top of page

Policies

CCTV Policy

​

1. Lawful Purpose

CCTV is in use at the site of Clifford Car Sales to enhance security by protecting our premises, vehicles, and assets from theft or damage. In instances of theft, vandalism or other illegal behaviour, the footage from the CCTV can be used to assist with the investigation. The CCTV will not be used for any purpose other than those described in this policy and will not be shared with third parties unless there is a necessity and a lawful basis to do so.

​

2. Proportionality

CCTV is considered necessary due to:

  • The size of the site,

  • The value of the stock held at the site, and

  • The easy access to the site from Havre des Pas.

Alternative means of monitoring the site were considered; however, these were deemed inadequate as they did not provide sufficient coverage of the site, nor did they allow for monitoring of the site after business hours.

 

3. Access

Access to CCTV recordings is restricted to only those staff who require it. The footage is stored on a secure network, access to which is password-protected in accordance with the Password Policy.

The CCTV system and saved videos are checked monthly to ensure that the cameras are working and that the data remains protected from unauthorised access.

​

4. Locations

There are three CCTV cameras in operation at the site of Clifford Care Sales. These are strategically placed in areas where there is a need for surveillance:

  • Garage forecourt and parking bays: To monitor vehicle maintenance and repairs.

  • Reception and customer areas: To ensure customer safety and service quality.

  • Storage and parts rooms: To prevent theft and ensure inventory control.

Cameras are not installed in areas where individuals have a reasonable expectation of privacy, such as toilets and changing rooms.

​

5. Retention

Footage is retained for a maximum of 30 days, after which it is securely deleted unless required for ongoing investigations. Deletion is automatically carried out by the system.

Checks are conducted monthly to ensure that the footage has been deleted in accordance with this retention policy.

​

6. Notification

There is clear signage in multiple locations at the Clifford Car Sales site, which explains that CCTV is in use. 

Supporting documentation is maintained and available should it be requested:

  • Privacy Policy

  • Data Protection Policy

  • Data Retention Policy

  • CCTV Policy

​

7. Employee and Visitor Rights

Employees and visitors have the right to request access to CCTV footage that features them via a Data Subject Access Request. Requests should be submitted in writing and will be processed in accordance with the Data Subject Access Request Policy.  

Individuals can raise concerns about the use of CCTV at the Clifford Car Sales site with the directors of Clifford Car Sales, or the JOIC. 

​

​

Data Breach Policy

​

A personal data breach (loss, theft, unauthorised access, etc.) must be contained, assessed, and reported promptly.  In line with DPJL, if a breach risks individuals’ rights or freedoms, we will notify JOIC without undue delay and within 72 hours of discovery. Staff must:

  • Immediately report any confirmed or suspected data breach to a Director. 

  • Contain the incident (e.g. secure accounts, recover devices) and assess which data were affected.

  • Document every breach in the internal breach log, whether or not it is reportable, including cause and mitigation steps.

  • Notify the JOIC via the official breach report form on the JOIC website within 72 hours if personal data was exposed or lost and there is a risk to the individual(s). A breach report must describe the breach, affected data, and measures taken.

  • If the breach poses a high risk (e.g. financial harm or identity theft), we will promptly inform affected customers so they can protect themselves. If the risk is low, notification to individuals is not mandatory; a Director must decide whether to notify in these instances, recording their decision and justification on the internal breach log.

  • In the instance of a data breach, a review will be conducted to identify the root cause or causes of the breach and where possible, remedial measures will be applied to improve security to prevent recurrence. The results of the review and any remedial measures must be recorded on the internal breach log.

 

Data Storage Policy (Digital)

​

Electronic data which contains the personal information of staff, customers and suppliers is stored securely:

  • We use reputable third-party software (cloud services) that comply with Jersey law. A written contract or agreement ensures the provider processes our data only per our instructions and maintains strong security. We check that the vendor meets JOIC requirements (for example, is based in an “adequate” jurisdiction or uses EU-standard clauses).

  • All systems and databases require MFA for access, and user permissions follow the least-privilege principle. Only the owner/employee has administrative access. Accounts are disabled immediately when no longer needed.

  • Sensitive data (e.g. credit information or personal identifiers) is encrypted at rest and in transit whenever possible.

  • Regular backups are made and tested.  Backup copies are stored securely (with access control and encryption) to allow recovery after hardware failure or attack.

  • Any personal data held by external service providers is treated as if it were ours: we only transfer it with appropriate safeguards.  We will not send personal data to a third country unless a legal transfer mechanism is in place, as required by DPJL.

​

Data Storage Policy (Physical)

​

Paper records (such as printed sales agreements or customer forms) are protected as follows:

  • All confidential files are kept in locked cabinets or a secure office at all times.  Cabinets should be fire-resistant if possible. Keys or access cards are controlled; only the authorised employee holds them.

  • Access to physical records is strictly limited.  For example, filing cabinet keys are held by specific individuals only, under the “least privilege” principle.

  • When records are in use (e.g. during a sale), they must be supervised.  Do not leave sensitive papers unattended on desks or in public view.

  • We consider disposal early: documents no longer needed are shredded or burned rather than simply thrown away, to prevent data leaks.  Storage areas (office or cabinet) are locked when not in use.

​

Data Retention Policy

​

We keep personal data only as long as required for its purpose, and also meet any legal retention obligations:

  • The DPJL principle is “no longer than necessary”. For each category of data (e.g. customer files, CCTV footage, accounting records), we define a retention period.  For example, customer contact records and sales history may be kept for as long as a customer relationship lasts, plus any warranty period, then deleted or anonymised.

  • Jersey law requires longer retention of business records. For instance, as a Jersey company, we retain accounting records for 10 years.  Similarly, documentation related to payments, taxes, or legal obligations is kept for the full minimum period imposed by law or contracts.

  • In all cases, we review data periodically. When the retention period expires or data is no longer needed (e.g. old customer leads, obsolete financial records), we securely destroy it.  Paper records are shredded or incinerated; digital files are permanently erased (not just “deleted”).

  • These retention rules cover all personal data regardless of format (electronic or paper). We document our retention schedule and review it at least annually to ensure compliance with both DPJL and any other local requirements (e.g. tax laws).

​

Privacy Policy

​

1. Introduction

Clifford Car Sales (“we”, “us”, “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and disclose your personal data, and your rights in relation to that data, under the DPJL

​

2. Who we are

  • Name: Clifford Car Sales

  • Registered address: 14 Havre des Pas, St Helier, Jersey JE2 4PU

  • Contact email: info@cliffordcarsales.je

  • Telephone: 07797 786271

  • Data Controller: Clifford Car Sales is the Data Controller under DPJL. We determine the purposes for which and the means by which personal data are processed.

​

3. What personal data do we collect

We may collect and process the following data about you, depending on the services we provide:

  • Identity information: name, date of birth, driving licence details, proof of identity

  • Contact information: address, telephone number(s), email address

  • Vehicle and transaction data: vehicle preferences, finance information, vehicle history details, credit checks (if applicable)

  • Payment data: bank or credit card details, financial account information

  • Communications data: correspondence, enquiries, feedback, complaints

  • Marketing and profiling data: if you opt in, preferences, history of communications

​

4. How we collect personal data

We obtain your personal data:

  • Directly from you (e.g., when you make enquiries, purchase or lease a vehicle, request services, or subscribe to our mailing list)

  • From third parties (where you have provided your details to them and permitted sharing,

e.g., finance providers, credit reference agencies)

  • Through other lawful sources (e.g., from publicly available records, or from your authorised agent)

​

5. Legal basis for processing

Under DPJL, we will only process your personal data where there is a lawful basis, which may include:

  • For the performance of a contract to which you are a party (e.g., vehicle purchase or financing)

  • To comply with legal obligations (e.g., anti‑money laundering, tax laws, record‑keeping)

  • Where necessary for our legitimate interests (provided not overridden by your rights), for example, for marketing, business planning, and preventing fraud

  • With your consent, where required (e.g., for direct marketing)

 

6. Use of your personal data

We use your personal data for purposes including, but not limited to:

  • Processing vehicle sales, finance or lease agreements

  • Arranging delivery, servicing or maintenance

  • Verifying identity and conducting necessary checks (e.g., credit, background checks)

  • Managing and responding to enquiries, complaints

  • Keeping records as required by law

  • Marketing our products and services, if you opt in

  • Improving our services and customer experience

  • Fraud prevention, ensuring the security of our systems

​

7. Data sharing/disclosure

Your personal data may be shared with:

  • Our employees, agents, contractors, and service providers (for example, for vehicle servicing, finance, insurance, and delivery)

  • Third parties required by law (e.g., regulatory or law enforcement authorities)

  • Third parties to whom we outsource certain functions (e.g., credit referencing agencies, background checks), under appropriate contracts to protect your data

  • Other organisations, if necessary, in the event of sale or transfer of business

We will never share your personal data for marketing purposes with other companies without your explicit consent.

​

8. International transfers

If we transfer your personal data outside Jersey, we will ensure that the transfer is lawful under DPJL. We will ensure that appropriate safeguards are in place (e.g., contractual clauses, ensuring the recipient provides adequate protection).

​

9. Data security

We will take all reasonable technical and organisational measures to protect your personal data from unauthorised or unlawful processing and against accidental loss, destruction or damage, in accordance with the principles of the law.

​

10. Data retention

We will keep your personal data only for as long as is necessary for the purposes for which it was collected, including to comply with legal, accounting or reporting requirements. After that, it will be securely deleted or anonymised. Specific retention periods include:

  • Sales and transaction records: [e.g., 6 years]

  • Warranty, servicing data: [e.g., length of warranty + 1 year]

  • Marketing consents/preferences: until withdrawn

​

11. Your rights

Under DPJL, you have rights in relation to your personal data, including:

  • The right to be informed about what data we hold, and how it is used

  • The right of access (“subject access request”) to your personal data

  • The right to rectification of inaccurate or incomplete data

  • The right to erasure (“right to be forgotten”) in certain circumstances

  • The right to restrict processing in certain circumstances

  • The right to object to processing (including for direct marketing)

  • The right to data portability, in certain situations

If you want to exercise any of these rights, please contact us using the contact details above. We may ask for proof of identity. We will respond to your request in accordance with the timeframes required by law.

​

12. Consent and opt‑in / opt‑out

Where we rely on consent (for example, for marketing communications), you will be asked to give consent in a clear, affirmative manner. You may withdraw your consent at any time by contacting us. Withdrawal of consent will not affect the lawfulness of any processing carried out before you withdrew consent.

​

13. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to improve your browsing experience, analyse site traffic, and support our marketing activities.

Cookies are small text files placed on your device when you visit a website. They help us remember your preferences and understand how you use our website.

Cookies collect information such as your IP address, browser type, device information, pages visited, and time spent on the site. This data is typically anonymised or aggregated.

 

You can manage or disable cookies by adjusting your browser settings. However, please note that disabling certain cookies may affect the functionality of our website. Additionally, when you visit our website, you may see a cookie consent banner allowing you to accept or decline non-essential cookies.

• Types of cookies we use:

  • Essential cookies: Necessary for the website to function properly (e.g., login, shopping cart).

  • Analytics cookies: Help us understand how visitors interact with our website (e.g., Google Analytics).

  • Marketing cookies: Used to deliver relevant adverts to you based on your interests.

​

14. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “last updated” date at the top and, where appropriate, notify you of the changes (for example, via our website or by email if you are a customer).

​

15. How to make a complaint

If you believe that Clifford Car Sales has not complied with this Privacy Policy, or with the DPJL, you have the right to lodge a complaint with the JOIC:

  • Address: 2nd Floor, 5 Castle Street, St. Helier, Jersey, JE2 3BT

  • Email: enquiries@jerseyoic.org

  • Telephone: +44 (0)1534 716530

​

16. Registration with JOIC

As required by the Data Protection Authority (Jersey) Law 2018, Clifford Car Sales is registered as a Controller with the JOIC. Registration Number: 100915.

 

Data Subject Access Request Policy

​

1. Purpose

This policy explains how individuals may request access to personal data held by Clifford Car Sales, and ensures compliance with the Data Protection (Jersey) Law 2018 and guidance issued by the Jersey Office of the Information Commissioner (JOIC).

​

2. Scope

This policy applies to all personal data held or processed by Clifford Car Sales, whether stored electronically or in paper form. It covers requests by data subjects (or persons authorised to act on their behalf) to access their personal data.

​

3. Legal Rights / Basis

Under the Data Protection (Jersey) Law 2018, data subjects have the right to:

  • Be informed whether Clifford Car Sales processes their personal data;

  • Access their personal data and receive information such as the purpose of processing, categories of data, recipients or categories of recipients, retention periods, sources (if not collected directly), and whether automated decision‑making is used;

  • Be notified of any redactions or exemptions applied.

​

4. Making a Request

• Requests may be made in any reasonable manner — by email, by letter/post, or verbally (in person or by phone).

  • The request must include sufficient information to identify the requester (name, contact details) and to describe the data sought (for example, timeframe, departments, type of records).

  • If someone other than the data subject submits the request, they must supply proof of authority to act on that person’s behalf (for example, written authorisation or power of attorney).

​

5. Verifying Identity

• To protect individual privacy, Clifford Car Sales may request proof of identity where reasonably necessary.

  • In the case of a third‑party acting on behalf of the individual, proof of authority will also be required.

  • Only the minimum verification required to confirm identity will be requested.

​​

6. Timescales for Response

  • A valid access request will be responded to by Clifford Car Sales without undue delay and in any event within four weeks of receipt.

  • If the request is complex or involves a large volume of data, the period may be extended by a further eight weeks. In such cases, the requester will be notified by Clifford Car Sales before the end of the initial four‑week period, and reasons for the extension will be given.

​

7. Fees

  • There is generally no fee for providing access to personal data.

  • However, for additional copies or in cases where a request is manifestly unfounded or excessive, a reasonable administrative fee may be charged by Clifford Car Sales. The requester will be informed of any such fee in advance.

​

8. Exemptions, Redaction & Withholding

  • Certain categories of data may be exempt from disclosure under the law (for example, personal data about others, legally privileged material, or data whose disclosure would prejudice a legal process).

  • Where partial disclosure is possible, exempt material will be redacted, and what may lawfully be disclosed will be supplied by Clifford Car Sales.

  • Reasons (to the extent permitted) will be provided when exemptions or redactions are applied.

​

9. Format & Delivery

  • Where the request is made electronically, the data will be provided in a structured, commonly used, machine‑readable format, unless otherwise requested.

  • The method of delivery (e.g., secure electronic file, printed copy) will be agreed with the requester, and secure transmission (e.g., password protection, encryption) will be used by Clifford Car Sales as appropriate.

​

10. Process & Responsibilities

  • Any access request received by Clifford Car Sales must be forwarded promptly to the designated DPO (or other responsible person).

  • The DPO / responsible person is responsible for verifying identity, locating relevant data across departments, applying exemptions/redactions, preparing the response, and ensuring compliance with timescales.

  • A log of all requests will be maintained by Clifford Car Sales, recording at least:

    • date of receipt;

    • requester identity or verification steps;

    • departments involved;

    • whether an extension was used (and rationale);

    • date of response;

    • any fees charged;

    • any refusals or partial refusals.

​

11. Clarification & Narrowing

  • If a request is vague, overly broad, or unclear, the requester may be contacted by Clifford Car Sales to ask for clarification or refinement.

  • The four‑week response period commences once the request is sufficiently clear for Clifford Car Sales to identify and process it.

​

12. Complaints

  • If you are dissatisfied with how your request has been handled, a complaint may be raised internally with the DPO of Clifford Car Sales.

  • You also have the right to complain to the JOIC.

​

13. Review & Audit

The handling of access requests (timeliness, correct application of exemptions, identity verification, etc.) will be audited by Clifford Car Sales, and improvements will be implemented where needed.

  • Facebook

©2025 by Clifford Car Sales Jersey

bottom of page