Privacy Policy
Privacy Policy
Introduction
Ideal Heating Limited (referred to in this document as ‘Ideal Heating’, ‘data controller’, ‘we’, ‘our’ or ‘us’), is committed to protecting and respecting your privacy and the security of your personal data. We aim to be clear and transparent about what we do with the personal data we collect. (‘Personal data’ means any information relating to an identifiable person). This policy:
Sets out how we process your personal data. (‘Processing’ means anything we do with your data, and includes collecting, using, storing and deleting it);
Sets out where we might send your personal data to others, how we protect it and your privacy rights;
Who we are and how to contact us
Ideal Heating is part of Groupe Atlantic. With over 100 years’ experience in the UK heating industry, Ideal Heating is a market leader in the supply and servicing of domestic and commercial boilers.
In respect of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communication Regulations (PECR), the data controller is Ideal Heating Ltd, registered office, National Avenue, Hull, East Yorkshire, HU5 4JB.
If you have any questions, requests or comments regarding this privacy policy, you can email dpo@groupe-atlantic.co.uk. You can also contact us at the above postal address.
The personal data we collect from you
We may collect personal data from you in the following circumstances, when you:
Fill in a form on our site www.idealheating.com. This includes information provided at the time of registering to use our site, subscribing to a service, requesting further services and completing the Contact Form;
Visit our site, we may automatically collect traffic data, location data, weblogs, browser, usage and other communications data;
Report a problem with our site;
Contact us by phone;
Register a product warranty online or through our call centre;
Interact with us via social media;
Complete any surveys we send to you;
From the Gas Safe Register (if you are an installer and/or reseller)
Respond to our marketing activities
From third party database providers of business lists (not consumers or sole traders) if they are a potential B2B relevant incorporated business who we wish to trade with.
IP Addresses and Cookies
Like most websites you visit, we use cookies. Click here if you would like more detailed information about how these cookies work and our policy regarding the information they collect.
How we use your personal data including legal basis
Website
When you contact us using the Contact Form, we may store your personal data. The legal basis for this is ‘legitimate interest’. Where we process your personal data under this basis, we perform an assessment (LIA) that balances your rights and freedoms alongside our interests, to ensure that what we do with your personal data is what you would reasonably expect.
Products and Services
There are three legal bases under which we process personal data for product and services:
When you register a product. The legal basis for this is ‘performance of a contract’;
Where we keep your personal data for the purpose of product recall requirements, the basis is ‘vital interests’.
After the expiry of a warranty for example, we may also keep your personal data under the basis of ‘legal obligation’ re’ gas safety, and health and safety regulations;
Marketing
We may send you relevant marketing messages by email, text message (SMS), telephone or post about us and our products and offers where you are a business-to-business customer or potential business-to-business customer. For example, you may already install our equipment and/or provide servicing, are a product reseller, or have registered for one of our promotions or competitions. Alternatively, you may have had a dialogue with our sales team. If you are an incorporated business, you may currently have no relationship with us, but are one of the trade suppliers we wish to target.
For consumers we will only send marketing material to you if you meet at least one of the following categories:
You have enquired about our products or services
Have one of our products already installed (which could have been fitted by a third party)
Have or have had a product warranty registration with Ideal Heating
Use one of our Apps to manage your boiler and/or heating
For email and SMS messages, the legal basis for processing is normally legitimate interests, although in certain circumstances we may seek your consent. If you want us to stop sending you information by email or SMS, you can opt out at any time by selecting the ‘unsubscribe’ link on any email or SMS we send you. You can also email us at dpo@groupe-atlantic.co.uk. or write to us at: The Data Protection Officer, Ideal Heating Limited, National Avenue, Hull, HU5 4JB.
Surveys
We may ask you to complete surveys for research purposes. The legal basis for these is legitimate interest or performance of a contract. Where legitimate interest is relied on, you have the right to opt out at any time.
How we share your personal data
We may disclose your information to third parties if we:
Sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of those assets;
Have a duty to disclose your personal data to comply with any legal obligation. This includes sharing information with other organisations for the purposes of fraud prevention.
We are required to have written contracts in place with any third parties we use to process your personal data. This is to ensure that third party processors only act on the documented instructions of the data controller, and to ensure that both parties understand their responsibilities, especially in regard to safeguarding personal data.
Third parties we share your personal data with are listed below:
ADP
Agency TK
Agentis
Allianz
Amazon Web Services
Aspray 24
Axinite
Boiler Guide Limited
Certsure
Checkatrade
Cognito
CSI
Davies
Domestic & General
Elementary Digital
Expert Trades
First Event
Flaunt Digital
Force24
Gas Safe Register
Google Analytics
Health and Safety Executive
HomeServe
Ideal Energy Distribution Ltd (IED)
JSM Brandex
LoyaltyMatters
Microsoft
NewZend
Overkiz
Principles Agency
Prizeshark
Pulseware
QlikView
SalesForce
Sauce
ServicePower
Square Owl
Tick 9
Tradehelp
UPS
ViperGas
Whistle
Worldpay
Wyke Printers
We also receive and share personal identifiable data with Installers when they register your product or are required to undertake warranty or other contracted work. Our basis for receiving or sharing your data is on the grounds of Data Controller to Data Controller. Appropriate data processing documentation has been put into place between the parties to protect any of your personal identifiable data.
No personal identifiable data belonging to any third party must be shared with Ideal Heating without first obtaining the consent of the data subject (householder). In transferring any personal data either electronically or verbally, the installer confirms that they have permission from the data subject to do so.
Where we store your personal data
Some data that we collect listed below, is transferred and stored outside the EEA. All other personal data is processed within the EEA.
Processed outside the EEA:
Google Tag Manager (website analytics) – EU-US Privacy Shield.
MailChimp
Salesforce (in certain circumstances)
It will also be processed by staff who work for us and, or by one of our suppliers. This includes for example staff fulfilling your order, processing your payment details and providing support services. We take all necessary steps to ensure that your data is processed securely in accordance with this Privacy Policy.
How long we keep your personal data for
This depends on the type of personal data and what it is used for. We only keep personal data for as long as we have a legal basis to do so, and we adhere to the principle of data minimisation. This means that we only keep the minimum amount of information necessary for specific processing.
We keep personal data you provide by filling in forms on our site unless or until you unsubscribe. If you unsubscribe, we retain minimal information about you to ensure that we know you have unsubscribed;
Financial transaction data is kept for a maximum of seven years. This is due to legal obligations in relation to accounting and tax;
Where there is a contract between us, and in case of any legal action, personal data is retained for 8 years after the end of the contract.
A Data Retention Schedule listing how long different documents are retained is available on request, by using the contact details below.
How we secure personal data
We use a combination of physical, technical and organisational controls to safeguard your personal data. We are also committed to regularly evaluating our data protection security.
Personal data is stored on secure servers;
Payment transactions such as card transactions are encrypted using SSL technology;
Emails are scanned for malware and viruses;
Data sent between our website and your browser is protected using industry standard protocol such as Transport Layer Security;
Data processed by third parties is safeguarded by contracts containing audit rights of inspection and warranties;
Personal data is stored within secured networks, and is only accessible by a limited number of people. Access rights and other policies and procedures forming part of our Information Security Management System (ISMS) further secure your information.
Our security procedures mean that we may occasionally request proof of i.d. before we are able to disclose personal information to you.
Unfortunately, the transmission of information via the Internet is not always secure. Although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site. Once received however, we will use our procedures and security to prevent unauthorised access.
Your Rights
You have certain rights (detailed below) under data protection law, and you can make requests to us about any personal data we hold about you.
Requests must be submitted via dpo@groupe-atlantic.co.uk or using the postal address listed further below.
We will also need to verify your identity and we will email you a Data Subject Access form for you to complete. Once this has been submitted, we have 30 days from the date of receipt to provide the information requested, and will not ordinarily charge a fee. If further copies are required, and / or the request is deemed vexatious, we can charge a reasonable fee.
Your rights include:
Right to be informed. You have the right to be informed about the collection and use of your personal data, as detailed in this Privacy Policy;
Right to access. You have the right to request a copy of the information we hold about you. If you want to request a copy you can contact us as detailed above;
Right to rectification. We want to make sure that your personal information is accurate and up to date. You have the right to ask us to correct or remove information you think is inaccurate.
Right to erasure. You have the right to ask us to delete your personal data. You can ask us to erase your personal data where there is no good reason for us to continue to process it. This will apply for example where the purpose we collected your information for is no longer relevant, or where you withdraw consent, if consent was given to start with;
Right to restriction. You have the right to request the restriction or suppression of your personal data under certain circumstances. This means you can limit how we use your personal data. This might apply if for example you believe the processing is unlawful;
Right to data portability. You have the right to ask for a copy of your personal data in a form that lets you copy or transfer it to another IT system in a machine readable way, and / or another organisation. This will apply where the processing is based on consent or a contract, and the processing is by automated means;
Right to object. You have the right to object to the processing of your personal data in some circumstances. You have the right to stop your data being used for direct marketing purposes;
Right not to be subject to automated decision making including profiling. Where such processing produces legal effects or similarly significantly affects;
Right to withdraw consent. Where our processing is based on your consent, you have the right to withdraw this consent at any time;
If you have any questions, requests or are unhappy how we have handled your personal data you should raise a complaint via: dpo@groupe-atlantic.co.uk
Or you can write to us at: Ideal Heating Ltd, National Avenue, Hull, East Yorkshire, HU5 4JB. We have a duty to respond within 30 days.
If after 30 days you have not received a response from Ideal Heating you have the right to complain to the Information Commissioners Office (click here https://ico.org.uk/make-a-complaint/ to visit the ICO’s website).
Postal address: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Changes to our Privacy Policy
We keep our privacy policy under regular review and we will place any updates on this web page. When such a change is made, we will post a notification of change and date of current version. You have a responsibility to view this policy from time to time to be aware of any such change.
Annex 1: Controller to Controller Processing Agreement
Data Controller to Data Controller
Introduction
This Data Controller to Data Controller document constitutes a data processing agreement in compliance with UK and ROI Data Protection Legislation.
This DPAC2C is part of the binding Connect Scheme and Max AI Scheme Terms & Conditions. Please see Ideal Boilers’ Privacy Policy for further data protection information.
The Parties
(1) Ideal Boilers Ltd, registered in England and Wales under company number 00322137, whose registered office is National Avenue, Hull HU5 4JN (“Data Discloser”)
(2) The Installer who has either accepted this agreement online as part of the Connect Scheme and Max AI Scheme Terms & Conditions or has inserted their details and signature on page 4 (“Data Discloser”)
Agreed Purposes: To share personal data concerning individual data subjects who have either registered an Ideal product for warranty purposes and/or are seeking technical support and/or repair from an Installer.
Definitions
The names Ideal Boilers Ltd and Ideal Heating Ltd are interchangeable and for the purposes of this agreement will all be denoted as Ideal Boilers.
For the purposes of this agreement the word Installer shall have the same meaning as gas fitter, independent contractor, gas engineer or other Gas Safe registered business or individual.
Controller, processor, data subject, personal data, personal data breach, processing and appropriate technical and organisational measures: as defined in the UK and ROI by Data Protection Legislation.
‘Processing’ has the same meaning attributed to it by UK and ROI GDPR. In summary “Processing” means any operation or set of operations which is performed on personal data including, but not limited to, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data Discloser: a party that discloses Shared Personal Data to another Data Controller.
Data Subject: means an individual to whom the Data relates.
ICO: UK Information Commissioner’s Office
DPC: Data Protection Commission (Ireland))
Data Protection Legislation: all applicable data protection and privacy legislation in force in the UK and for those living in the Republic of Ireland (ROI). This includes for UK subjects: UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations and for ROI the General Data Protection Regulation ((EU) 2016/679 and currently the Privacy and Electronic Communications Regulations which is to be replaced by the ePrivacy Regulation.
Permitted Recipients: the parties to this agreement, the employees of each party, any third parties engaged to perform contractual obligations in connection with this agreement.
Shared Personal Data: any Personal Identifiable Data to be shared between the parties under clause 1.1 of this agreement. Shared Personal Identifiable Data shall be confined to the following categories of information:
a. Name
b. Personal address, and telephone number
c. Email address
d. Other named parties and their details who may live in the household or nearby
DATA PROTECTION
1.1 Sharing Personal Identifiable Data
This clause outlines the framework for the sharing of personal data between the parties as controllers in common. Each party acknowledges that one party (referred to in this clause as the Data Discloser) will regularly disclose to the other party Shared Personal Identifiable Data collected by the Data Discloser for the Agreed Purposes of supporting boiler installations, their maintenance and other related activities.
1.2 Effect of non-compliance with Data Protection Legislation
Each party shall comply with all the obligations imposed on a controller under UK and ROI Data Protection Legislation, and any material breach of the UK and ROI Data Protection Legislation by one party shall, if not remedied within 30 days of written notice from the other party, give grounds to the other party to terminate this agreement with immediate effect.
1.3 Specific obligations concerning data sharing
Both Parties shall be individually and separately responsible for complying with the obligations that apply to it as a Data Controller under any applicable Data Protection Laws in relation to any Personal Data Processed.
Each Party is a Controller of the Personal Identifiable Data it discloses or makes available to the other Party and will process that Personal Data as separate and independent Data Controllers for the Agreed Purposes. The parties process the Personal Data as Data Controllers in common and not as joint Data Controllers.
Each party shall:
(a) ensure that it has all necessary notices and consents in place to enable lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes;
(b) give full information to any data subject whose personal data may be processed under this agreement regarding the nature of such processing. This includes giving notice that, on the termination of this agreement, personal data relating to the data subject may be retained by or, transferred to one or more of the Permitted Recipients, their successors and assignees;
(c) process the Shared Personal Data only for the Agreed Purposes;
(d) not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients;
(e) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Identifiable Data (including obligations of confidentiality) which are no less onerous than those imposed by this agreement;
(f) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
(g) not transfer any personal data received from the Data Discloser outside the UK or EEA unless the transferor:
(i) complies with the provisions of Articles 26 of the GDPR (in the event the third party is a joint controller); and
(ii) ensures that (i) the transfer is to a country approved by the ICO or European Commission as providing adequate protection pursuant to Article 45 of UK GDPR; or (ii) there are appropriate safeguards in place pursuant to Article 46 UK GDPR; or (iii) Binding corporate rules are in place or (iv) one of the derogations for specific situations in Article 49 UK GDPR applies to the transfer.
1.4 Mutual assistance
Each party shall assist the other in complying with all applicable requirements of the UK Data Protection Legislation. In particular, each party shall:
(a) where legally required consult with the other party about any notices given to data subjects in relation to the Shared Personal Identifiable Data;
(b) promptly inform the other party where required about the receipt of any Data Subject Access Request;
(c) Each Data Controller will support the other Data Controller in promptly responding to requests from individuals to exercise their rights. If a Data Subject Access Request or data deletion request is made directly to one Data Controller by a data subject or their representative, that Data Controller will promptly inform the second Data Controller so that all records can be accurately maintained;
(d) not disclose or release any Shared Personal Identifiable Data in response to a data subject access request without first consulting the other party wherever possible;
(e) assist the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under UK or ROI Data Protection Legislation with respect to security, personal data breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators;
(f) notify the other party without undue delay on becoming aware of any breach of the UK or ROI Data Protection Legislation;
(g) at the written direction of the Data Discloser, delete or return Shared Personal Identifiable Data and copies thereof to the Data Discloser on termination of this agreement unless it is needed to: protect the vital interests of the data subject, meet the contractual obligations of the data subject or required by law.
Either party will inform the other party if they are the subject of any enquiries or
proceedings by the ICO and/or DPC.
Furthermore, the Parties will:
(i) maintain complete and accurate records and information to demonstrate compliance with UK and ROI legislation; and
(j) provide the other party with contact details of at least one employee as a point of contact and responsible manager, for all issues arising out of UK and ROI Data Protection Legislation.
1.5 Indemnity
Each Data Discloser shall be liable to the other for damages it causes by any breach of these clauses. The liability between the parties shall be limited to actual damage suffered
arising out of or in connection with the breach of UK or ROI Data Protection Legislation by the breaching party. The offending party shall also be liable to the Data Subjects for any damages it has caused them.
1.6 Survival
The parties’ obligations under this DPAC2C shall survive termination or expiration of the contractual arrangement with the Installer so long as the Installer has access to any Personal Identifiable Data.
This DPAC2C forms part of the Connect Scheme and Max AI Scheme Terms & Conditions 2022 and becomes automatically legally binding when the Installer accepts the above agreement. If you are an installer but have not already agreed theConnect Scheme and Max AI Scheme Terms & Conditions, please sign this DPAC2C below which will then take immediate legal effect:
For and on behalf of (Data Discloser)
Your name: ………………………………………………..…………………
Your Job title: ………………………………………………..…………………
Company or trading name: ………………………………………………..…………………
Signature: ………………………………………………..…………………
Address: ………………………………………………..…………………
Address: ………………………………………………..…………………
Email address: ………………………………………………..…………………
Telephone number: ………………………………………………..…………………
For and on behalf of Ideal Boilers Ltd (Data Discloser) agreement deemed pre-signed
James Hamilton
Data Protection Officer
Ideal Boilers Ltd, National Avenue, Hull HU5 4JN
If you have any questions regarding this Data Processing Agreement Data Controller to Data Controller (DPAC2C) please contact: dpo@groupe-atlantic.co.uk
Or you can write to us at: Ideal Heating Ltd, National Avenue, Hull, East Yorkshire, HU5 4JN.
Version 1
Agreement dated August 5 2022