The Motor Ombudsman Privacy Notice

Definitions

Accredited Business means any business that is accredited to all or one of Our Codes of Practice.

Automated Decision(s) means a decision made solely by automated means, without any human involvement.

Codes of Practice means the vehicle sales, service and repair, new cars or vehicle warranty products codes of practice and any other motor industry codes of practice operated by TMO from time to time. More information can be found here.

Consumer, “you”, “your” means the registered keeper and/or end user of any Vehicle, or the complainant or their representative and includes vulnerable consumers.

Cookie means a simple text file that is stored on your computer or mobile device by a website’s server and only that server will be able to retrieve or read the contents of that cookie, more information can be found here.

Data Protection Law(s) means the Assimilated Regulation (EU) 2016/679, UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018), as amended from time to time.

Internet Protocol (IP) Address means a set of numbers that is automatically assigned to your computer whenever you log onto your internet service provider or through your organisation’s local area network (LAN) or wide area network (WAN).

Our Service(s) means any of the following;

• Early Resolution means Our informal process for resolving disputes between the parties;
• Mediation means bringing together the parties to facilitate open dialogue, communication, and negotiation to reach a jointly agreed resolution to a complaint;
• Adjudication means the first stage of Our formal process for investigating disputes and making a decision on them based on the evidence provided by both parties, the Code and what is fair and reasonable in the circumstances; and
• Ombudsman’s Final Decision means the second stage of Our formal process for investigating disputes and making a potentially binding decision on them, if accepted by the Consumer, based on the evidence provided by both parties, the Code and what is fair and reasonable in the circumstances.

Personal Data means any information about a living individual from which that person can be identified. It does not include data where the identity has been removed and this will be classified as anonymous data. Some examples of personal information include: name, location data (e.g. IP address) or telephone number.

Process or Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data (whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction).

Profiling means the automated processing of Your Personal Data to evaluate certain things about You.

Sensitive Personal Data means special categories of data, including race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation. The law imposes higher standards of protection on those who process special category data as it is more sensitive.

‘TMO’, ‘the Company’, ‘we’, ‘our’, or ‘us’ means The Motor Ombudsman Limited, UK company registration number 06517394. TMO’s registered office is located at 71 Great Peter Street, London SW1P 2BN.

Website means this site (‘themotorombudsman.org’).

1. Purpose

TMO respects your privacy and is committed to protecting your Personal Data. This Privacy Notice tells you everything you need to know about your Personal Data when interacting with TMO either as an Accredited Business or as a Consumer, and whether you are submitting a case by completing one of our online submission forms or by phoning us, registering your business to become accredited to our Codes of Practice, or contacting us via any other channels , or using our Website.

It’s important you read this Privacy Notice so that you’re fully aware of how and why we are using your Personal Data. You’ll also be able to understand why we will Process your Personal Data (our purposes of Processing) and the legal basis for that Processing.

Your Personal Data is held and used by us in accordance with the Data Protection Laws. These govern our Processing of your Personal Data whether we Process it electronically, on paper, or in any other medium.

By submitting Personal Data to us via this Website, you acknowledge that the information will be processed by TMO in the manner and for the purposes described in this Privacy Notice.

2. The Personal Data we collect and use

TMO only collects Personal Data which we need and that is relevant for the purposes for which we intend to use it. Outlined below are the types of Personal Data we collect and how and why we collect it.

2.1 Personal Data that you may give to us

• Where you submit an enquiry or complaint you may give us your name, e-mail address, telephone number or other contact information, vehicle registration number, and any other Personal Data you choose to submit regarding your complaint;
• The opinions and other information you provide when responding to customer surveys and/ or questionnaires;
• Any information you include in correspondence you send to us or in forms you submit to us when using our Website or social media pages;
• Any information you provide to us via telephone;
• Any additional sensitive Personal Data that you choose to share with us for example when contacting us in relation to a complaint surrounding a third party in connection with our ADR Services, either via our Website, webforms, email, or by telephone;
• Where you sign up to ‘rate a garage’ through our Website, your name, e-mail address, telephone number or other contact information and invoice information will be collected.

2.2 Information that we collect about you

When you visit our Website we automatically collect:

• the Internet Protocol (IP) Address of your device and details regarding the type of device and browser software you use to access our Website. TMO collects IP addresses for the purposes of systems administration and to audit the use of the Website. We do not ordinarily link a user’s IP address to personally identifiable information of that user. Each user’s session will be logged, but the user remains anonymous. However, we can use IP addresses to identify users of the Website when we feel it is necessary to enforce compliance with the Website’s Terms of Use, or to protect our service, the Website or other users.
• details of your use of our Website, namely traffic data, weblogs and statistical data, including where and when you clicked on certain parts of our Website, including which of our services you have viewed, and details of the webpage from which you visited it;
• Cookie, pixels and beacon identification information;
• your unique login information and complaint history (where you have created an account with us).
• When you visit our social media pages we collect:
  • the information you post on those pages;
  • information regarding your interactions with the content we post; and
  • statistical information regarding all our followers’ activities (but from which we cannot identify you as we only have access to this information in aggregated form)

3. How we use your Personal Data?

We may process your Personal Data for several reasons. We will always ensure we have a valid legal ground to process your Personal Data, depending on the purposes of our use and the risks to your privacy.

3.1 Where you have provided Consent

We process your Personal Data for the following purposes where you have consented for us to do so:

• to contact you via email or SMS (as you have indicated) with marketing information about our products and services (see Marketing for further details).

You can withdraw your consent for us to use your information in any of these ways at any time. Please see Section 9 Your rights in relation to your Personal Data.

3.2 Where necessary to comply with our Legal Obligations

We will use your Personal Data to comply with our legal obligations:

• to keep a record of the exercise of any of your rights relating to our Processing of your Personal Data; and
• to meet legal, regulatory and compliance requirements, including those imposed upon TMO by virtue of our capacity as an Ombudsman and provider of Alternative Dispute Resolution; and
• to handle and resolve any complaints we receive relating to Our Services.

3.3 Where necessary for us to pursue a Legitimate Interest

We use and process your Personal Data where it is necessary for us to pursue our legitimate interests as a business for the following purposes:

1. To promote our business, brands and products and measure the reach and effectiveness of Our Services and campaigns:

• for analysis and insight conducted to enhance your visitor experience; and
• to identify and record when you have received, opened or engaged with our Website or electronic communications (please see Cookies Notice); and
• to respond to correspondence you send to us and fulfil the requests you make to us; and
• to respond to changing market conditions and the needs of our visitors to our Website; and
• to analyse, evaluate and improve our services so that your visit and use of our Website and social media pages are more useful and enjoyable (we will generally use data amalgamated from many people so that it does not identify you personally); and
• for service development purposes.

1. To operate the administrative and technical aspects of our business efficiently and effectively

• to process any of your complaints regarding a third party business and where we will be assisting you by way of Our Services through our Website; and
• to administer our Website and our social media pages and for internal operations, including troubleshooting, testing, statistical purposes; and
• for the prevention of fraud and other criminal activities; and
• to verify the accuracy of data that we hold about you and create a better understanding of you as an account holder or visitor; and
• for network and information security in order for us to take steps to protect your information against loss or damage, theft or unauthorised access; and
• to comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request); and
• for the purposes of corporate restructure or reorganisation or sale of our business or assets; and
• for efficiency, accuracy or other improvements of our databases and systems, for example, by combining systems or consolidating records we hold about you; and
• to enforce or protect our contractual or other legal rights or to bring or defend legal proceedings; and
• to inform you of updates to our terms and conditions and policies; and
• for other general administration including managing your queries, complaints, claims, and to send service messages to you.

3.4 Where necessary for us to carry out Pre-Contractual Steps you have requested or for the performance of our Contract

We will use your Personal Data where this is necessary for us to perform our contract with you or to carry out any pre-contractual steps you’ve asked us to so that you can enter into that contract, for the following purposes:

• to run our competitions and promotions that you enter from time to time and to notify you in the event that you are successful and to distribute prizes; and
• where you are an Accredited Business who has signed up to our newsletter, to process your registration and administer your business’s accreditation to the Codes of Practice.

3.5 Where processing is in your Vital Interests

We will use your Personal Data where this is in your vital interest for the following purposes:

• to notify you of any product recall issues.

3.6 Where we use your Personal Data to make Automated Decisions

We may employ automated systems to enhance the efficiency of Our Service. This technology is integral in handling your dispute, ensuring timely and accurate signposting based on the information you give us.

Types of Automated Decisions in Our Service:

• Case Prioritisation and Triage: Automated tools may assess the urgency and category of new cases based on the details you provide. This helps in efficiently allocating resources to cases and identifying which cases may require additional resource.
• Remit Decisions:  Automated systems may also determine whether a case falls within our remit. This initial assessment ensures that cases outside our jurisdiction are promptly identified and signposted appropriately, giving you suitable information about how to pursue the dispute further elsewhere without unnecessary delays.

3.7 Your Rights Regarding Automated Decisions

Automated Decision (details)	Source of information	How the decision is made	Potential impacts of the decision	Your rights
Case Prioritisation and Triage	Information provided by you during submission and ongoing case file.	The information you provide is automatically compared against our internal criteria to ensure resources are suitably allocated in the event of a vulnerability and priority criteria.	To help us identify needs & allocate resource effectively.	You can ask us to not automatically process your information. You can also ask us to review our Automated Decision within 1 month of the decision having been made. You can also ask us how and what information was used to make the decision.
Remit Decisions	Information provided by you during submission and ongoing case file.	The information you provide is automatically compared against our internal criteria to determine if a case falls within our remit.	To help us identify remit over disputes and provide suitable signposting for cases we cannot formally assist with.	You can ask us to not automatically process your information. You can also ask us to review our Automated Decision within 1 month of the decision having been made. You can also ask us how and what information was used to make the decision.

You have the right to object to any Automated Decisions made, including the determination of a case’s remit.

If you believe an automated decision has been made in error, you can request a manual review by one of Our team.

Our automated processes can be categorised as follows:

For further details about how automated processes may affect your dispute and to understand your data privacy rights, please refer to the ‘Your rights in relation to your Personal Data’ section of this notice. If you wish to challenge an Automated Decision or have other concerns, please reach out to us using gdpr@tmo-uk.org.

4. Marketing

If your business is accredited to TMO, we use your Personal Data for direct marketing based on our Legitimate Interests. This includes promoting the Codes, the Website, and sending you information about Our Services. We personalise marketing communications and respect your selected preferences. You can opt-out at any time using unsubscribe links included in our communications or by updating your preferences by:

• emailing us at gdpr@tmo-uk.org and we will amend your preference for you; or
• ticking the relevant preference box where provided or on the business registration page of the Website before confirming your registration; or
• contact us on 0345 241 3008 (press option 2); or
• Write to us at The Motor Ombudsman Ltd, 71 Great Peter Street, London SW1P 2BN (confirming your accreditation number where relevant).

We may ask you to confirm or update your marketing preferences if you ask us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.

IMPORTANT: If you opt-out of receiving marketing communications from us, we keep your email address on our suppression list for a defined period (Please see further information under ‘Section 8 The periods for which we retain your Personal Data’.) to ensure that we comply with your wishes.

5. Sharing Personal Data with Third Parties

We only share your Personal Data outside our business in limited cases. If we do, we ensure that the recipients are contractually required by us to protect your Personal Data, unless legally obligated to share it. Our contractors and recipients must follow our instructions. We do not sell your Personal Data to third parties.

5.1 Suppliers

We disclose your Personal Data to our third party service providers, agents and subcontractors (Suppliers) for the purposes of providing services to us or directly to you on our behalf, including the operation and maintenance of our Website and social media pages and to calibrate the AI used by us to further improve our service to you.

Click below to view a list of the categories of our suppliers.

Categories of Our Suppliers

Recipient / relationship to us	Industry sector (& sub-sector)	Location
Online Teleconferencing	IT (Cloud Services)	EEA
Online Form Providers	IT (Cloud Services)	UK
Email service provider	IT (Cloud Services)	UK
Social Media	IT (Cloud Services)	EEA & USA
Case management providers	IT (Cloud Services)	UK
Organisations specialising in case management automation	IT (Cloud Services)	UK
Telephony provider	IT (Cloud Services)	EEA & USA
Data Transfer Services	IT (Cloud Services)	EEA
Advertising, PR, digital and creative agencies	Media (Advertising & PR)	EEA
Mailing services providers	Logistics (Delivery Service)	UK
Facilities and technology service providers including scanning and data destruction providers	IT (Data Management)	UK
Insurers and insurance brokers	Insurance (Underwriting & Broking)	EEA
Legal, security and other professional advisers and consultants	Professional Services (Legal & Accounting)	UK
Organisations specialising in the audit of the performance and verification of TMO’s accredited businesses	Automotive (Verification and Audit Service)	UK
Organisations specialising in the audit of the performance and verification of TMO’s ADR Service	Service (Verification and Audit Service)	UK
Data analytics platform providers	IT (Data Analytics)	EEA
Website hosting services providers	IT (Hosting)	UK

5.2 Early Disclosure to third parties in connection with ADR Services

When you submit a complaint against an Accredited Business via the form on our Website, we may automatically Process the information you have submitted and disclose it to the Accredited Business, to enable the business to identify the complaint and take steps to try to resolve it. This includes your case number, vehicle registration number and the outline of your complaint as written by you.

Before automatically Processing the information, you will be given the opportunity to review and confirm your details and the content of the complaint. You can also opt out of automatic Processing of your information when you complete the form.

5.3 Disclosure to third parties in connection with ADR Services

When providing Our Services, including handling your enquiry or complaint, we may share your Personal Data with the following third parties. This includes sharing all relevant complaint details and any Personal Data you provide to us. The third parties involved are:

• Any other parties involved in the complaint;
• The Ombudsman Standard Board or any other body which regulates or monitors us;
• any other body with whom we are legally obliged to co-operate, for example law enforcement bodies.
• Other bodies or individuals involved in the administration of Our Service or Codes of Practice.

5.4 Disclosure to third party accredited business in connection with our ‘Online Reviews’ service

When you leave an online review about your experience with one of our accredited businesses through the Website survey tool, we will ask for your consent to share your Personal Data. This includes your name, email address, telephone number, and review details, with the relevant third party.

6. Aggregate Data

We combine Personal Data gathered during registration with data collected using cookies (please see Cookies Notice). This helps us to track statistics like the total number of Website visits, page visits, and the domain names of our visitors’ internet service providers. Third parties may assist us in aggregating and analysing this data. The information, in an aggregated form, is used to enhance our understanding of how visitors use the Website and improve its functionality. No Personal Data is disclosed in this process.

7. Security and links to other websites

We take the security of your Personal Data seriously and employ industry-standard measures to keep it safe. However, please be cautious as internet transmissions may not be completely secure. When accessing links to other websites, their privacy notices or policies will apply.

We use secure data networks with firewalls and password protection. Your Personal Data is safeguarded against unauthorised access, loss, or damage. You are responsible for keeping any provided passwords or PINs confidential. While we strive to protect your Personal Data, we cannot guarantee complete security during online transmission. We are not responsible for the privacy practices of other websites linked on our site.

Access to your Personal Data is limited to authorised personnel, who are bound by confidentiality obligations. We train our employees to handle data properly and securely. Whilst we cannot guarantee prevention of data breaches, we make efforts to prevent them.

8. The periods for which we retain your Personal Data

We only keep your Personal Data for as long as necessary. Some information, like call recordings, is retained for 12 months, while others are kept for 7 years even after they are no longer needed for business purposes. This allows us to handle any potential legal proceedings. In certain cases, longer retention may be required due to specific exceptions.

8.1 Retention schedule

Click below to view our retention schedules.

Our Retention Schedules

This table explains the retention schedules and exemptions that apply.

Type of Personal Data	When do we receive your Personal Data?	How long do we keep your Personal Data after we receive it?
Details regarding when you have consented to receiving marketing from us	When you complete the consent form	7 years from the date you complete the form.
Social media handles	When you follow our social media account or page	Until you stop following our social media account or page.
Your vehicle registration when you register with us to ‘rate a garage’	When we receive your online review via our Website to ‘rate a garage’ and you provide your vehicle registration details	7 years
Opinions /other information you give  via feedback surveys	When you submit your completed survey online	7 years
Information you give to us when entering a competition	When we receive your completed entry form	7 years, except for the entries themselves which may be kept indefinitely depending on the material provided.
IP addresses and type of device	When you use any of our Website	12 months from the date of collection.
Telephone call recordings	From when your call is answered by TMO’s team until the call ends	7 years from the date recorded*
Original documents	From when TMO acknowledges receipt of your documents	3 months
Full case file including online or Website forms, emails, documents and other information	From when TMO first opens your case file	7 years from closing the case file

*Please note: Calls recorded prior to May 1st 2025 will be retained for a period of 12 months from the date they occurred.

The exceptions to the periods mentioned above are where:

• you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law (see further Your rights in relation to your Personal Data); or
• you exercise your right to require us to retain your Personal Data for a period longer than our stated retention period (see further Your rights in relation to your Personal Data); or
• we bring or defend a legal claim or other proceedings during the period we retain your Personal Data, in which case we will retain your Personal Data until those proceedings have concluded and no further appeals are possible; or
• we archive the information to our business-critical back-ups, in which case we will delete it in accordance with our deletion cycle and information will usually be permanently deleted after 10 years; or
• in limited cases, existing or future law or a court or regulator requires us to keep your Personal Data for a longer or shorter period.

9. Your rights in relation to your Personal Data

Under the Data Protection Laws, as a Data Subject you have the legal right to be informed about the processing of your data, as well as the following rights to:

9.1 The right of access

You have the right to ask for a copy of the information that we hold about you by emailing or writing to us at the address at the end of this policy. We will not provide you with a copy of your Personal Data if this concerns other individuals or we have another lawful reason to withhold that information.

Please note: a subject access request does not give you the right to access specific documents or an entire case file. Instead, it entitles you to your ‘Personal Data’ in a clear and permanent form.

9.2 The right to rectification

The accuracy of your information is important to us and we are working on ways to make it easier for you to review and correct the information that we hold about you. In the meantime, if you change your name or address/email address, or you discover that any of the other information we hold is inaccurate or out of date, please let us know by contacting us in any of the details described at the end of this policy.

9.3 The right to erasure

In certain circumstances, you can ask for your Personal Data to be removed from our systems by emailing or writing to us at the address at the end of this policy. Unless there is a reason that the law allows us to use your Personal Data for longer, we will make reasonable efforts to comply with your request.

9.4 The right to object

Where we rely on our legitimate interests as the legal basis for Processing your Personal Data for particular purposes, you can object to us using your Personal Data for these purposes by emailing or writing to us at the address at the end of this policy. Except for the purposes for which we are sure we can continue to Process your Personal Data, we will temporarily stop Processing your Personal Data in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under Data Protection Laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification as to why we need to continue using your data.

You can object to us using your Personal Data for direct marketing purposes and we will automatically comply with your request. If you would like to do so, please use our unsubscribe tool.

In certain circumstances, you can ask for your Personal Data to be removed from our systems by emailing or writing to us at the address at the end of this policy. Unless there is a reason that the law allows us to use your Personal Data for longer, we will make reasonable efforts to comply with your request.

9.5 The right to data portability

You have the right to ask for a copy of the information that we hold about you by emailing or writing to us at the address at the end of this policy. We will not provide you with a copy of your Personal Data if this concerns other individuals or we have another lawful reason to withhold that information.

9.6 Rights in relation to Automated Decision making and Profiling

You have rights around Automated Decision making and profiling.

You have the right to information about these kinds of Processing, and the right to ask for human intervention or to challenge an Automated Decision. You can do this when an Automated Decision is made about you, or you can contact us on gdpr@tmo-uk.org to speak to us about this. Please see the ‘Where we use your Personal Data to make Automated Decisions’ section for more information on Automated Decision making used in Our Service.

9.7 Withdraw your consent

Where we rely on your consent as the legal basis for Processing your Personal Data, you are able to withdraw your consent at any time by contacting us using the details at the end of this policy.

If you would like to withdraw your consent to receiving any direct marketing to which you previously opted-in, you can also do so using our unsubscribe tool.

If you withdraw your consent, our use of your Personal Data before you withdraw is still lawful.

If you would like to exercise any of those rights, please refer to 12. How to contact us

10. Changes to this Privacy Notice

Please visit this page regularly for any updates to this Privacy Notice. If we make any changes to it, it they will be promptly communicated by way of an updated notice posted on this page. By continuing to use this Website and, if applicable, maintaining your registration as a accredited business, you acknowledge any changes. We suggest checking this page frequently and reviewing the notice each time you visit our Website.

11. Transfer of Personal Data outside of the United Kingdom

It is sometimes necessary for us to transfer Your Personal Data to countries outside the UK.
In those circumstances we will comply with applicable UK laws designed to ensure the privacy of your Personal Data. For more information about which of Our suppliers are involved in transfer of Your Personal Data outside of the UK, see section 5.1 Suppliers.

Under Data Protection Laws, we can only transfer Your Personal Data to a country outside the UK where:

• the UK government has decided the particular country ensures an adequate level of protection of Personal Data (known as an ‘adequacy regulation’) further to Article 45 of the UK GDPR. A list of countries the UK currently has adequacy regulations in relation to is available here. We rely on adequacy regulations for transfers to the following countries: USA and Germany;
• there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you, or
• a specific exception applies under relevant data protection law.

In the event we cannot or choose not to continue to rely on adequacy regulations at any time we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK Data Protection Law and reflected in an update to this policy. Any changes to the destinations to which we send personal data or in the transfer mechanisms we rely on to transfer personal data internationally will be notified to you in accordance with section 10, ‘Changes to this privacy notice’ above.

Whenever we transfer or Process Your Personal Data outside of the UK, we’ll ensure the level of protection to Your Personal Data is maintained to the standards required within the UK Data Protection Laws through contractual clauses and other legal mechanisms.

Visitors are advised to note that if you are visiting the Website from a country other than the country in which our server is located (currently the United Kingdom), the various communications will necessarily result in the transfer of information across international boundaries.

12. How to complain

If you believe your Personal Data is being misused and does not comply with Data Protection Laws, we encourage you to contact us first via post, telephone or email (see “How to contact us” below). We will try to resolve any issues or concerns you may have.

You can file a complaint with a data protection regulator in the country where you work or live, or where your rights have been violated. In the UK, you can contact the Information Commissioner’s Office (ICO) for this purpose.

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire
SK9 5AF
Tel: 0303 123 1113
Website: www.ico.org.uk

13. How to contact us

To contact us in relation to this Privacy Notice, including to exercise any of your rights in relation to your Personal Data, please contact our Data Protection team by one of the following means:

• by post at The Motor Ombudsman Ltd, 71 Great Peter Street, London SW1P 2BN; or
• by phone 0345 241 3008 (press option 2); or
• by email at gdpr@tmo-uk.org.

For anything else, including consumer queries, press and media queries or business accreditation queries, please see the ‘Contact Us’ section of our Website for the relevant contact details.