.

We also use third party service providers who help us provide our products and services to you. These third parties include:

• Advertising companies
• Social media providers
• Market research partners
• Companies that work with us on email campaigns
• Financial services such as Klarna purchase payments
• IT services
• Logistics and delivery services
• Security and fraud prevention service providers
• Contact centres for customer support
• Companies who assist us in administering competitions and promotions

Whenever we process your personal information, we must have something called a “legal basis” for what we do. The different legal bases we rely on are:

• Consent: You have told us you are happy for us to process your personal information for a specific purpose (s).
• Legitimate interests: The processing is necessary for us to conduct our business, but not where our interests are overridden by your interests or rights.
• Performance of a contract: We must process your personal information in order to be able to provide you with one of our products or services.
• Vital interests: The processing of your personal information is necessary to protect you or someone else’s life.
• Legal obligation: We are required to process your personal information by law.

We may use your information in the following ways:

• To provide our products and services - we need to use your personal information to make our products and services available to you.
• To improve your shopping/service experience - Learn more about our customers and their preferences. To identify patterns and trends amongst our customers.
• For safety and security - we use your personal information to help provide safe and secure environments for our customers to shop in, our colleagues to work in and for our businesses to be conducted.
• Analytics and profiling - we use your personal information for statistical analysis and to help us understand more about our customers. That includes understanding the products and services you buy, how you shop across the Halfords Group and by creating profiles about you. This helps us to serve you better and to find ways to improve our services, stores, apps and websites. These profiles help us to send you offers that are more relevant to you.
• Contacting you - we use your personal information to contact you. This may be in relation to a service update, an issue you have raised with us, to conduct market research or to ask for your feedback.
• Marketing and advertising - we use your personal information to provide relevant marketing communications (including by email, phone, SMS, post or online advertising), relating to our products and services, and those of our suppliers and the Halfords Group. As part of this, online advertising may be displayed on websites across the Halfords Group and online media channels. We may also use information about how you shop with us to measure the effectiveness of these campaigns.

Third parties such as Google Analytics, may drop cookies on your computer or mobile devices. These cookies may use information about your visits to our websites to provide relevant advertisements about goods and services that you may be interested in. They may also employ technology used to measure the effectiveness of our advertising using cookies to collect information about your visits to our sites in order to provide relevant advertisements about goods and services you may be interested in. The information collected through this process doesn’t let us, or them, collect your name, contact details or other personally identifying details unless you choose to provide them. We have cookie controls in place on all of our websites that allow you to choose how much, if any, personal data you provide. For more information about cookies go to our Cookie Notice.

We use CCTV across the Halfords Group for the protection of our colleagues, customers, and business. This includes investigating accidents, incidents, criminal activities, and breaches of our policies. Some car parks are run by third parties, so please check the local notice.

Some of our colleagues also wear body worn video (cameras) devices. These are only activated in high-risk situations. These devices record both audio and video. We can share CCTV with public or regulatory authorities or in response to requests from individuals seeking to protect their rights, the rights of others or helping to prevent crime and nuisance. We will only share CCTV if we consider a request to be appropriate.

Card payments

We use a secure third-party payment processor for all digital payments. This means we do not store your financial data and cannot see payment card information when you enter it as part of a transaction. We do retain the last four digits of your card number which allows us to identify transactions and help prevent fraud.

Sharing your information with Law Enforcement Agencies or public bodies

Law enforcement agencies (e.g., the police) may also ask us for access to information about our customers for the prevention and detection of crime. We will only provide personal information to these agencies where:

• you have told us you are happy for us to do so.
• for the prevention and detection of crime.
• there is a threat to your life or the life of another customer/individual.
• the law enforcement agency or public body has been given authority by a Court to ask for this information; or
• legislation(s) mandates the sharing of the information (e.g., the Inland Revenue Department under the Tax Administration Act 1994)

Some of our trusted suppliers and service providers are based outside the EEA for the purposes described in this privacy notice (please see the “Who we share your personal data with.” section above for further details). If we do this, your personal information will continue to be protected by appropriate safeguards as set out in the UK/EU GDPR. These will be transfer mechanisms approved by regulators.

We would like to tell you about our great offers, promotions, products, and services for the Halfords Group. Where we have consent or it is in our legitimate interests to do so, communication is via post, by email, text message, phone, or through online advertising or by any other electronic means.

We will stop sending you marketing messages if you tell us to stop. However, we will continue to send you service messages and surveys as these not marketing messages, although we have provided an opt out option in the survey message.

If you wish to amend your marketing preferences, you can do so by logging into your Halfords loyalty or online account.

Please note that it can take up to 48 hours for all electronic marketing to stop once you either withdraw your consent or tell us you’d like to opt out of marketing. This is because some marketing may have been identified as relevant to your interests and may already be in transit, it cannot therefore be immediately stopped. Direct marketing (postal) this can take up to 28 days to stop once you either withdraw your consent or tell us you’d like to opt out of marketing.

You have a number of rights under data protection legislation which, in certain circumstances, you may be able to exercise in relation to the personal information we process about you.

• the right to be informed; about how we collect and use your personal data.
• the right to access; a copy of the personal information we hold about you.
• Right to rectification; of inaccurate personal information we hold about you.
• Right to be forgotten;
• Right to object; to our use of your personal information.
• Right to restrict; processing.
• the right of data portability; and

Where we rely on consent as the legal basis on which we process your personal information, you may also withdraw that consent at any time.

If you are seeking to exercise any of these rights, please submit a request here. Please note when submitting a request, you will be asked to provide valid photo identification so that we can verify your identity before we can fulfil any of your rights under data protection law. This helps us to protect the personal information belonging to our customer against fraudulent requests.

We will keep your personal information for the purposes set out in this privacy notice and in accordance with the law and relevant regulations. We will never retain your personal information for longer than is necessary. In most cases, our retention period will come to an end 7 years after the end of your relationship with us.

Retention Schedule

Halfords Group PLC maintains a data retention schedule in which we list in detail how long we keep categories of data. If you would like more information about our retention schedule, contact the data protection officer at Halfords. dataprotectionofficer@halfords.co.uk

At Halfords, we maintain a comprehensive data management work programme, which includes processes for ensuring that data protection is a key consideration of all new and existing IT systems that hold customers’ personal data. Where any concerns, risks or issues are identified, we conduct relevant impact assessments in order to determine any actions that are necessary to ensure optimum privacy.

We also maintain an active information security work programme which seeks to protect the availability, confidentiality, and integrity of all physical and information assets. Specifically, this helps us to:

• protect against potential breaches of confidentiality
• ensure all IT facilities are protected against damage, loss, or misuse
• increase awareness and understanding of the requirements of information security and the responsibility of our colleagues to protect the confidentiality and integrity of the information that they handle and ensure the optimum security of this website

We recognise that the security of data and transactions on this website is of primary importance. We therefore ensure that all connections to secure parts of the website (such as when you login) are encrypted and authenticated using strong protocols, key exchanges and ciphers.

Questions and comments regarding this Privacy Notice are welcomed and should be sent to our Data Protection Officer at dataprotectionofficer@halfords.co.uk. You can also contact our Data Protection Officer if you have any concerns or complaints about the way in which your personal data has been handled or if you think we’ve done something wrong. But first check the FAQ’s as you may find the answer to your question.

Alternatively, if you still feel we have not handled your personal data correctly, you have the right to ask the Information Commissioner’s Office (“ICO”) to look at how we handled your personal data.

The ICO can be found at Wycliffe House, Water Lane, Wilmslow SK9 5AF or https://ico.org.uk if you’re in the U.K or the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland if you’re in the Republic of Ireland How to contact us | Data Protection Commissioner