Privacy policy

1. INTRODUCTION

We take your privacy very seriously and want you to be familiar with how and why we collect, use and disclose your personal data.  
This privacy notice (“Notice”) explains how we collect, use, disclose, and protect your personal information and has been drafted as to be applied to our operations and personal information processing activities globally. 

Our personal data processing activities may be more limited in some jurisdictions due to restrictions imposed under local laws. For example, the laws of a particular country may limit the types of personal data we can collect or the manner in which we process that personal data. In those instances, we may adjust our internal policies and/or practices to adapt to the requirements of the relevant local law. 

This Privacy Notice applies regardless of where you are located when accessing our Website. We process your personal data for specific, lawful purposes including the provision, maintenance, improvement, and security of our Website in accordance with the applicable legal basis under relevant privacy laws. We do not collect, use, or share your personal information beyond what is necessary for those purposes, unless we are legally required to do so or you have given your explicit consent where required.

We ask that you read this Notice carefully, along with any other privacy notice or fair processing notice we may provide to you on specific occasions when we are collecting or processing personal data about you. We want you to be fully aware of how and why we are using your personal data. 

This Notice supplements other notices and privacy notices and is not intended to override them.

2. WHO WE ARE 

We are the Cosworth group of companies, which consists of the following companies:

• Cosworth Group Holdings Limited, a company registered in England and Wales with company number 06442393;
• Cosworth Limited, a company registered in England and Wales with company number 05177945;
• Delta Cosworth Limited, a company registered in England and Wales with company number 05481053; and
• Cosworth Electronics Limited, a company registered in England and Wales with company number 05276665.

The registered address for each of the companies listed above is:

• The Octagon, St. James Mill Road, Northampton, Northamptonshire, England, NN5 5RA. 

We also have entities operating in the US as follows:  

• Cosworth Electronics LLC, USA 5355 W, 86th St. Indianapolis, IN 46268, United States. 

The Cosworth group of companies (“Cosworth”, “we”, “us” and “our”) is a worldwide group of engineering companies specialising in the delivery of propulsion and intelligent solutions for the automotive, aerospace, motorsport and marine industries.

3. WHO IS THE CONTROLLER OF YOUR PERSONAL DATA?

The website www.cosworth.com (the “Website”) is operated by Cosworth Group Holdings Limited. This means that Cosworth Holding Company Limited acts as the controller for personal data collected through the Website and determines what data will be collected via the Website as well as how that information will be used and protected.  

Cosworth Group Holdings Limited may use trusted third-party service providers to help host and manage the Website and related services, however, where this is the case, any such provider acts only as a data processor and is not permitted to use your personal information for their own purposes.

Cosworth comprises the entities listed in section 2 of this Notice. Depending on the nature of your relationship with us, your personal data may be shared with and separately controlled by the relevant company within the group. Each of our companies located in the UK is registered with the Information Commissioner’s Office (ICO) as a controller in its own right. If you are unsure which company within the group is responsible for your personal data, you can contact us using the details below, and we will direct your request to the appropriate controller.

We determine the purposes and means of processing your personal information in compliance with applicable data protection laws, including (but not limited to) the UK General Data Protection Regulation (UK GDPR), the General Data Protection Regulation (EU) 2016/679 (EU GDPR), the California Privacy Rights Act (CPRA) and other U.S. state laws.

4. HOW TO CONTACT US

You can contact us at: 
Email: dataprotection@cosworth.com 
Telephone: +44 (0) 1954 253600
Postal address: The Octagon, St. James Mill Road, Northampton, Northamptonshire, NN5 5RA, UK

5. OUR DATA PROTECTION OFFICER

We have appointed GRCI Law as our Data Protection Officer (DPO). The DPO is responsible for overseeing questions in relation to this Notice. If you have any questions about this Notice, our privacy practices or how we handle your personal data, please contact our DPO at: 
Email: dpoaas@grcsolutions.io  
Telephone: +44 (0) 333 800 7000
Postal address: Unit 3 Clive Court, Bartholomew’s Walk, Cambridgeshire Business Park, Ely, Cambridgeshire CB7 4EA, UK

6. OUR EU REPRESENTATIVE 

We have appointed IT Governance Europe Limited to act as our EU Representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any queries in relation to your rights or general privacy matters, please email our EU Representative at eurep@itgovernance.eu.

Please ensure to include our company name in any correspondence you send to our EU Representative. Please note, if you are located in the United Kingdom our EU Representative does not apply.

7. WHAT IS MEANT BY "PERSONAL DATA" OR "PERSONAL INFORMATION"

Personal data (sometimes also referred to as "personal information") is information which identifies you as an individual. Examples of personal data include (but are not limited to) anything which may identify you, such as your name, address, payment information, internet protocol (IP) address, username or another identifier.

Some personal data is unique to you or may also be of a more sensitive nature and therefore requires greater protection. This type of personal data is referred to as sensitive or special category data and includes information regarding your health, genetic  or biometric information, religious or philosophical beliefs, race, or ethnicity to provide a few examples.

Further information about sensitive or special category data is given at section 11 of this Notice.

8. HOW WE COLLECT PERSONAL DATA ABOUT YOU

8.1 We may collect personal data from or about you: 

A. Directly: We may collect personal information about you when you: 
enter, provide or send us information, such as when you register for a Cosworth Toolbox product user account with us and / or log in to the customer area on our Website;

• enquire about engaging with or receiving services or information from us;
• request information about us and / or our products and services;
• register for updates or marketing information from us;
• request and / or purchase services from us;
• download products including software from our Website;
• participate in surveys or promotions run via the Website [or our social media pages];
• use our online customer support forums and / or contact forms;
• contact us (including via our online contact forms, via SMS or social applications (such as LinkedIn), by post or telephone), for example, to access customer
• support services or to make an enquiry or provide us with feedback.
• apply for a vacancy with us online, for example, via the current opportunities pages on our Website.

B. Indirectly: We collect information through your behaviour and interactions with us:

• when you interact with our Website, we may automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies;
• information we learn about you through our relationship and the way you interact with us

In some circumstances we may also receive information from: your employer where you access our service under a corporate subscription;

• other companies supplying services to us;
• data analytics to improve our Website, products/services, marketing, customer relationships and experiences
• publicly accessible social media networks such as Facebook, Instagram, LinkedIn, Google, and Twitter
• providers of technical, payment and delivery services
• publicly availably sources such as Companies House and LinkedIn

We will also collect information relating to your browsing activity while on our Website; we will usually collect such information indirectly using the technologies explained in the “COOKIES AND OTHER TRACKING TECHNOLOGIES” section of this Notice and in our Cookie Notice.

8.2 If you are providing personal information on behalf of someone else, you must have the consent of that person to provide their personal information to us to be collected, used, and disclosed in accordance with this Notice. It is your responsibility to ensure that you have the authority to share personal data about third parties with us.

9. CHILDREN

Our Website is not directed to children under the age of 18, and we do not knowingly collect or process personal data from children. If we become aware that we have inadvertently collected personal information from a child without appropriate parental or guardian consent, we will take steps to delete the information as soon as possible. If you believe we may have inadvertently collected data from a child, please contact us using the details given in the “HOW TO CONTACT US” section of this Notice. 

10. THE PERSONAL DATA WE COLLECT

We may collect, use, store and/or transfer different kinds of personal data about you depending on our relationship with you and the jurisdiction in which you are located.

The personal information we may collect may include:

Category	Data Types
Business Contact Data	Includes business contact details including business email address, postal address and telephone number, relevant occupation, job role, team and / or department.
Candidate Data	Includes information you have provided to us in your curriculum vitae, covering letter and/or application form, including name, title, address, telephone number(s), personal email address, date of birth, job title, job role, location, employment history, educational background and qualifications, areas of specialisms and registrations with professional bodies.
Clickstream Data	The virtual breadcrumb trail that a user leaves behind while browsing. We may record paths you have taken through our Website (e.g. sections or area clicked and the order in which it is done) and use this information to provide customised content.
Communications Data	Includes information such as records of your contact with us including enquiries about our products and services submitted via our Website, together with any other information you voluntarily provide when contacting us.
Contact Data	Includes email address, postal address and / or telephone number.
Identity Data	Includes name (including first name, last name, maiden name), date of birth, username or similar identifier, marital status, title, occupation and gender.
Images	Includes photographs on identification documents, such as passports and driving licences.
Location Data:	Including country, state, county, region and / or  local authority  location data as well as other geolocational data.
Log In Data	including your username and information relating to the time and frequency of log-in to our Website, products and services.
Marketing Data	Includes your preferences in receiving marketing from us, including in relation to our events, and your communication preferences.
Payment Data	Includes card payment details including cardholder name, Contact Details and / or Business Contact Details, billing address, credit/debit card long number, expiry date, and security code.
Professional Information	Includes information about areas of professional interest and specialism.
Publicly Available Data	Includes information freely available on the internet and social media platforms such as LinkedIn and other social media platforms.
References	Reference information (including, but not limited to, referee contact details) from previous and current employers and other relevant references.
Special Category Data	Including information relating to gender, ethnicity, health and disability status.
Technical Data	Includes IP address, network activity across our platforms including our Website, Login Data, browser type and version, time zone setting and location, browser plugin types and versions, searches site visit information, operating system and platform, and other technology on the devices you use to access our Website.
Transactional Data	Information about the products and service purchased from us.
Usage Data	Includes statistical information about how you use our Website and / or our online products and services, your searches on the Website and your online activity based on your engagement with our Website and interaction with us. May include information such as your product registration details, username or other identifiers and the nature of any problem you are experiencing with our Website, the Cosworth Toolbox and / or other products and / or service.

In certain cases, we may also collect other information, including information about third parties, and any other information, when you provide that to us.

11. SENSITIVE OR SPECIAL CATEGORY DATA

Sensitive or special category data is personal data that needs more protection because it is sensitive. In connection with our operations, including in relation to our recruitment activities, we may collect and process sensitive or special category personal data, as defined under applicable data protection laws, including (but not limited to) the UK GDPR, EU GDPR, and relevant local privacy laws where processing is necessary, for example to fulfil our legal obligations (e.g., compliance with employment or health and safety laws).

This data may include:

• Information about your race, ethnicity, or nationality, religious beliefs, and/or sexual orientation.
• Information about your health, including medical conditions, disabilities, and health or sickness records.
• Information about criminal convictions and offences where required by law, such as for certain roles where background checks are appropriate and legally permitted.

We will only process personal data of this nature where:

• It is necessary to fulfil our legal obligations (for example, in order to enable us to comply with our responsibilities under applicable employment laws); or
• You have provided your explicit consent (for example in relation to voluntary diversity monitoring).

We have implemented appropriate policies and safeguards, as required by law, to ensure the secure and lawful processing of sensitive or special category data. For more information on these safeguards, or to request further details about how we handle this type of data, please contact us using the details provided at the “HOW TO CONTACT US” section of this Notice.

12. HOW AND WHY WE PROCESS AND USE YOUR PERSONAL INFORMATION

We need your personal information to conduct our business activities and provide you with our Website, products and services. 

Most commonly we will use your personal information in the following circumstances:

• Where you have consented to our use of your personal information before the processing.
• Where we need to perform a contract we are about to enter or have entered with you, for example, to fulfil a transaction or provide our products and / or services to you.
• Where processing of your personal data is necessary for our legitimate interests (or those of a third party) and your interests and fundamental legal rights do not override those interests.
• Where we need to comply with a legal or regulatory obligation.

We will only collect, process and/or use the personal information where we are satisfied that we have an appropriate legal basis to do so. 

Where we ask you for your consent to enable us to process your personal information, you are not required to provide that consent. However, where such consent is not provided, we may may not be able to collect and process certain personal data about you which may limit or prevent our ability to interact with you. 

EEA and UK residents: For more information on how and why we use and process your personal information see the section called “ADDITIONAL INFORMATION FOR UK AND EEA RESIDENTS” below.

US Residents: For more information on how and why we use and process your personal information see the section called “SUPPLEMENTAL INFORMATION FOR U.S. RESIDENTS” below.

13. WITHDRAWING CONSENT

If we rely on your consent to process your personal information you have the right to withdraw that consent at any time. You can withdraw your consent by contacting us at dataprotection@cosworth.com. 

Please note that this will not affect the lawfulness of processing which has occurred before the point at which you withdraw your consent nor, when applicable law allows, will it affect the processing of your personal information on the basis of any other lawful ground other than consent.

For more information on Consent in US states see: “Consent Requirements Regarding Targeted Advertising, Sale of Personal Information, and Sensitive Data Processing” below in this Notice.

14. KEEPING YOUR PERSONAL INFORMATION SECURE

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We will review, monitor and update these security measures to meet our business needs, changes in technology and regulatory requirements.  We limit access to your personal information to those employees, agents, contractors and other third parties that have a business need to know it. They will only process your personal information in authorised manner and are subject to a duty of confidentiality.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we do not have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many information security risks that exist (including, but not limited to, when you contact us by email) and take appropriate steps to safeguard your own information. 

We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

15. HOW LONG DO WE HOLD PERSONAL DATA FOR

We will keep your personal information, in line with applicable laws and for no longer than is necessary to fulfil the purposes we collected it for as outlined in this Notice, or to comply with applicable legal, accounting, regulatory, contractual or reporting requirements. 

The time periods for which we will retain personal data are determined by reference to a number of factors including but not limited to the nature, type and sensitivity of the personal data in question, the nature of the activity to which the personal data involved relates, the product or service to which it relates and any applicable legal or regulatory requirements. 

Retention periods vary depending on such factors, as well as in respect of jurisdictional requirements. For example, personal data may be retained longer where required by laws in the United States (e.g., tax or employment laws) or the United Kingdom (e.g., data protection and employment regulations). Our retention periods may also be subject to change from time to time based on commercial, legal or regulatory requirements.

If you require further details on specific retention periods, please contact us at dataprotection@cosworth.com 

16. SHARING YOUR PERSONAL DATA  

In so far as reasonably necessary for us in carrying out and delivering our products and services to you and for the purposes set out in this Notice, we may share your personal data with the below parties that help us manage our business and deliver our products and services:

Other companies within the Cosworth group of companies;

• Business partners: including business partners and other organisations whose products incorporate Cosworth products and features (in some cases, you may be presented with an option to have your personal information shared with these organisations to receive additional information about certain products and services);
• Service providers: including providers of distribution services in relation to the distribution of our products, order processing and management services and those providing ancillary services to support our business operations, including those offering IT, system administration, and software services;
• Payment service providers: involved in the processing and completion of payment transactions;
• Marketing services partners: including parties engaged in managing our marketing activities and forwarding marketing materials to you.
• Analytics providers: such as Google Analytics, to assist us with insight analytics.
• Suppliers and administrative support: third parties, employees, agents, subcontractors, and professionals who provide products, services, and administrative or other business support to us.
• Other parties (with your permission): We may share data with other third parties explicitly authorised by you.

This list is non-exhaustive, and there may be other situations where we need to share your personal data with further third parties in order to effectively provide our products and services to you.

We only allow those parties / organisations to handle your personal data if we are satisfied, they take appropriate measures to protect it. We also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and, where applicable, to you.

We or the third parties mentioned above may occasionally also share personal data with:

• our and / or their external auditors, e.g., in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations;
• our and / or  their professional advisors, in which case the recipient of the information will be bound by confidentiality obligations, for example (but not limited to circumstances) where reasonably necessary for the establishment, exercise or defence of a legal claim;
• law enforcement agencies, courts, tribunals, and regulatory bodies to comply with our legal and regulatory obligations, for example where we are required to disclose information under a subpoena, court order or other mandatory reporting requirements;
• other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency. In such circumstances, information will usually be anonymised, but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations.

We will not share your personal data with any other third party without your consent.

The specific kind of information we share will depend on your activities with us and only to the extent as required or permitted by law, and/or with your consent.

Please note that this Notice does not apply to sharing of personal information by third party providers who may collect personal information from you and may share it with us. In these situations, we strongly advise you to review the applicable the relevant third party provider’s privacy notice before submitting your personal information to them.

17. TRANSFERRING YOUR PERSONAL DATA OVERSEAS

Cosworth operates globally, and certain aspects of our information processing and data storage may be centralised in countries outside your own. We may also need to provide your personal information to other entities within our group or contractors located outside of the United Kingdom (UK) and/or the European Economic Area (EEA) in the course of our relationship with you. This means that we may have to share and transfer your personal information from one country to another including the UK and the US. Your personal information may therefore be subject to privacy laws that are different from those in the country where the personal information is collected or those in your country of residence.

To safeguard your personal information, we ensure that all international transfers comply with applicable data protection laws, including the UK GDPR, EU GDPR, and relevant U.S. privacy regulations. We undertake thorough due diligence and risk assessments before any data transfer, ensuring your information has an appropriate level of protection. Where required, we implement legal safeguards such as Standard Contractual Clauses (SCCs) or other approved mechanisms to ensure your data is handled securely and lawfully.

You can find more details of the protection given to your information when it is transferred overseas by contacting us at dataprotection@cosworth.com

18. THIRD PARTY SERVICES, WEBSITE AND LINKS

Our Website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. Cosworth does not control these third-party websites, plug-ins or applications and are not responsible for their privacy statements, content or practices. Where we provide third party links on our Website, we do so only for your convenience. When you leave our Website, we encourage you to read the privacy notice of every website you visit.

You should also be aware that information about your use of our Website (including your IP address) may be retained by your ISP (Internet Service Provider), the hosting provider and any third party that has access to your internet traffic activities.

19. AUTOMATED DECISION MAKING

We do not use automated decision-making or profiling.

20. MARKETING AND OPTING OUT

Where you have agreed, we may contact you for marketing purposes concerning our products  or services and/or to send you updates and / or our newsletter. This may include information concerning promotions or offers which could benefit you. We will only contact you using the methods that you agree when you provide your information to us. We will only contact you by post, email, phone or SMS about our products, services or promotions if you have asked us to do so.

If you have changed your mind and would prefer us not to contact you, then you can opt out at any time by contacting at dataprotection@cosworth.com or by accessing the unsubscribe  link on the email sent to you and updating your preferences. We will process any such request promptly in accordance with applicable data protection laws, including the UK GDPR, the EU GDPR, and relevant U.S. privacy laws such as the CAN-SPAM Act and CCPA, where applicable.  Please note that opting out of marketing communications does not affect transactional or service-related communications necessary for the performance of a contract or other legitimate purposes.

We will not provide your information to third parties other than as set out in this Notice.

21. COOKIES AND OTHER TRACKING TECHNOLOGIES

Each time you interact with our Website, we may, depending on the consent provided and your jurisdiction, automatically collect personal information, including technical data about your device, your browsing actions and patterns, content and usage data. We collect this data using Cookies, server logs and other similar technologies like pixels, tags and other identifiers in order to remember your preferences, to understand how our Website is used. You can access additional information about our use of Cookie and other tracking technologies by accessing our Cookie Notice here.

22. DATA ACCURACY

We are committed to maintaining the accuracy and relevance of the personal data we hold and process. Accordingly, it is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Under applicable privacy laws, including the UK GDPR, the EU GDPR and the CPRA, you have the right to request that we correct or update inaccurate or incomplete personal data we hold about you. Accordingly, if you require to request that we update or correct the personal information we hold about you please contact us at dataprotection@cosworth.com.

23. PAYMENT PROCESSING

We may provide paid products and/or services via our Website. We use third-party services for payment processing (e.g. payment processors). We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their own privacy notice. 
 
These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort between brands such as Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

24. YOUR RIGHTS

In some regions and states such as the EEA, UK and states of the US you have rights that allow you greater control of and access to your personal information.

These rights may include the right:

• To request and obtain a copy of your personal information
• To request rectification and/or erasure 
• To restrict processing of your personal information
• Data portability (if applicable)

In certain circumstances you may also have the right to object to the processing of your personal data. You can make a request to exercise your rights by contacting us at dataprotection@cosworth.com.

We will consider and act upon any requests in accordance with applicable data protection laws. For more information about your rights in specific locations, please refer to sections 25, and 26 below.

25. SUPPLEMENTAL INFORMATION FOR U.S. RESIDENTS

This section applies to individuals residing in the United States, with specific provisions for residents of states with enacted privacy laws.

This Notice outlines how we process personal information, including our practices related to consent, and the rights granted to residents under various state laws, including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, New York, Nevada, Oregon, Rhode Island, Tennessee, Texas, Utah, Vermont, and Virginia

25.1 US Residents’ Rights

US residents in certain states have specific rights regarding their personal information. These rights vary depending on the state, as indicated below.

• Right to Know: The right to request information on the categories and specific pieces of personal information we have collected, used, disclosed, or shared, as well as the sources, purposes, and third parties involved.
(California, Colorado, Connecticut, Iowa, Utah, Virginia)
• Right to Access: The right to access copies of personal information held by us.
(California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, New York, Nevada, Oregon, Rhode Island, Tennessee, Texas, Utah, Vermont, Virginia)
• Right to Correct: The right to request corrections to inaccurate personal information.
(California, Colorado, Connecticut, Iowa, Utah, Virginia)
• Right to Delete: The right to request deletion of personal information, subject to legal limitations and exceptions.
(California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, New York, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia)
• Right to Opt-Out of Sale or Sharing: The right to opt-out of the sale or sharing of personal information for purposes such as targeted advertising or profiling.
(California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Vermont, Virginia)
• Right to Limit Use of Sensitive Personal Information: California residents have the additional right to limit the use and disclosure of their sensitive personal information to purposes specified under the CPRA.
(California)
• Universal Opt-Out Mechanism: The right to use a universal opt-out mechanism to signal privacy preferences across platforms (where applicable).
(California, Colorado, Connecticut, Iowa)

25.2  Consent Requirements Regarding Targeted Advertising, Sale of Personal Information, and Sensitive Data Processing

In accordance with various state privacy laws, we provide consumers with the right to opt out of the use of their personal information for targeted advertising or its sale to third parties. While these laws do not always require upfront consent, they ensure that consumers have control over how their data is used for these purposes. Additionally, certain states require explicit consent to process "sensitive" personal information, which may include data such as race, ethnicity, health information, biometric data, and, in some cases, precise geolocation. We are committed to respecting these rights, providing options to manage the use of your personal information, and ensuring that your sensitive data is only processed in compliance with applicable legal requirements.

25.3 Shine the Light Law and Similar Requirements

Under California’s Shine the Light law (California Civil Code Section § 1798.83), California residents are entitled to request and receive information regarding certain types of personal information that we share with third parties for their direct marketing purposes.

In addition to California, the following states have similar, though narrower, laws concerning data transparency or opt-out rights:

• Nevada: Nevadan law allows residents to opt-out of the sale of their personal information to third parties. While this law does not require detailed disclosures about data sharing for direct marketing, Nevada residents may request that we refrain from selling their personal data. For opt-out requests, please contact us at dataprotection@cosworth.com.
• Vermont: Vermont’s law requires data brokers to disclose certain data-sharing practices and allows residents to opt-out of the sale of personal information if their data is collected by a data broker. Vermont residents may contact us at dataprotection@cosworth.com for more details on our data-sharing practices.

To make a Shine the Light request or exercise similar rights under Nevada or Vermont law, please contact us at dataprotection@cosworth.com including “Shine the Light Request” or “Data Sharing Request” in your subject line.

Please specify the nature of your request (e.g., Shine the Light, Nevada Opt-Out, or Vermont Disclosure Request) and include sufficient details in your request to help us identify your records. We will process and respond to your request within the required timeframes.

Please note that we may require additional information to verify your identity before processing certain requests. Once verified, we will respond within the timeframe specified by the relevant state law.

26. FURTHER INFORMATION FOR EEA AND UK RESIDENTS

26.1 Applicable laws

We are subject to the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR) in relation to the services we offer to individuals and our wider operations in the UK and European Economic Area (EEA).

26.2 Details about our processing of your personal data 

The table below describes the ways we plan to use your personal data, and which lawful basis we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Purpose	Types of information requested	Lawful basis	Explanation of legitimate interest
To register new customers: Including setting up customer accounts for supply of our products (including, but not limited to, the Cosworth Toolbox) and to determine your requirements to tailor service provision as required	Business Contact Data; Contact Data; Communications Data; Identity Data; Payment Data	Performance of a contract	N/A
To provide our services: Including management of user accounts, fulfilment of transactions, and / or performance a contract with you or at your request	Business Contact Data; Contact Data; Identity Data; Transactional Data; Technical Data	Performance of a contract	N/A
To prospect potential new supplier relationships: Including to analyse and discuss the suitability of the offering before entering into a transactional relationship	Business Contact Data;	Performance of a contract	N/A
To manage, provide and improve our Website: Including Monitoring, troubleshooting, carrying out data analysis and network security and system testing	Clickstream Data  Location Data; Log In Data; Technical Data; Usage Data	Legitimate Interest (Website effectiveness and integrity)	Necessary to maintain the useability, security and integrity of our Website and networks as well as to inform areas of improvement to that.
Managing and monitoring our business and services: Including (but not limited to) the provision of administration and IT services, network security, fraud prevention and / or in the context of a business reorganisation or group restructuring exercise.	Business Contact Data; Clickstream Data; Contact Data; Identity Data; Technical Data	Legitimate Interest (service improvement)	Managing, protecting and administering our business to enable us to maintain,  monitor and improve the services we offer to our customers and users. Maintaining the integrity of our service provision.
Managing payments, fees and charges: Managing payments, fees and charges in relation to the services we provide.	Business Contact Data; Contact Data; Communications Data; Payment Data Transactional Information	Performance of a contract	N/A
Assessing the quality of our products, services and the delivery of same	Business Contact Data; Clickstream Data; Contact Data; Identity Data; Marketing Data; Transactional Data; Usage Data	Legitimate Interest (service delivery)	Ensuring the provision of high quality services. Necessary to inform the making of changes and improvements to our services and service delivery processes as appropriate.
Service updates and support: Contacting individuals regarding services, updates (including updates to purchased products, services and software), and client support	Business Contact Data; Contact Data: Communication Data; Location Data; Transactional Data	Legitimate Interest (communication and support)	Processing is necessary to maintain communication and provide assistance to users and clients in order to ensure efficient and responsive service, continuity of service fulfilment of customer  expectations.
Recruitment and job applications: Including registering job applicants and processing applications, scheduling interviews, and assessing candidate suitability for roles	Candidate Data: Communication Data; Contact Data; Identity Data; Images Location Data; References	Legitimate Interest (recruitment)	Processing is necessary to assess and manage job applications and recruit suitable candidates for organisational needs.
Recruitment and job applications: Including the collection and processing of sensitive data related to diversity, health, or background checks	Special Category Data (inclusive, as required by legal requirement, of health data, race and ethnicity information)	Compliance with a legal obligation	Processing is necessary to enable compliance  with applicable laws for certain roles or for voluntary diversity monitoring purposes.
Recruitment and job applications: Including the collection and processing sensitive data for voluntary diversity monitoring	Special Category Data (inclusive of data relating to gender, race and ethnicity)	Consent	Explicit consent is obtained for voluntary participation in diversity monitoring initiatives.
Product Enquiries: Receiving and managing product enquiries submitted via the Website.	Business Contact Details Communications Data Contact Details Professional Information	Consent	N/A
Cookies: Collection and analysis of information about website usage to improve user experience and functionality(non-essential cookies)	Technical Data; Usage Data	Consent Obtained where required by law for non-essential cookies via appropriate cookie opt-in mechanism.	N/A
Cookies: Collection and analysis of information about website usage to improve user experience and functionality	Technical Data; Usage Data	Legitimate interests (website analytics)	Processing is necessary to analyse website performance, improve user experience, and maintain functionality.
Data Analytics: Including to improve our Website, client relationships and experiences through research, statistical analysis and behavioural analysis.	Clickstream Data Communications Data; Location Data Technical Data Transactional Data Usage Data	Legitimate interest	Ensuring  the provision of  a high quality online offering and services.  Necessary to inform the making of changes and improvements to our services and service delivery processes as appropriate and to ensure the quality of customer experience.
Rights and claims	Business Contact Data; Clickstream Data Contact Data; Communications Data; Identity Data; Location Data; Transaction Data; Technical Data; Usage Data	Legitimate Interest (enforcement of legal rights)	Processing is necessary to allow us  to enforce or apply our website terms of use, our terms and conditions of business, or other contract, and to enable us to exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with.
Data Transfers: Transfers of personal data across jurisdictions to support global operations and services	Business Contact Data; Contact Data; Location Data; Transactional Data; Technical Data.	Legitimate interests (global operations)	Processing is necessary to facilitate our global operations and to enable us to comply with applicable international transfer mechanisms, including Standard Contractual Clauses or other approved safeguards.
Marketing: Provision of promotional information about services and updates (general marketing)	Business Contact Data; Contact Data; Identity Data; Marketing Data Professional Information	Consent	N/A
Marketing: Promotion of services and updates to existing customers or users	Business Contact Data; Contact Data; Identity Data; Marketing Data Professional Information	Legitimate Interest (marketing)	Necessary to promote services to existing customers or users who have a reasonable expectation of receiving such communications
Data Subject Rights: Processing and verifying identity of the requester	Business Contact Data; Candidate Data; Contact Data; Identity Data	Legal Obligation	N/A
Data Subject Rights: Including processing and responding to the exercise of a Data Subjects Rights Request	All data types are potentially in scope.	Legal Obligation	N/A
Record Keeping: Keeping appropriate internal records about our business and services.	Business Contact Data Contact Data Transactional Data Usage Data	Legal Obligation	N/A
Legal Requirements: Processing as necessary for compliance with legal obligations, such as, but not limited to, with security requirements and / or to comply with applicable law, for example in response to a request from a court or regulatory body, where such request is made in accordance with the law and / or to detect fraudulent or criminal activity. In such instances, we may share information with law enforcement organisations such as the police.	All data types are potentially in scope.	Legal Obligation	Legitimate Interest Necessary for the purposes of detecting unusual activity including (but not limited to) fraud.

 

26.3 Details about transfers of personal data overseas

The EEA, UK and other countries outside the EEA and the UK have differing data protection laws, some of which may provide lower levels of protection of privacy.
It is sometimes necessary for us to transfer your personal data to countries outside the UK and EEA. In those cases, we will comply with applicable UK and EEA laws designed to ensure the privacy of your personal data.

Under data protection laws, we can only transfer your personal data to a country outside the UK/EEA where:

• in the case of transfers subject to UK data protection law, the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy regulation’) further to Article 45 of the UK GDPR. A list of countries the UK currently has adequacy regulations in relation to is available here.  
• in the case of transfers subject to EEA data protection laws, the European Commission has decided that the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy decision’) further to Article 45 of the EU GDPR. A list of countries the European Commission has currently made adequacy decisions in relation to is available here.
• there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you; or
• a specific exception applies under relevant data protection law.

Where we transfer your personal data outside the UK, we do so on the basis of an adequacy regulation or (where this is not available) legally approved standard data protection clauses recognised or issued further to Article 46(2) of the UK GDPR. In the event we cannot, or choose not to, continue to rely on either of those mechanisms at any time, we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this Notice.

Where we transfer your personal data outside the EEA, we do so on the basis of an adequacy decision or (where this is not available) legally approved standard data protection clauses issued further to Article 46(2) of the EU GDPR. In the event we cannot, or choose not to ,continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the EEA unless we can do so based on an alternative mechanism or exception provided by applicable data protection law and reflected in an update to this Notice.

26.4 Your rights

Please see more details about your rights in the table below. In most circumstances, you do not need to pay any charge for exercising your rights. We have one month to respond to you. 

 

Your right	Details
Right to be informed	We have a legal obligation to provide you with concise, transparent, intelligible, and easily accessible information about your personal information and our use of it. We have written this Notice to do just that, but if you have any questions or require more specific information, please contact us.
Right of access	You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information. When you request this data, this is known as making a data subject access request (DSAR). In most cases, this will be free of charge; however, in some limited circumstances, for example repeated requests for further copies, we may apply an administration fee.
Right to rectification	You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Right to erasure	You have the right to ask us to erase your personal information in certain circumstances. We have the right to refuse to comply with a request for erasure if we are processing the relevant personal information for one of the following reasons: To exercise the right of freedom of expression and information. To comply with a legal obligation. To perform a task in the public interest or exercise official authority. For archiving purposes in the public interest, scientific research, historical research or statistical purposes. For the exercise or defence of legal claims.
Right to restriction of processing	You may ask us to stop processing your personal information. We will still hold the data but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies, you may exercise the right to restrict processing: The accuracy of the personal information is contested. Processing of the personal information is unlawful. We no longer need the personal information for processing, but the personal information is required for part of a legal process. The right to object has been exercised and processing is restricted pending a decision on the status of the processing.
Right to object to processing	You have the right to object to processing in certain circumstances. You can also object if the processing is for a task carried out in the public interest, the exercise of official authority vested in you, or your legitimate interests (or those of a third party).
Right to data portability	This right only applies if we are processing information based on your consent or for the performance of a contract and the processing is automated.

To exercise your rights or get more information about exercising them, please contact us at dpoaas@grcsolutions.io giving us enough information to identify you.  Where you wish to exercise any of your said rights, we ask that you:

• Provide enough information to enable us to identify you;
• Let us have proof of your identity and address; and 
• Let us know the information to which your request relates.

If you have any concerns about our handling of your personal information or believe your privacy rights have been infringed, you have the right to make a complaint. We are committed to resolving privacy-related complaints promptly and effectively.

We encourage you to contact us directly at dataprotection@cosworth.com so that we can address any issues promptly. However, if you are not satisfied with our response, you may also have the right to file a complaint directly with your local privacy regulator. We have provided some contact details for your reference below:

United Kingdom: You can file a complaint with the Information Commissioner’s Office (ICO) via www.ico.org.uk.

• European Economic Area (EEA): If you are located in the EEA, you can  reach out to your local data protection authority. A list of EEA data protection authorities can be found here.
• United States: You may also reach out to the consumer protection agency in your state or contact the Federal Trade Commission (FTC) for general privacy concerns via www.ftc.gov.
• California Consumer Privacy Act (CCPA): Complaints can be directed to the California Attorney General's Office or, under the new California Privacy Rights Act (CPRA), to the California Privacy Protection Agency (CPPA). Website: https://oag.ca.gov/privacy/ccpa
• Colorado, Connecticut, Virginia, and Other States: States with privacy laws (e.g., Colorado Privacy Act, Virginia Consumer Data Protection Act) direct complaints to their respective Attorneys General. Check the specific Attorney General’s website for complaint procedures. u can find the contact information for each Attorney General's office through the National Association of Attorneys General (NAAG) directory: Find my AG - National Association of Attorneys General

28. UPDATES TO THIS PRIVACY NOTICE 

We may modify or amend this Notice from time to time at our discretion to reflect changes in our practices, legal requirements, or for other operational reasons.

When we make material changes to this Notice, we will post the updated Notice on our Website and shall amend the revision date at the top of this page.  If required by applicable law, we will also notify you directly or request your consent before the changes take effect. The modified or amended Notice shall be effective as to the personal information governed by it as of the revision date.  

We encourage periodic review of this Notice to view any updates so that you may stay informed about how we protect your personal information.