Introduction, who we are and who to contact
Lexus UK respects your privacy. Whether you deal with Lexus UK as a customer, a consumer, a member of the general public, a partner, supplier or staff member, you are entitled to the protection of your Personal Data.
This Policy applies to all the processing of your Personal Data across the services we deliver at Lexus UK and all of the different platforms we use to deliver those services such as online applications, websites, portals, sales and marketing activity and social media platforms. Data captured and processed at a Lexus Dealership is managed separately, which is further described below.
We’ve taken a layered approach to inform you how we deal with your data, as we recognise it can all be a little confusing at times. Therefore, this Policy is accompanied with privacy notices, which provide you with more specific and concise information on that particular area.
Capitalised terms refer to standard terms set out in within the General Data Protection Regulation (GDPR).
Who is responsible for the processing of your personal data?
Lexus UK of Great Burgh, Burgh Heath, Epsom, Surrey KT18 5UX is the Data Controller and responsible for the processing of your data.
However, please note that we also process your data, dependant on your relationship with us, to different data controllers, which form part of the Lexus UK Group but are separate legal entities and will have their own processes and procedures for handling your data. See Data Controllers Section.
Who can you contact in case you have questions or requests?
Lexus UK has appointed a Data Protection Officer (DPO) who is available to handle any questions or queries you may have relating to the processing of your data, this Policy and associated Privacy Notices.
The DPO can be contacted at email@example.com or alternatively by writing to the Data Protection Officer, Lexus UK, Great Burgh, Burgh Heath, Epsom, Surrey KT18 5UX.
What data we process, why and legal grounds
At Lexus UK we process your data based on the lawful grounds listed below:
• You have given us your consent for the purposes of the Processing (as described in the privacy notice related to that particular Processing). For the avoidance of doubt, you will always have the right to withdraw your consent at any time; or
• It is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering a contract; or
• With such Processing, we pursue a legitimate interest that is not outweighed by your privacy rights. Such legitimate interest will be duly communicated to you in the privacy notice related to that particular processing; or
• It is required by law.
The sources of data we collect
We collect information directly from you when you:
• choose to participate in our offers and programmes;
• create an account on our websites or in our mobile applications;
• call or email us, or otherwise provide information directly to us;
• interact with us on social media.
The processes we have in place and data we process can include;
Requesting a Test Drive, Brochure Request, Vehicle Valuation and forms completed on our websites means that data is often shared between Lexus entities and your local dealership, to provide you with the best possible products, services and offers based on your requirements and preferences. This includes:
• Personal identifying information: full name, title, address (private and/or professional), previous addresses, telephone number (residential, business), e-mail address, nationality
• Personal characteristics: age, gender, date of birth, place of birth, occupation, and marital status.
• Vehicle information: current and previous brand and type of vehicle, Vehicle Identification Number, Number plate, selected optional equipment, purchase, rental or leasing.
• Lifestyle: details of consumption of goods and services, media behaviour of the individual or family, social contacts, complaints, incidents or accidents, use of media and means of communication, incl. Facebook account, Twitter account, LinkedIn account, Instagram…
• Household Composition: Marriage or present form of cohabitation, name of the spouse or partner, details of other members of the family or household.
• Hobbies and interests: Leisure activities and interests: hobbies, sports and other interests.
• Affiliations: Affiliations to charitable or voluntary organisations, motability, clubs, associations and groups.
• Marketing Preferences: We will often ask whether you would be interested in the latest news, offers and events via email, post, SMS and telephone communications.
When we need to verify your ID or driver’s licence (e.g. test drives, replacement car) data that will be collected from you can include:
• IDs assigned by us, types of formal identification data such as passport, driving license and utility bills
Such data will only be used for the specified purpose at the point of collection
When interacting with Lexus through online channels (e.g. website) the following information can be captured (in accordance with the cookies policy):
• Electronic identification data, IP addresses, cookies, session cookies, your behaviours and usage of our website.
For connected and autonomous car services the following data can be collected:
• Electronic data location: GSM, GPS.
When purchasing or applying for financial service offering or insurance (including online), the following data can be collected;
• Financial features (only in relation with financial services offerings): Income/possessions of Data Subject and his/her partner, solvency, assessment of income, financial status, credit rating, details relating to insurance, professional activities of the data subject and their partner, conventions and agreements.
• Housing characteristics: Address of housing, housing type, own house or leased, length of stay at this address, rent, charges, classification of housing, valuation details, names of key holders.
When corresponding with you through our call centres (e.g. for customer queries) we might record the calls in order continuously improve the quality of our services:
• Sound recordings: Recording on tape, call recording.
For special events (e.g. reveal of new car) Lexus might take pictures and create video content containing featuring individuals in the area:
• Image recordings: Films, photographs, video recordings, digital photos.
How long we keep your data and how we secure it
At Lexus UK we only retain your data for as long as required by law or where we have an appropriate business justification.
For further information on how long Personal Data is likely to be kept before being removed from our systems and databases, please contact us via email at firstname.lastname@example.org or alternatively by writing to the Data Protection Officer, Lexus UK, Great Burgh, Burgh Heath, Epsom, Surrey KT18 5UX.
Protecting your personal data
We have implemented a set of technical and organisational security measures to protect your Personal Data against unlawful or unauthorised access, use of modification, in addition to protection against accidental loss or damage.
Your Personal Data will only be processed by a third-party Data Processor if that Data Processor agrees to comply with a set of agreed contractual clauses, in addition to appropriate technical and organisational security measures.
Appropriate security means ensuring controls are in place to protect the confidentiality, integrity and availability of your Personal Data:
• Confidentiality: we will protect your Personal Data from unlawful disclosure to third parties.
• Integrity: we will protect your Personal Data from being modified by unauthorised third parties.
• Availability: we will ensure that authorized parties are able to access your Personal Data when needed.
We’ve put together specific information on how we process cookies in a policy document for you, which is available here .
Disclosure of personal data
Depending on the purposes for which we collect your Personal Data, we may disclose it to the following categories of recipients, which will then process your Personal Data only within the framework of these purposes:
Within our organisations and our brand environment:
• Our authorised staff members;
• Our affiliates and subsidiary companies;
• Members of our Authorised Dealerships and Authorised Repairers network which you have indicated as preferred Authorised Dealerships or Authorised Repairers or which are located near you (based on your postcode, address) or which you have been in contact with;
• Toyota Motor Europe (TME) – For personalised marketing communications we share your information with TME, as they provide system support to us and allow us to manage your preferences. TME also manage certain systems on our behalf, request certain business-related information from us to undertake European wide analysis of our customers experience and satisfaction.
Third Party System Providers – We also use approved third-party system providers who help us deliver our services, such as manage your preferences, help us communicate to our customers and understand our demographics and customer preferences better. We ensure that there are contracts in place with these Data Processors that include appropriate security and privacy contractual clauses and controls to protect your personal data.
Third party business partners:
• Research, advertising, marketing and promotional agencies: to help us deliver and analyse the effectiveness of our advertising campaigns, promotions and products;
• Business partners: for example, trusted companies that may use your Personal Data to provide you with the services and/or the products you requested and/or that may provide you with marketing materials. We ask such companies to always act in compliance with applicable laws and this Policy and to pay high attention to the confidentiality of your personal information;
• Service providers of Lexus UK: companies that provide services for or on behalf of Lexus UK, for the purposes of providing such services (for example, Lexus UK may share your Personal Data with external providers of IT related services);
Other third parties:
When required by law or as lawfully necessary to protect Lexus UK
• To comply with the law, requests from authorities, court orders, legal procedures, obligations related to the reporting and filing of information with authorities, etc.;
• To verify or enforce compliance with Lexus UK’s policies and agreements; and
• To protect the rights, property or safety of Lexus UK and/or its customers;
• In connection with corporate transactions: in the context of a transfer or divestiture of all or a portion of its business, or otherwise in connection with a merger, consolidation, change in control, reorganisation or liquidation of all or part of Lexus UK's business.
Specific contact with our authorised dealerships and repairers
If you purchase a car or another product or service from one of our Authorised Dealerships or Authorised Repairers or if you give them your personal information, you will have a separate relationship with this Authorised Retailer or Authorised Repairer. In this case, they become the Data controller of your Personal Data, possibly together with us. For all questions or requests about the collection and use of your Personal Data by one of the Authorised Dealerships or Authorised Repairers, please contact them directly.
How is your preferred Authorised Retailer or Authorised Repairer identified?
The preferred Authorised Retailer or Authorised Repairer is chosen either by options you’ve chosen via the settings of your MyLexus account (which you can change at any time), automatically based on location (the nearest to you based on your postcode, address), or your historical contact with our network.
Use of social media
If you use on a Lexus UK tool (website, portal, blog) a specific login from your own social media (for example, your Facebook account), Lexus UK will record your Personal Data available on this social media and your use of such social media means that you have explicitly allowed the communication of your Personal Data recorded by Lexus UK through its tool.
Transfer outside the EEA
Your Personal Data will be transferred to recipients which may be outside the EEA, and will be processed by us and these recipients outside the EEA.
When your Personal Data is transferred to countries outside the EEA that do not generally offer the same level of data protection as in the EEA, Lexus UK will implement appropriate specific measures to ensure an adequate level of protection of your Personal Data.
Your choices and your rights
We want to be as transparent as possible with you, so that you can make meaningful choices about how you want us to use your Personal Data. To exercise your Rights under Data Protection Law, please use the DPO Contact Details.
Your choices on how you want to be contacted and withdrawing consent
You can make a variety of choices about how you want to be contacted by us, through which channel (for example, email, mail, SMS, phone), for which purpose and how frequently, by adjusting the privacy setting on the relevant device or updating your user or account profile or by following the unsubscribe instructions included in the communication.
Your Personal Data and Right to Access
You have the right to copies of Personal Data we have concerning you and its origin. Under certain conditions, you have the right to receive copies Personal Data which we hold about you. This can be done by providing details of your request to us, using the contact details provided.
Your corrections and Right to Rectification
If you find any mistake in your Personal Data or if you find it incomplete or incorrect, you may also require from us that we correct or complete it. This can be done by providing details of your request to us, using the contact details provided.
Your restrictions and right to Restriction of Processing
You have the right to request a restriction on the Processing of your Personal Data (for example, while the accuracy of your Personal Data is being checked). This can be done by providing details of your request to us, using the contact details provided.
Right to Object to Processing
You may also object to the use of your Personal Data for direct marketing purpose (if you prefer, you can also indicate to us through which channel and how frequently you prefer to be contacted by us) or to the sharing of your Personal Data with a third party for the same purpose.
You may withdraw your consent at any time to the continued Processing of the Personal Data that you have provided to us by unsubscribing to an email, changing your preferences in your account, visiting our Opt-Out form or by contacting our Data Protection Officer.
Your Right to Erasure
You may want us to erase your personal data and you are able to request this by providing details of your request to us, using the contact details provided. We will assess your request and either explain to you the reasons we are still required to retain your data, which will be due to a legal requirement or business justification to keep your data. If we are able to erase your data we will inform you of the outcome.
Your Right to Data Portability
You have the right to request that data you have provided is sent to you in a structured, commonly used and machine-readable format and have the right to transmit that data to another organisation. This can be done by providing details of your request to us, using the contact details provided in the 'Who can you contact in case you have questions or requests? The data protection contact point’ section.
Your Right to lodge a complaint
If you wish to make a complaint then we would encourage you to initially contact our Data Protection Officer . However, you also have the right to lodge a complaint directly with the relevant supervisory authority, which for Lexus UK and the United Kingdom is the Information Commissioners Officer (ICO) whose contact details are:
Postal Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
The ICO are also a public authority meaning that all the written material they hold, including any correspondence you send to them, may be considered for release following a request to them under the Freedom of Information Act, unless the information is exempt.
Changes to this policy
We may occasionally make alterations to this page, which will reflect how we process and look after your data. This is to ensure our commitment to being transparent with you, protecting your information and upholding your Rights. If significant changes are made to this Policy or the way in which we process your personal data, we will draw your attention to this either through updates to this Policy on our website, through our service lines or by another means of communication such as email. The online version of this Policy is also subject to version control and we are able to provide specific versions if required. This allows you to assess the changes and make an informed decision on how your data is processed.