[MCFA] Platform Privacy Policy

EEA Appendix

This Appendix applies if you are based in the European Economic Area (the EEA) during your interactions with us (other than where you are in the EEA solely for travel purposes).

1

Why we collect your data, and who we disclose it to

1.1

The legal basis or “grounds” for our use of your personal data are set out below, as required under European data protection law (EU DP Law) or the laws of the EU member state in which you are based. In the table below, we have linked each purpose mentioned in section [4] of our Privacy Policy to the relevant legal ground/s. For more details on each of the legal grounds, please see the table below.

EU use bases table

Purposes of the data processing Use bases
(The specified ground may vary depending on the specific processing activity and particular personal data being processed)
To provide our products and services to you (4.1(a))
  • contract performance
  • legitimate interests (to allow us to perform our obligations and provide services to you)
To provide customer support (4.1(b))
  • contract performance
  • legal obligation
  • legitimate interests (to allow us to correspond with you in connection with our services)
For marketing purposes (4.1(c))
  • consent (which can be withdrawn at any time)
  • legitimate interest (to keep you updated with news in relation to our products and services)
To improve our products and services (4.1(d))
  • legitimate interests (to allow us to maintain and improve the quality of our services and products)
To comply with our legal obligations (4.1(e))
  • legal obligation
  • legal claims
  • legitimate interests (to cooperate with law enforcement and regulatory authorities)
For legal and administrative purposes (4.1(f))
  • contract performance
  • legal obligation
  • legal claims
  • legitimate interests (to allow us to guard against fraud and other unlawful activity)
To reorganise or make changes to our business (4.1(g))
  • legitimate interests (in order to allow us to change our business)

 


2

Legal grounds for use of Personal Data

2.1

The legal grounds for our use of personal data are as follows:

(a)

Consent: where you have consented to our use of your personal data. You may withdraw your consent to the use of your personal data through the My Privacy tab on the Platform or by contacting us as set out in paragraph [7] of the Privacy Policy.

(b)

Contract performance: where we are required to collect and handle your personal data in order to provide you with the services that we have contractually agreed to provide to you

(c)

Legal obligation: where we need to use your personal data to comply with our legal obligations.

(d)

Legitimate interests: where we have a legitimate interest in using your information. [We will only rely on this legal ground if we consider that our interest in using your personal data for the relevant purpose is not outweighed by any interests that you may have, or any prejudice that you may suffer, from the relevant use of your personal data.

 

3

Profiling

3.1

In connection with our marketing activities, we analyse some of the information that we collect about our dealers and customers to determine what offers are most likely to be of interest to different categories of dealers and customers in different circumstances and at different times. We call this the creation of “segments”. To do this, we combine personal data that we have collected from our dealers and customers directly together with personal data that we have collected from our affiliates and other partners about our customers’ purchase history and interactions with us. From time to time, we will assess the personal data that we hold about you in order to assign you to a particular segment. We will use the segment that you have been assigned to in order to tailor our marketing communications to include offers and content that are relevant to you.

3.2

You have the right to opt out of our direct marketing, and the underlying analysis of your personal data that we use to tailor the direct marketing that we send to you, at any time. You can exercise this right through the Update Contact Information tab on the Platform, by contacting us in accordance with section [7] of the Privacy Policy.

 

4

Our decision-making processes

4.1

In connection with our business, we will use your personal data to make various decisions about you and your eligibility to access our services, to prevent abusive use of our services, to ensure security of our systems, or to detect fraud. Some of these decisions may be taken on an automated basis including, by matching your personal data against information in certain risk models that we have created based on the behaviour of other individuals and using your personal data to further enhance such models.

 

5

Export outside the EEA

5.1

Your personal data may be accessed by staff or suppliers, transferred, and/or stored outside the EEA, including to countries which may have a lower level of data protection than under EU DP law.

5.2

We must comply with specific rules when we transfer personal data from inside the EEA to outside the EEA. When we do this, we will use appropriate safeguards to protect any personal data being transferred.

5.3

We will transfer your personal data subject to European Commission approved contractual terms that impose different data protection obligations directly on the recipient, or as otherwise permitted under EU DP Law.

5.4

Please contact us as set out in paragraph 7 of the Privacy Policy if you would like to see a copy of the specific safeguards we apply to the export of your personal data.

 

6

Retention period

 

Our retention periods for personal data are based on business needs and legal requirements. We will retain your personal data for as long as is necessary for the processing purpose(s) for which it was collected and any other permitted linked purpose. For example, we may retain: (i) certain transaction details and correspondence until the time limit for claims arising from the transaction with us has expired (which is typically 6 years after the relevant transaction occurred, and in some cases much less than this); or (ii) certain data to comply with regulatory requirements regarding the retention of such data. Where personal data is no longer needed, we either irreversibly anonymise the data (in which case we may further retain and use the anonymised data) or securely destroy the data.

 

7

Your rights

7.1

In addition to paragraph 7 of the Privacy Policy, in certain circumstances, you may have the rights under EU DP Law to ask us to:

(a)

provide you with further details on the use we make of your personal data;

(b)

provide you with a copy of personal data that you have provided to us;

(c)

update any inaccuracies in the personal data we hold;

(d)

delete any personal data that we no longer have a lawful ground to use;

(e)

where processing is based on consent, to withdraw your consent so that we stop that particular processing;

(f)

to ask us to transmit the personal data you have provided to us and we still hold about you to a third party electronically;

(g)

object to any processing based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights; and

(h)

restrict how we use your personal data while a complaint is being investigated.

7.2

You may exercise these rights by contacting us at the contact details in section 7 of the Privacy Policy or the My Privacy tab on the Platform. Please note that we will not charge a fee when we deal with your requests in the exercise of these rights.

7.3

These rights are subject to certain exemptions to safeguard the public interest (e.g., the prevention or detection of crime) and our interests (e.g., the maintenance of legal privilege). We will aim to respond to requests within 30 days.

7.4

If we are unable to resolve an inquiry or a complaint, you have the right to contact the data protection regulator in the country in which you are based.