Fully electric Volvo XC40

Save up to £8,000 and 0% APR representative 

Save up to £8,000 and enjoy 0% APR representative PCP finance on our fully electric Volvo XC40.

View Our XC40 Model Information

Keep in Touch

We would like to keep in touch with our latest product news, offers and marketing services. All information provided will be used and processed in accordance with our Privacy Policy.

Yes, I want to receive product news, offers and marketing services by:

Cambridge Garage (Portsmouth) LTD Privacy Policy

Cambridge Garage (Portsmouth) Ltd

Data Protection Privacy Policy (GDPR)
The General Data Protection Regulation 2018 (GDPR)
This policy sets out how Cambridge Garage aim to ensure data protection compliance with the General Data Protection Regulation and ensure that all employees of the company understand the rules that govern the use of personal and sensitive data to which they have access to in the course of their work.
Cambridge Garage collects and holds personal data about its employees, customers, contractors, suppliers and other individuals for business purposes only.
This policy notice also requires all managers and employees to ensure that the Data Protection Officer (DPO) if required, is consulted before any significant new data is collected and/or processed so as to ensure that relevant compliance procedures are, so far as is reasonably practicable, addressed.
This policy is applicable to everyone within the Company and all persons with access to data in any format must be familiar with this policy notice and comply with its content.
This policy is in addition to, and supports all policies or notices relating to information security and data loss. We reserve the right to amend this notice in the light of any new regulations or guidance that may come in force in the future. All staff shall be informed of any modified policy notices for consultation prior to it being implemented.
Personal Data
Information relating to identifiable individuals, such as job applicants, current and former employees, customers, contractors, suppliers and any relevant agencies
Sensitive Personal Data
Personal data about an individual's racial or ethnic origin, political opinions, religious or non-religious beliefs, trade union memberships, physical or mental health issues, criminal offences or proceedings
Data Subject
Refers to the person or third party to which the data identifies or relates to
Data Protection Officer as appointed by the company (if required)to oversee the processing of all data
Business purposes
All personal data shall only be collected and processed for operations reasons in connection with the running of the company continued;
The main principles of the General Data Protection Regulation are;
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Adequate and necessary:
4. Accurate:
5. Not kept longer than needed:
6. Integrity and confidentiality:
Rights of Access to Information
Under the Data Protection Act 1998 and the Freedom of Information Act 2000, individuals are entitled to request access to information held about them. This includes the right to;
speak to the DPO(if required) directly about data held about them ask what personal data is held about them and why it held request access to their own personal data and to receive it within 40 days of their request prevent the processing of the personal data if the data is incorrect or; if processing of the data is likely to cause distress or damage to the individual or other persons have any incorrect data changed so as to be correct to be informed of any data losses or breaches that may affect them directly or indirectly request that the data held on them is erased from the company records
Any subject data access requests received from an individual will be referred immediately to the DPO who will deal with the request. The DPO may ask that individual to help the Company comply with the request
The DPO will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 1 month for access to records and 21 days to provide a reply.
Data Protection Officer
The Company has made all managers responsible for data protection for their department with overall responsibility with the Head of business, this encompasses; keeping the Company Management updated about data protection responsibilities, risks and issues
Reviewing of data protection procedures and policies on a regular basis
Arranging data protection training for all relevant members of staff
Answering questions on data protection from other senior management and staff members or other relevant persons
Responding to individuals who request what data is being held on them
Checking that data being handled by third parties such as contracts or agreements meets the requirement of this policy
Ensure all systems, services, software and equipment meet acceptable security standards
Checking and scanning security hardware and software regularly to ensure it is functioning properly
Researching third-party services, such as cloud services the company is considering using to store or process data
Managers & Supervisors
All Managers and Supervisors are responsible for ensuring that any personal or sensitive data which they hold or have access to; is kept securely and; that personal information is not disclosed either verbally, in written or electronic format including emails, texts and social media; to any unauthorised third party
In addition; where a manager or supervisor is responsible for collecting personal data, he/she must ensure it is collected with the consent of the data subject, is necessary and accurate
If, as part of their duties, other employees not being managers or supervisors, need to collect information about customers or other employees they must comply with this policy
All employees are responsible for ensuring that any personal data they collect or have access to; is kept securely and; that personal information is not disclosed either verbally, in written or electronic or in digital format including emails, texts and social media; to any unauthorised third party. In addition; each employee is responsible for:
ensuring their own personal data that he/she provides to the Company is accurate and up to date informing the DPO of any relevant changes to information previously provided i.e.; address change where any employee is required to collect data from or about a customer or any other person, they must have prior consent from the data subject ensuring that the data is necessary and is accurate
All Management & employees are reminded that the General Data Protection Regulation (GDPR) does not only apply to records held relating to Company employees, but also to customer files and records. All documents whether hand written or stored in electronic format (including emails) are potentially disclosable in the event of a request from an employee or customer.
All Management & employees must, so far as is reasonably practicable, ensure that they carry out their duties in a manner that enables the company to comply with its obligations under the GDPR
Note: Should an employee change roles during his/her employment or; should they terminate/have terminated their employment with the Company; they shall still be bound by the terms of this policy under the General Data Protection Regulation
The business purposes for which we may collect and use personal data include the following;
Employees & Contractors
Personal data collected and processed may include individuals contact details, education details, National insurance and pay details, training certificates and diplomas regards education and skills, previous work history, checking of references, marital status and nationality and, any relevant medical and emergency contact details
Payroll & General Administration
Person data may be used in connection with employees, payroll, general administration of the company’s undertaking as a vehicle repairer and any relevant financial activities
Compliance with Regulations & Statutes
We may be required to collect and hold personal data in order to comply with certain regulations and statutes as imposed upon us and to meet corporate governance and good practice. We may also need to gather personal data & information in the event of any investigations in to our business by regulatory bodies or upon any legal proceedings

Operational Reasons
Personal & where necessary sensitive data; may be collected and processed for operational reasons that include;
Employee welfare
Disciplinary matters
Implementation of safe working practices
Quality control
Security vetting
Recording of financial transactions
Investigating complaints
Ensuring the confidentiality of commercially sensitive information through monitoring and managing employees access to systems
Business Development
In certain circumstances, it may also be necessary to gather & use data in relation to the marketing of our business and improving our services. Where this is relevant, the processing of the data will be in line with and; be in compliance with the GDPR and this policy
Company Policies
It may be necessary to hold certain personal data in respect to our employees, customers and contractors in order to adhere to our own company policies
The Company will process personal data in accordance with the principles of data protection in GDPR as follows;
In a lawful, fair and transparent manner
All data including an individual’s personal and sensitive data, will be processed in a fair, lawful and transparent manner in relation to each individuals’ rights. No personal data will be processed without the consent of the individual to whom the data identifies or relates to
With the consent of individuals
Any data Personal data collected is subject to active consent by the data subject. This consent can be revoked at any time. The data held shall be used for business purposes only
Processing of data limited to legitimate reasons
Personal data will be collected for specified, explicit and legitimate purposes only and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
Data collected to be adequate and necessary
The DPO and Senior Management will ensure, so far as is reasonably practicable that Personal data collected will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Should it be necessary to collect any sensitive personal data, this shall be strictly controlled in accordance with this policy
Data processed to be accurate
The DPO and Senior Management will ensure, so far as is reasonably practicable that personal data held will be accurate and, where necessary, kept up to date; all reasonable steps will be taken to ensure that any inaccurate personal data is erased or rectified as soon as is practicable
The Company will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has given their consent to do so
Personal data not be kept any longer than needed
Personal data will be kept in a format that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
With integrity and confidentiality
Personal data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Data kept securely
The need to ensure that data is kept securely means that precautions will be taken against physical loss or damage, and that both access and disclosure will be restricted. This will be overseen by the DPO who will ensure that personal and sensitive data held will be kept secure in line with the company's Information Security and Data Loss policy
Where personal and sensitive data is kept electronically on computers, access will be password protected as appropriate to security levels. Printed and written personal and sensitive data will be kept secured within a lockable cabinet or room to prevent unauthorised access
At the end of each working day or when leaving the office for any considerable time, Company personnel involved with admin work are instructed to tidy their desk and remove any documents that may contain personal, sensitive or confidential data. Lockable filing cabinets are made available for this purpose also; where any software programs have been in use, these will be closed down so as to prevent unauthorised access
Software Password Security
All passwords used in connection with data protection will adhere to the company's Password Protection
Safe Disposal of data
Where required, personal and sensitive data will disposed of in a secure manner ensuring that it is not available in any format to any persons. Personal and sensitive data in electronic or digital format including emails, texts and social media content will be deleted and removed so far as is practicable, from equipment and servers.
Any personal and sensitive data in paper format required to be removed will be disposed of by means of shredding or if found necessary; via the appointment of a vetted secure data disposal operator
Upon request, the company will demonstrate that compliance with the principles of the GDPR are; so far as is reasonably practicable, being met
This policy is not contractual but indicates how the company intends to meet its legal responsibilities for
Data Protection. Any breach will be taken seriously and may result in formal disciplinary action
Any individual who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with their immediate supervisor or directly with the DPO
Review of the policy:
This policy shall be reviewed at least once every year or in the event of any suspected breach or data loss.

Rgalloway DPO 2019