1. INTRODUCTION
We take your privacy very seriously and want you to be familiar with how and why we collect, use and disclose your personal data.
This privacy notice (“Notice”) explains how we collect, use, disclose, and protect your personal information and has been drafted as to be applied to our operations and personal information processing activities globally.
Our personal data processing activities may be more limited in some jurisdictions due to restrictions imposed under local laws. For example, the laws of a particular country may limit the types of personal data we can collect or the manner in which we process that personal data. In those instances, we may adjust our internal policies and/or practices to adapt to the requirements of the relevant local law.
This Privacy Notice applies regardless of where you are located when accessing our Website. We process your personal data for specific, lawful purposes including the provision, maintenance, improvement, and security of our Website in accordance with the applicable legal basis under relevant privacy laws. We do not collect, use, or share your personal information beyond what is necessary for those purposes, unless we are legally required to do so or you have given your explicit consent where required.
We ask that you read this Notice carefully, along with any other privacy notice or fair processing notice we may provide to you on specific occasions when we are collecting or processing personal data about you. We want you to be fully aware of how and why we are using your personal data.
This Notice supplements other notices and privacy notices and is not intended to override them.
2. WHO WE ARE
We are the Cosworth group of companies, which consists of the following companies:
The registered address for each of the companies listed above is:
We also have entities operating in the US as follows:
The Cosworth group of companies (“Cosworth”, “we”, “us” and “our”) is a worldwide group of engineering companies specialising in the delivery of propulsion and intelligent solutions for the automotive, aerospace, motorsport and marine industries.
3. WHO IS THE CONTROLLER OF YOUR PERSONAL DATA?
The website www.cosworth.com (the “Website”) is operated by Cosworth Group Holdings Limited. This means that Cosworth Holding Company Limited acts as the controller for personal data collected through the Website and determines what data will be collected via the Website as well as how that information will be used and protected.
Cosworth Group Holdings Limited may use trusted third-party service providers to help host and manage the Website and related services, however, where this is the case, any such provider acts only as a data processor and is not permitted to use your personal information for their own purposes.
Cosworth comprises the entities listed in section 2 of this Notice. Depending on the nature of your relationship with us, your personal data may be shared with and separately controlled by the relevant company within the group. Each of our companies located in the UK is registered with the Information Commissioner’s Office (ICO) as a controller in its own right. If you are unsure which company within the group is responsible for your personal data, you can contact us using the details below, and we will direct your request to the appropriate controller.
We determine the purposes and means of processing your personal information in compliance with applicable data protection laws, including (but not limited to) the UK General Data Protection Regulation (UK GDPR), the General Data Protection Regulation (EU) 2016/679 (EU GDPR), the California Privacy Rights Act (CPRA) and other U.S. state laws.
4. HOW TO CONTACT US
You can contact us at:
Email: dataprotection@cosworth.com
Telephone: +44 (0) 1954 253600
Postal address: The Octagon, St. James Mill Road, Northampton, Northamptonshire, NN5 5RA, UK
5. OUR DATA PROTECTION OFFICER
We have appointed GRCI Law as our Data Protection Officer (DPO). The DPO is responsible for overseeing questions in relation to this Notice. If you have any questions about this Notice, our privacy practices or how we handle your personal data, please contact our DPO at:
Email: dpoaas@grcsolutions.io
Telephone: +44 (0) 333 800 7000
Postal address: Unit 3 Clive Court, Bartholomew’s Walk, Cambridgeshire Business Park, Ely, Cambridgeshire CB7 4EA, UK
6. OUR EU REPRESENTATIVE
We have appointed IT Governance Europe Limited to act as our EU Representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any queries in relation to your rights or general privacy matters, please email our EU Representative at eurep@itgovernance.eu.
Please ensure to include our company name in any correspondence you send to our EU Representative. Please note, if you are located in the United Kingdom our EU Representative does not apply.
7. WHAT IS MEANT BY "PERSONAL DATA" OR "PERSONAL INFORMATION"
Personal data (sometimes also referred to as "personal information") is information which identifies you as an individual. Examples of personal data include (but are not limited to) anything which may identify you, such as your name, address, payment information, internet protocol (IP) address, username or another identifier.
Some personal data is unique to you or may also be of a more sensitive nature and therefore requires greater protection. This type of personal data is referred to as sensitive or special category data and includes information regarding your health, genetic or biometric information, religious or philosophical beliefs, race, or ethnicity to provide a few examples.
Further information about sensitive or special category data is given at section 11 of this Notice.
8. HOW WE COLLECT PERSONAL DATA ABOUT YOU
8.1 We may collect personal data from or about you:
A. Directly: We may collect personal information about you when you:
enter, provide or send us information, such as when you register for a Cosworth Toolbox product user account with us and / or log in to the customer area on our Website;
B. Indirectly: We collect information through your behaviour and interactions with us:
In some circumstances we may also receive information from: your employer where you access our service under a corporate subscription;
We will also collect information relating to your browsing activity while on our Website; we will usually collect such information indirectly using the technologies explained in the “COOKIES AND OTHER TRACKING TECHNOLOGIES” section of this Notice and in our Cookie Notice.
8.2 If you are providing personal information on behalf of someone else, you must have the consent of that person to provide their personal information to us to be collected, used, and disclosed in accordance with this Notice. It is your responsibility to ensure that you have the authority to share personal data about third parties with us.
9. CHILDREN
Our Website is not directed to children under the age of 18, and we do not knowingly collect or process personal data from children. If we become aware that we have inadvertently collected personal information from a child without appropriate parental or guardian consent, we will take steps to delete the information as soon as possible. If you believe we may have inadvertently collected data from a child, please contact us using the details given in the “HOW TO CONTACT US” section of this Notice.
10. THE PERSONAL DATA WE COLLECT
We may collect, use, store and/or transfer different kinds of personal data about you depending on our relationship with you and the jurisdiction in which you are located.
The personal information we may collect may include:
Category | Data Types |
Business Contact Data | Includes business contact details including business email address, postal address and telephone number, relevant occupation, job role, team and / or department. |
Candidate Data | Includes information you have provided to us in your curriculum vitae, covering letter and/or application form, including name, title, address, telephone number(s), personal email address, date of birth, job title, job role, location, employment history, educational background and qualifications, areas of specialisms and registrations with professional bodies. |
Clickstream Data | The virtual breadcrumb trail that a user leaves behind while browsing. We may record paths you have taken through our Website (e.g. sections or area clicked and the order in which it is done) and use this information to provide customised content. |
Communications Data | Includes information such as records of your contact with us including enquiries about our products and services submitted via our Website, together with any other information you voluntarily provide when contacting us. |
Contact Data | Includes email address, postal address and / or telephone number. |
Identity Data | Includes name (including first name, last name, maiden name), date of birth, username or similar identifier, marital status, title, occupation and gender. |
Images | Includes photographs on identification documents, such as passports and driving licences. |
Location Data: | Including country, state, county, region and / or local authority location data as well as other geolocational data. |
Log In Data | including your username and information relating to the time and frequency of log-in to our Website, products and services. |
Marketing Data | Includes your preferences in receiving marketing from us, including in relation to our events, and your communication preferences. |
Payment Data | Includes card payment details including cardholder name, Contact Details and / or Business Contact Details, billing address, credit/debit card long number, expiry date, and security code. |
Professional Information | Includes information about areas of professional interest and specialism. |
Publicly Available Data | Includes information freely available on the internet and social media platforms such as LinkedIn and other social media platforms. |
References | Reference information (including, but not limited to, referee contact details) from previous and current employers and other relevant references. |
Special Category Data | Including information relating to gender, ethnicity, health and disability status. |
Technical Data | Includes IP address, network activity across our platforms including our Website, Login Data, browser type and version, time zone setting and location, browser plugin types and versions, searches site visit information, operating system and platform, and other technology on the devices you use to access our Website. |
Transactional Data | Information about the products and service purchased from us. |
Usage Data | Includes statistical information about how you use our Website and / or our online products and services, your searches on the Website and your online activity based on your engagement with our Website and interaction with us. May include information such as your product registration details, username or other identifiers and the nature of any problem you are experiencing with our Website, the Cosworth Toolbox and / or other products and / or service. |
In certain cases, we may also collect other information, including information about third parties, and any other information, when you provide that to us.
11. SENSITIVE OR SPECIAL CATEGORY DATA
Sensitive or special category data is personal data that needs more protection because it is sensitive. In connection with our operations, including in relation to our recruitment activities, we may collect and process sensitive or special category personal data, as defined under applicable data protection laws, including (but not limited to) the UK GDPR, EU GDPR, and relevant local privacy laws where processing is necessary, for example to fulfil our legal obligations (e.g., compliance with employment or health and safety laws).
This data may include:
We will only process personal data of this nature where:
We have implemented appropriate policies and safeguards, as required by law, to ensure the secure and lawful processing of sensitive or special category data. For more information on these safeguards, or to request further details about how we handle this type of data, please contact us using the details provided at the “HOW TO CONTACT US” section of this Notice.
12. HOW AND WHY WE PROCESS AND USE YOUR PERSONAL INFORMATION
We need your personal information to conduct our business activities and provide you with our Website, products and services.
Most commonly we will use your personal information in the following circumstances:
We will only collect, process and/or use the personal information where we are satisfied that we have an appropriate legal basis to do so.
Where we ask you for your consent to enable us to process your personal information, you are not required to provide that consent. However, where such consent is not provided, we may may not be able to collect and process certain personal data about you which may limit or prevent our ability to interact with you.
EEA and UK residents: For more information on how and why we use and process your personal information see the section called “ADDITIONAL INFORMATION FOR UK AND EEA RESIDENTS” below.
US Residents: For more information on how and why we use and process your personal information see the section called “SUPPLEMENTAL INFORMATION FOR U.S. RESIDENTS” below.
13. WITHDRAWING CONSENT
If we rely on your consent to process your personal information you have the right to withdraw that consent at any time. You can withdraw your consent by contacting us at dataprotection@cosworth.com.
Please note that this will not affect the lawfulness of processing which has occurred before the point at which you withdraw your consent nor, when applicable law allows, will it affect the processing of your personal information on the basis of any other lawful ground other than consent.
For more information on Consent in US states see: “Consent Requirements Regarding Targeted Advertising, Sale of Personal Information, and Sensitive Data Processing” below in this Notice.
14. KEEPING YOUR PERSONAL INFORMATION SECURE
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We will review, monitor and update these security measures to meet our business needs, changes in technology and regulatory requirements. We limit access to your personal information to those employees, agents, contractors and other third parties that have a business need to know it. They will only process your personal information in authorised manner and are subject to a duty of confidentiality.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we do not have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many information security risks that exist (including, but not limited to, when you contact us by email) and take appropriate steps to safeguard your own information.
We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
15. HOW LONG DO WE HOLD PERSONAL DATA FOR
We will keep your personal information, in line with applicable laws and for no longer than is necessary to fulfil the purposes we collected it for as outlined in this Notice, or to comply with applicable legal, accounting, regulatory, contractual or reporting requirements.
The time periods for which we will retain personal data are determined by reference to a number of factors including but not limited to the nature, type and sensitivity of the personal data in question, the nature of the activity to which the personal data involved relates, the product or service to which it relates and any applicable legal or regulatory requirements.
Retention periods vary depending on such factors, as well as in respect of jurisdictional requirements. For example, personal data may be retained longer where required by laws in the United States (e.g., tax or employment laws) or the United Kingdom (e.g., data protection and employment regulations). Our retention periods may also be subject to change from time to time based on commercial, legal or regulatory requirements.
If you require further details on specific retention periods, please contact us at dataprotection@cosworth.com
16. SHARING YOUR PERSONAL DATA
In so far as reasonably necessary for us in carrying out and delivering our products and services to you and for the purposes set out in this Notice, we may share your personal data with the below parties that help us manage our business and deliver our products and services:
Other companies within the Cosworth group of companies;
This list is non-exhaustive, and there may be other situations where we need to share your personal data with further third parties in order to effectively provide our products and services to you.
We only allow those parties / organisations to handle your personal data if we are satisfied, they take appropriate measures to protect it. We also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and, where applicable, to you.
We or the third parties mentioned above may occasionally also share personal data with:
We will not share your personal data with any other third party without your consent.
The specific kind of information we share will depend on your activities with us and only to the extent as required or permitted by law, and/or with your consent.
Please note that this Notice does not apply to sharing of personal information by third party providers who may collect personal information from you and may share it with us. In these situations, we strongly advise you to review the applicable the relevant third party provider’s privacy notice before submitting your personal information to them.
17. TRANSFERRING YOUR PERSONAL DATA OVERSEAS
Cosworth operates globally, and certain aspects of our information processing and data storage may be centralised in countries outside your own. We may also need to provide your personal information to other entities within our group or contractors located outside of the United Kingdom (UK) and/or the European Economic Area (EEA) in the course of our relationship with you. This means that we may have to share and transfer your personal information from one country to another including the UK and the US. Your personal information may therefore be subject to privacy laws that are different from those in the country where the personal information is collected or those in your country of residence.
To safeguard your personal information, we ensure that all international transfers comply with applicable data protection laws, including the UK GDPR, EU GDPR, and relevant U.S. privacy regulations. We undertake thorough due diligence and risk assessments before any data transfer, ensuring your information has an appropriate level of protection. Where required, we implement legal safeguards such as Standard Contractual Clauses (SCCs) or other approved mechanisms to ensure your data is handled securely and lawfully.
You can find more details of the protection given to your information when it is transferred overseas by contacting us at dataprotection@cosworth.com
18. THIRD PARTY SERVICES, WEBSITE AND LINKS
Our Website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. Cosworth does not control these third-party websites, plug-ins or applications and are not responsible for their privacy statements, content or practices. Where we provide third party links on our Website, we do so only for your convenience. When you leave our Website, we encourage you to read the privacy notice of every website you visit.
You should also be aware that information about your use of our Website (including your IP address) may be retained by your ISP (Internet Service Provider), the hosting provider and any third party that has access to your internet traffic activities.
19. AUTOMATED DECISION MAKING
We do not use automated decision-making or profiling.
20. MARKETING AND OPTING OUT
Where you have agreed, we may contact you for marketing purposes concerning our products or services and/or to send you updates and / or our newsletter. This may include information concerning promotions or offers which could benefit you. We will only contact you using the methods that you agree when you provide your information to us. We will only contact you by post, email, phone or SMS about our products, services or promotions if you have asked us to do so.
If you have changed your mind and would prefer us not to contact you, then you can opt out at any time by contacting at dataprotection@cosworth.com or by accessing the unsubscribe link on the email sent to you and updating your preferences. We will process any such request promptly in accordance with applicable data protection laws, including the UK GDPR, the EU GDPR, and relevant U.S. privacy laws such as the CAN-SPAM Act and CCPA, where applicable. Please note that opting out of marketing communications does not affect transactional or service-related communications necessary for the performance of a contract or other legitimate purposes.
We will not provide your information to third parties other than as set out in this Notice.
21. COOKIES AND OTHER TRACKING TECHNOLOGIES
Each time you interact with our Website, we may, depending on the consent provided and your jurisdiction, automatically collect personal information, including technical data about your device, your browsing actions and patterns, content and usage data. We collect this data using Cookies, server logs and other similar technologies like pixels, tags and other identifiers in order to remember your preferences, to understand how our Website is used. You can access additional information about our use of Cookie and other tracking technologies by accessing our Cookie Notice here.
22. DATA ACCURACY
We are committed to maintaining the accuracy and relevance of the personal data we hold and process. Accordingly, it is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Under applicable privacy laws, including the UK GDPR, the EU GDPR and the CPRA, you have the right to request that we correct or update inaccurate or incomplete personal data we hold about you. Accordingly, if you require to request that we update or correct the personal information we hold about you please contact us at dataprotection@cosworth.com.
23. PAYMENT PROCESSING
We may provide paid products and/or services via our Website. We use third-party services for payment processing (e.g. payment processors). We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their own privacy notice.
These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort between brands such as Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.
24. YOUR RIGHTS
In some regions and states such as the EEA, UK and states of the US you have rights that allow you greater control of and access to your personal information.
These rights may include the right:
In certain circumstances you may also have the right to object to the processing of your personal data. You can make a request to exercise your rights by contacting us at dataprotection@cosworth.com.
We will consider and act upon any requests in accordance with applicable data protection laws. For more information about your rights in specific locations, please refer to sections 25, and 26 below.
25. SUPPLEMENTAL INFORMATION FOR U.S. RESIDENTS
This section applies to individuals residing in the United States, with specific provisions for residents of states with enacted privacy laws.
This Notice outlines how we process personal information, including our practices related to consent, and the rights granted to residents under various state laws, including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, New York, Nevada, Oregon, Rhode Island, Tennessee, Texas, Utah, Vermont, and Virginia
25.1 US Residents’ Rights
US residents in certain states have specific rights regarding their personal information. These rights vary depending on the state, as indicated below.
25.2 Consent Requirements Regarding Targeted Advertising, Sale of Personal Information, and Sensitive Data Processing
In accordance with various state privacy laws, we provide consumers with the right to opt out of the use of their personal information for targeted advertising or its sale to third parties. While these laws do not always require upfront consent, they ensure that consumers have control over how their data is used for these purposes. Additionally, certain states require explicit consent to process "sensitive" personal information, which may include data such as race, ethnicity, health information, biometric data, and, in some cases, precise geolocation. We are committed to respecting these rights, providing options to manage the use of your personal information, and ensuring that your sensitive data is only processed in compliance with applicable legal requirements.
25.3 Shine the Light Law and Similar Requirements
Under California’s Shine the Light law (California Civil Code Section § 1798.83), California residents are entitled to request and receive information regarding certain types of personal information that we share with third parties for their direct marketing purposes.
In addition to California, the following states have similar, though narrower, laws concerning data transparency or opt-out rights:
To make a Shine the Light request or exercise similar rights under Nevada or Vermont law, please contact us at dataprotection@cosworth.com including “Shine the Light Request” or “Data Sharing Request” in your subject line.
Please specify the nature of your request (e.g., Shine the Light, Nevada Opt-Out, or Vermont Disclosure Request) and include sufficient details in your request to help us identify your records. We will process and respond to your request within the required timeframes.
Please note that we may require additional information to verify your identity before processing certain requests. Once verified, we will respond within the timeframe specified by the relevant state law.
26. FURTHER INFORMATION FOR EEA AND UK RESIDENTS
26.1 Applicable laws
We are subject to the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR) in relation to the services we offer to individuals and our wider operations in the UK and European Economic Area (EEA).
26.2 Details about our processing of your personal data
The table below describes the ways we plan to use your personal data, and which lawful basis we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Purpose |
Types of information requested | Lawful basis | Explanation of legitimate interest |
To register new customers: Including setting up customer accounts for supply of our products (including, but not limited to, the Cosworth Toolbox) and to determine your requirements to tailor service provision as required |
|
Performance of a contract | N/A |
To provide our services: Including management of user accounts, fulfilment of transactions, and / or performance a contract with you or at your request |
|
Performance of a contract | N/A |
To prospect potential new supplier relationships: Including to analyse and discuss the suitability of the offering before entering into a transactional relationship |
|
Performance of a contract | N/A |
To manage, provide and improve our Website: Including Monitoring, troubleshooting, carrying out data analysis and network security and system testing |
|
Legitimate Interest (Website effectiveness and integrity) |
Necessary to maintain the useability, security and integrity of our Website and networks as well as to inform areas of improvement to that. |
Managing and monitoring our business and services: Including (but not limited to) the provision of administration and IT services, network security, fraud prevention and / or in the context of a business reorganisation or group restructuring exercise. |
|
Legitimate Interest (service improvement) |
Managing, protecting and administering our business to enable us to maintain, monitor and improve the services we offer to our customers and users. Maintaining the integrity of our service provision. |
Managing payments, fees and charges: Managing payments, fees and charges in relation to the services we provide. |
|
Performance of a contract | N/A |
Assessing the quality of our products, services and the delivery of same |
|
Legitimate Interest (service delivery) |
Ensuring the provision of high quality services. Necessary to inform the making of changes and improvements to our services and service delivery processes as appropriate. |
Service updates and support: Contacting individuals regarding services, updates (including updates to purchased products, services and software), and client support |
|
Legitimate Interest (communication and support) |
Processing is necessary to maintain communication and provide assistance to users and clients in order to ensure efficient and responsive service, continuity of service fulfilment of customer expectations. |
Recruitment and job applications: Including registering job applicants and processing applications, scheduling interviews, and assessing candidate suitability for roles |
|
Legitimate Interest (recruitment) |
Processing is necessary to assess and manage job applications and recruit suitable candidates for organisational needs. |
Recruitment and job applications: Including the collection and processing of sensitive data related to diversity, health, or background checks |
|
Compliance with a legal obligation |
Processing is necessary to enable compliance with applicable laws for certain roles or for voluntary diversity monitoring purposes. |
Recruitment and job applications: Including the collection and processing sensitive data for voluntary diversity monitoring |
|
Consent |
Explicit consent is obtained for voluntary participation in diversity monitoring initiatives.
|
Product Enquiries: Receiving and managing product enquiries submitted via the Website. |
|
Consent |
N/A |
Cookies: Collection and analysis of information about website usage to improve user experience and functionality(non-essential cookies) |
|
Consent Obtained where required by law for non-essential cookies via appropriate cookie opt-in mechanism. |
N/A |
Cookies: Collection and analysis of information about website usage to improve user experience and functionality |
|
Legitimate interests (website analytics)
|
Processing is necessary to analyse website performance, improve user experience, and maintain functionality.
|
Data Analytics: Including to improve our Website, client relationships and experiences through research, statistical analysis and behavioural analysis. |
|
Legitimate interest |
Ensuring the provision of a high quality online offering and services. Necessary to inform the making of changes and improvements to our services and service delivery processes as appropriate and to ensure the quality of customer experience. |
Rights and claims |
|
Legitimate Interest (enforcement of legal rights) |
Processing is necessary to allow us to enforce or apply our website terms of use, our terms and conditions of business, or other contract, and to enable us to exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with. |
Data Transfers: Transfers of personal data across jurisdictions to support global operations and services |
|
Legitimate interests (global operations) |
Processing is necessary to facilitate our global operations and to enable us to comply with applicable international transfer mechanisms, including Standard Contractual Clauses or other approved safeguards. |
Marketing: Provision of promotional information about services and updates (general marketing) |
|
Consent |
N/A |
Marketing: Promotion of services and updates to existing customers or users |
|
Legitimate Interest (marketing) |
Necessary to promote services to existing customers or users who have a reasonable expectation of receiving such communications |
Data Subject Rights: Processing and verifying identity of the requester |
|
Legal Obligation |
N/A |
Data Subject Rights: Including processing and responding to the exercise of a Data Subjects Rights Request |
All data types are potentially in scope. |
Legal Obligation |
N/A |
Record Keeping: Keeping appropriate internal records about our business and services. |
|
Legal Obligation |
N/A |
Legal Requirements: Processing as necessary for compliance with legal obligations, such as, but not limited to, with security requirements and / or to comply with applicable law, for example in response to a request from a court or regulatory body, where such request is made in accordance with the law and / or to detect fraudulent or criminal activity. In such instances, we may share information with law enforcement organisations such as the police. |
All data types are potentially in scope. |
Legal Obligation |
Legitimate Interest Necessary for the purposes of detecting unusual activity including (but not limited to) fraud. |
26.3 Details about transfers of personal data overseas
The EEA, UK and other countries outside the EEA and the UK have differing data protection laws, some of which may provide lower levels of protection of privacy.
It is sometimes necessary for us to transfer your personal data to countries outside the UK and EEA. In those cases, we will comply with applicable UK and EEA laws designed to ensure the privacy of your personal data.
Under data protection laws, we can only transfer your personal data to a country outside the UK/EEA where:
Where we transfer your personal data outside the UK, we do so on the basis of an adequacy regulation or (where this is not available) legally approved standard data protection clauses recognised or issued further to Article 46(2) of the UK GDPR. In the event we cannot, or choose not to, continue to rely on either of those mechanisms at any time, we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this Notice.
Where we transfer your personal data outside the EEA, we do so on the basis of an adequacy decision or (where this is not available) legally approved standard data protection clauses issued further to Article 46(2) of the EU GDPR. In the event we cannot, or choose not to ,continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the EEA unless we can do so based on an alternative mechanism or exception provided by applicable data protection law and reflected in an update to this Notice.
26.4 Your rights
Please see more details about your rights in the table below. In most circumstances, you do not need to pay any charge for exercising your rights. We have one month to respond to you.
Your right | Details |
Right to be informed | We have a legal obligation to provide you with concise, transparent, intelligible, and easily accessible information about your personal information and our use of it. We have written this Notice to do just that, but if you have any questions or require more specific information, please contact us. |
Right of access | You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information. When you request this data, this is known as making a data subject access request (DSAR). In most cases, this will be free of charge; however, in some limited circumstances, for example repeated requests for further copies, we may apply an administration fee. |
Right to rectification | You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. |
Right to erasure |
You have the right to ask us to erase your personal information in certain circumstances. We have the right to refuse to comply with a request for erasure if we are processing the relevant personal information for one of the following reasons:
|
Right to restriction of processing |
You may ask us to stop processing your personal information. We will still hold the data but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies, you may exercise the right to restrict processing:
|
Right to object to processing |
You have the right to object to processing in certain circumstances. You can also object if the processing is for a task carried out in the public interest, the exercise of official authority vested in you, or your legitimate interests (or those of a third party). |
Right to data portability |
This right only applies if we are processing information based on your consent or for the performance of a contract and the processing is automated. |
To exercise your rights or get more information about exercising them, please contact us at dpoaas@grcsolutions.io giving us enough information to identify you. Where you wish to exercise any of your said rights, we ask that you:
If you have any concerns about our handling of your personal information or believe your privacy rights have been infringed, you have the right to make a complaint. We are committed to resolving privacy-related complaints promptly and effectively.
We encourage you to contact us directly at dataprotection@cosworth.com so that we can address any issues promptly. However, if you are not satisfied with our response, you may also have the right to file a complaint directly with your local privacy regulator. We have provided some contact details for your reference below:
United Kingdom: You can file a complaint with the Information Commissioner’s Office (ICO) via www.ico.org.uk.
28. UPDATES TO THIS PRIVACY NOTICE
We may modify or amend this Notice from time to time at our discretion to reflect changes in our practices, legal requirements, or for other operational reasons.
When we make material changes to this Notice, we will post the updated Notice on our Website and shall amend the revision date at the top of this page. If required by applicable law, we will also notify you directly or request your consent before the changes take effect. The modified or amended Notice shall be effective as to the personal information governed by it as of the revision date.
We encourage periodic review of this Notice to view any updates so that you may stay informed about how we protect your personal information.