Security Policy

ENGINECAREPARTS.COM

Data Protection Policy

In accordance with the EU General Data Protection Regulation (GDPR)

Version: 1.0

Effective Date: June 1st, 2026

Legal Entity: Engine Care Parts Ltd.

Registered Address:

Q West (I.H.2.8)
1110 Great West Road
Brentford
Middlesex
TW8 0GP
United Kingdom

1. Goal of the Data Protection Policy

The purpose of this Data Protection Policy is to establish and document ENGINECAREPARTS.COM's commitment to protecting personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

This policy provides a framework for the lawful, fair, transparent, and secure processing of personal data. It serves as evidence of compliance for customers, suppliers, regulatory authorities, and other stakeholders and may be used as supporting documentation during audits, inspections, and assessments.

The objectives of this policy are to:

  • Ensure compliance with GDPR and applicable data protection legislation.
  • Protect the rights and freedoms of individuals whose personal data is processed.
  • Establish clear responsibilities for data protection within the organisation.
  • Implement appropriate technical and organisational measures (TOMs).
  • Promote a culture of privacy, security, and accountability.
  • Support continuous improvement of data protection practices.

2. Preamble

ENGINECAREPARTS.COM is an online supplier of engine parts, components, and related products serving customers across the United Kingdom, European Union, and other international markets.

As part of its business activities, ENGINECAREPARTS.COM processes personal data relating to customers, suppliers, employees, contractors, and website visitors. The company recognises the importance of protecting personal information and is committed to ensuring that all personal data is processed lawfully, fairly, transparently, and securely.

ENGINECAREPARTS.COM is dedicated to maintaining the trust of its customers and business partners by implementing robust privacy and security controls and complying with all applicable data protection obligations.

3. Security Policy and Responsibilities in the Company

3.1 Data Protection Objectives

ENGINECAREPARTS.COM has established the following data protection objectives:

  • Ensure confidentiality, integrity, and availability of personal data.
  • Prevent unauthorised access, disclosure, alteration, or destruction of personal data.
  • Maintain compliance with GDPR and other applicable legal obligations.
  • Minimise risks associated with data processing activities.
  • Ensure timely response to data protection incidents.
  • Promote privacy by design and privacy by default across all systems and processes.

3.2 Roles and Responsibilities

Company Management

Senior management is responsible for:

  • Approving and supporting data protection policies.
  • Allocating appropriate resources for compliance.
  • Ensuring accountability throughout the organisation.

Data Protection Lead

ENGINECAREPARTS.COM has designated a Data Protection Lead responsible for:

  • Monitoring GDPR compliance.
  • Advising management on data protection matters.
  • Coordinating data protection activities.
  • Acting as the primary point of contact for privacy-related matters.

Department Managers

Department managers are responsible for:

  • Ensuring compliance within their areas of responsibility.
  • Implementing approved security procedures.
  • Reporting data protection risks and incidents.

Employees and Contractors

All personnel are required to:

  • Comply with data protection policies and procedures.
  • Handle personal data securely.
  • Report suspected data breaches promptly.
  • Complete required data protection training.

3.3 Continuous Improvement

ENGINECAREPARTS.COM is committed to maintaining and continuously improving its Data Protection Management System (DPMS) through:

  • Regular reviews and audits.
  • Risk assessments.
  • Security testing.
  • Incident analysis.
  • Updates to policies and procedures.

3.4 Training and Awareness

The company provides regular data protection and information security awareness training to relevant personnel. Employees are informed of their responsibilities regarding the lawful handling of personal data and are required to maintain confidentiality.

4. Legal Framework in the Company

4.1 Applicable Legislation

ENGINECAREPARTS.COM complies with:

  • General Data Protection Regulation (EU) 2016/679 (GDPR)
  • UK GDPR
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • Consumer protection and e-commerce legislation where applicable

4.2 Industry-Specific Requirements

The company considers applicable requirements arising from:

  • E-commerce operations
  • Online payment processing
  • Customer account management
  • Marketing communications
  • Supplier and logistics relationships

4.3 Requirements of Internal and External Parties

The company takes into account:

  • Customer contractual requirements
  • Supplier agreements
  • Regulatory expectations
  • Industry standards and best practices
  • Security requirements imposed by third-party service providers

4.4 Lawful Basis for Processing

Personal data is processed only where a lawful basis exists, including:

  • Performance of a contract
  • Compliance with legal obligations
  • Legitimate interests
  • Consent where required
  • Protection of vital interests

5. Documentation

ENGINECAREPARTS.COM maintains appropriate records demonstrating compliance with GDPR, including:

  • Records of processing activities (ROPA)
  • Privacy notices
  • Consent records where applicable
  • Data processing agreements
  • Risk assessments
  • Data Protection Impact Assessments (DPIAs)
  • Incident records
  • Training records
  • Audit reports

5.1 Internal and External Inspections

The company conducts periodic reviews and audits to evaluate compliance with data protection requirements. External assessments may be undertaken where appropriate.

5.2 Data Protection Needs Assessment

Personal data is classified according to the required level of protection regarding:

Confidentiality
Protection against unauthorised access and disclosure.

Integrity
Protection against unauthorised modification or corruption.

Availability
Ensuring information remains accessible when required for legitimate business purposes.

6. Existing Technical and Organisational Measures (TOM)

ENGINECAREPARTS.COM implements appropriate technical and organisational measures in accordance with Article 32 GDPR.

6.1 Pseudonymisation

Where appropriate, personal data is pseudonymised to reduce privacy risks and minimise exposure of identifiable information. Measures include:

  • Limiting direct identifiers.
  • Use of unique reference numbers where practical.
  • Restricting access to identification keys.

6.2 Encryption

The company implements encryption measures including:

  • SSL/TLS encryption for website traffic.
  • Encrypted administrative access.
  • Encryption of sensitive data where appropriate.
  • Secure payment processing through PCI-compliant third-party providers.

6.3 Confidentiality

Access Control

  • Role-based access permissions.
  • Individual user accounts.
  • Strong password requirements.
  • Multi-factor authentication where available.
  • Periodic access reviews.

Entry Control

  • Secure office facilities.
  • Controlled access to premises.
  • Visitor management procedures where applicable.

Authorisation Control

  • Access granted based on business need.
  • Regular review of user permissions.
  • Immediate revocation of access upon termination of employment or contracts.

Separation Control

  • Logical separation of systems and environments.
  • Segregation of production and testing environments where applicable.
  • Restricted access to customer and employee data.

6.4 Integrity

Transfer Control

  • Secure electronic transmission protocols.
  • Encryption during data transmission.
  • Data sharing only with authorised recipients.

Input Control

  • Audit logs where technically feasible.
  • User accountability through authenticated access.
  • Change management procedures.

6.5 Availability and Resilience

Availability Control

  • Regular system backups.
  • Redundant hosting infrastructure where available.
  • Monitoring of critical systems and services.

Resilience Control

  • Security patch management.
  • Malware protection.
  • Firewall protection.
  • Business continuity planning.

6.6 Recoverability

The company maintains recovery procedures designed to restore the availability and access to personal data in a timely manner following physical or technical incidents. Measures include:

  • Scheduled backups.
  • Backup testing.
  • Disaster recovery planning.
  • Documented recovery procedures.

6.7 Procedures for Regular Review, Assessment and Evaluation

Data Protection Management System

ENGINECAREPARTS.COM maintains documented procedures to monitor compliance with GDPR requirements and improve data protection controls.

Incident Response Management System

The company has established procedures for:

  • Identifying security incidents.
  • Reporting incidents.
  • Investigating breaches.
  • Notifying supervisory authorities where required.
  • Communicating with affected individuals when necessary.

Data Protection by Design and Default

Privacy considerations are integrated into the design and implementation of new systems, processes, and services. Measures include:

  • Data minimisation.
  • Purpose limitation.
  • Restricted default access settings.
  • Security risk assessments.

Order Control (Processor Management)

Where third-party processors are engaged:

  • Data Processing Agreements (DPAs) are established.
  • Processors are assessed for security and compliance.
  • Ongoing monitoring of processor performance is conducted.
  • Appropriate safeguards are implemented for international data transfers.

7. Data Subject Rights

ENGINECAREPARTS.COM respects and facilitates the rights of individuals under GDPR, including:

  • Right to be informed.
  • Right of access.
  • Right to rectification.
  • Right to erasure.
  • Right to restrict processing.
  • Right to data portability.
  • Right to object.
  • Rights relating to automated decision-making and profiling.

Requests will be handled within statutory timeframes.

8. Data Breach Management

Any suspected personal data breach must be reported immediately to the Data Protection Lead. The company shall:

  • Assess the nature and severity of the breach.
  • Take immediate containment measures.
  • Document all breaches.
  • Notify relevant authorities where required.
  • Notify affected individuals when legally required.

9. Policy Review

This policy shall be reviewed at least annually or whenever significant changes occur to:

  • Applicable legislation.
  • Business operations.
  • Technology infrastructure.
  • Data processing activities.
  • Security risks.

Management is responsible for approving revisions and ensuring continued compliance.