- This IoT Privacy Notice provides guidance and information to GDC Group Ltd (registered in England and Wales No.01313016) trading as Glen Dimplex Heating and Ventilation (“GDHV”) customers regarding the processing of their personal data.
- GDHV ("us", "we" or "our") is committed to protecting and respecting your privacy. This IoT Privacy Notice sets out the basis on which any personal data we collect from you or that you provide to us will be processed by us. Please read this IoT Privacy Notice carefully to understand our treatment and use of personal data.
- In this IoT Privacy Notice, references to “you” means the person whose personal information we collect, use and process.
- We will use your personal data only for the purposes and in the manner set forth below, which describes the steps we take to ensure the processing of your personal data is in compliance with the Data Protection Acts 2018 and any subsequent data protection and privacy legislation, European Union Law including Regulation (EU) 2016/679, known as the General Data Protection Regulation or GDPR and any subsequent amendments (collectively referred to as “Data Protection Legislation”).
2. Identity of the controller of personal information
- For the purposes of Data Protection Legislation, the Data Controller is GDHV.
- GDHV and their affiliated companies will be referred to collectively as the “Glen Dimplex Group”.
3. Contact Us
4. Processing of your personal data
How and why do we process your personal data?
The personal data we collect from you or through our systems helps us manage our relationship with you, e.g. collection of appliance data to provide remote diagnostics service, but also to comply with our legal obligations or for the conduct of our business. The personal data we collect, the basis of processing and the purposes of processing are detailed below. Sometimes, these activities are carried out by third parties, including other members of the Glen Dimplex Group (see “Sharing of Personal Data” section below).
|Personal Data Processed||Legal Basis Of Processing||Purpose Of Processing|
Registration Data which is:
It is necessary for the performance of our contract with you, or to take steps for entering into our contract with you.
1. Provide a unique login account.
2. Linking of products to user accounts to provide remote Command & Control of appliances.
3. System Notification to individuals.
including Lan / internal IP address, external router Wifi SSID, external router LAN / internal IP Address, manual proxy settings.
4. Provision of support via service engineers for installation or in life operations.
5. Marketing email where specific consent has been provided.
Trial Data Which is:
The data as set out above
For the purposes of reviewing the services providing, analysing the information in order to determine whether any changes/improvement required for the service.
Where do we obtain my personal data from?
Most of the personal data we process is obtained from you when you enter into a contract with us, but we also obtain personal data about you in the course of the performance of your contract with us, including the collection of personal data in order to create an account and to provide device control functionality. We will also obtain your email address from another customer in the event that customer requests that you are added to a Dimplex Control account and such data will be processed in accordance with this document.
In some circumstances, we may request your explicit consent to process (specific types of) personal data. In these circumstances, you are able to withdraw your consent at any time by following the instructions provided when you gave consent or at the contact details below.
5. Sharing of personal data
Our Group Companies
Personal data will only be shared across the Glen Dimplex Group in certain circumstances and where lawful to do so, i.e. it may be necessary to share your personal data with other members of the Glen Dimplex Group, which includes our ultimate holding company and its subsidiaries for the purposes of our business management, including workforce management and administration, management information, forecasting and other related functions.
Access rights between members of the Glen Dimplex Group are limited and granted only on a need to know basis, depending on job functions and roles.
We use third party service providers who provide services e.g. Service Engineers and Installation Services Providers. In providing the services, your personal data will, where applicable, be processed by the service provider on our behalf.
We will check any third party that we use to ensure that they can provide sufficient guarantees regarding the confidentiality and security of your personal data. We will have written contracts with them which provide assurances regarding the protections that they will give to your personal data and their compliance with our data security standards and international transfer restrictions.
Disclosures to Third Parties
In certain circumstances, we share and/or are obliged to share your personal data with third parties outside the Glen Dimplex Group, for the purposes described above and in accordance with Data Protection Legislation.
These thid parties include:
- energy utility companies that provide your energy services
- regulatory authorities
- financial institutions
- tax authorities
- relevant industry bodies
- external professional advisors
- others, where it is permitted by law, or where we have your consent.
6. Transfers outside the European economic area
Your personal information may be transferred, stored and processed in one or more countries outside the European Economic Area (“EEA”), for example, when one of our service providers use employees or equipment based outside the EEA. For transfers of your personal data to third parties outside of the EEA, we take additional steps in line with Data Protection Legislation. We have put in place adequate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercise of your rights, e.g. we establish an adequate level of data protection through EU Standard Contractual Clauses based on the EU commission’s model clauses.
If you would like to see a copy of any relevant provisions, please contact the data protection officer (see “Contact Us” section above).
7. How is my personal data secured
We operate and use appropriate technical and physical security measures to protect your personal data.
We have in particular taken appropriate security measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access, in connection with the customer relationship. Access is only granted on a need-to-know basis to those people whose roles require them to process your personal data. In addition, our service providers are also selected carefully and required to use appropriate protective measures.
We will keep your personal data for as long as it is necessary to fulfil the purposes for which it was collected as described above and in accordance with our legal and regulatory obligations. This may mean that some information is held for longer than other information.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
9. Your rights
You may have various rights under data protection legislation in your country (where applicable).
These may include (as relevant):
|Your right||What does it mean?||How do I execute this right?||Conditions to exercise?|
|Right of access||Subject to certain conditions, you are entitled to have access to your personal data which we hold (this is more commonly known as submitting a “data subject access request”).||Requests for such information should be made in writing to the address set out in the Contact Us section under ‘Privacy’. If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations.||We must be able to verify your identity. Your request may not affect the rights and freedoms of others, e.g. privacy and confidentiality rights of other customers. Data solely retained for data backup purposes is principally excluded.|
|Right of data portability||Subject to certain conditions, you are entitled to receive the data which you have provided to us and which is processed by us by automated means, in a commonly-used machine readable format.||Requests for such information should be made in writing to the address set out in the Contact Us section under ‘Privacy’. If possible, you should specify the type of information you would like to receive to ensure that our disclosure is meeting your expectations.||The GDPR does not establish a general right to data portability. This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (e.g. not for paper records). It affects only personal data that was “provided” by you. Hence, it does, as a rule, not apply to personal data that was created by the Glen Dimplex Group.|
|Rights in relation to inaccurate personal or incomplete data||You may challenge the accuracy or completeness of personal data which we process about you. If it is found that personal data is inaccurate, you are entitled to have the inaccurate data removed, corrected or completed, as appropriate.||We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details, telephone number, immigration status. Please always check first whether selfhelp tools are available. If no such tools are available, requests for such information should be made in writing to the address set out in the Contact Us section under 'Privacy'.||This right only applies to your own personal data. When exercising this right, please be as specific as possible.|
|Right to object to or restrict our data processing||Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data.||Requests for such information should be made in writing to the address set out in the Contact Us section under ‘Privacy’.||This right applies only if the processing of your personal data is explicitly based on our so-called “legitimate interests” (see “basis of processing” above). Objections must be based on grounds relating to your particular situation. They must not be generic so that we can demonstrate that there are still lawful grounds for us to process your personal data.|
|Right to have personal data erased||Subject to certain conditions, you are entitled, on certain grounds, to have your personal data erased (also known as the “right to be forgotten”), e.g. where you think that the information we are processing is inaccurate, or the processing is unlawful.||Requests for such information should be made in writing to the address set out in the Contact Us section under ‘Privacy’.||There are various lawful reasons why we may not be in a position to erase your personal data. This may apply (i) where we have to comply with a legal obligation, (ii) in case of exercising or defending legal claims, or (iii) where retention periods apply by law or our statutes.|
|Right to withdrawal||You have the right to withdraw your consent to any processing for which you have previously given that consent.||Requests should be made in writing to the address set out in the Contact Us section under ‘Privacy’.||If you withdraw your consent, this will only take effect for the future.|
10. Your right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy you might have, you may have the right under data protection legislation in your country (where applicable) to lodge a complaint with the relevant data protection supervisory authority in your country if you consider that we have infringed applicable data protection legislation when processing your personal data. This means the country where you are habitually resident, where you work or where the alleged infringement took place.
The UK Information Commissioners Office contact details can be found here.
11. Changes to this information
We reserve the right to change this IoT Privacy Notice at any time. If we make changes we will notify you of such changes so that you can see what information we gather, how we might use that information and in what circumstances we may disclose it.
Last updated: 26th November 2018