• This IoT Privacy Notice provides guidance and information to GDC Group Ltd (registered in England and Wales No.01313016) trading as Glen Dimplex Heating and Ventilation (“GDHV”) customers regarding the processing of their personal data.

• GDHV ("us", "we" or "our") is committed to protecting and respecting your privacy. This IoT Privacy Notice sets out the basis on which any personal data we collect from you or that you provide to us will be processed by us. Please read this IoT Privacy Notice carefully to understand our treatment and use of personal data.

• In this IoT Privacy Notice, references to “you” means the person whose personal information we collect, use and process.

• We will use your personal data only for the purposes and in the manner set forth below, which describes the steps we take to ensure the processing of your personal data is in compliance with the Data Protection Acts 2018 and any subsequent data protection and privacy legislation, European Union Law including Regulation (EU) 2016/679, known as the General Data Protection Regulation or GDPR and any subsequent amendments (collectively referred to as “Data Protection Legislation”).

• For the purposes of Data Protection Legislation, the Data Controller is GDHV.

• GDHV and their affiliated companies will be referred to collectively as the “Glen Dimplex Group”.

If you have any questions, comments or requests regarding this policy or how we use your personal data please use the below contact details:

Mainland UK

Privacy: gdhvprivacy@glendimplex.com

Customer Service: 0353 1 842 4833 / Contact Form

How and why do we process your personal data?

The personal data we collect from you or through our systems helps us manage our relationship with you, e.g. collection of appliance data to provide remote diagnostics service, but also to comply with our legal obligations or for the conduct of our business. The personal data we collect, the basis of processing and the purposes of processing are detailed below. Sometimes, these activities are carried out by third parties, including other members of the Glen Dimplex Group (see “Sharing of Personal Data” section below).

Where do we obtain my personal data from?

Most of the personal data we process is obtained from you when you enter into a contract with us, but we also obtain personal data about you in the course of the performance of your contract with us, including the collection of personal data in order to create an account and to provide device control functionality. We will also obtain your email address from another customer in the event that customer requests that you are added to a Dimplex Control account and such data will be processed in accordance with this document.

In some circumstances, we may request your explicit consent to process (specific types of) personal data. In these circumstances, you are able to withdraw your consent at any time by following the instructions provided when you gave consent or at the contact details below.

Our Group Companies

Personal data will only be shared across the Glen Dimplex Group in certain circumstances and where lawful to do so, i.e. it may be necessary to share your personal data with other members of the Glen Dimplex Group, which includes our ultimate holding company and its subsidiaries for the purposes of our business management, including workforce management and administration, management information, forecasting and other related functions.

Access rights between members of the Glen Dimplex Group are limited and granted only on a need to know basis, depending on job functions and roles.

Service Providers 

We use third party service providers who provide services e.g. Service Engineers and Installation Services Providers. In providing the services, your personal data will, where applicable, be processed by the service provider on our behalf.

We will check any third party that we use to ensure that they can provide sufficient guarantees regarding the confidentiality and security of your personal data. We will have written contracts with them which provide assurances regarding the protections that they will give to your personal data and their compliance with our data security standards and international transfer restrictions.

Disclosures to Third Parties

In certain circumstances, we share and/or are obliged to share your personal data with third parties outside the Glen Dimplex Group, for the purposes described above and in accordance with Data Protection Legislation.

These thid parties include:

• energy utility companies that provide your energy services
• regulatory authorities
• financial institutions
• tax authorities
• auditors
• relevant industry bodies
• external professional advisors
• others, where it is permitted by law, or where we have your consent.

Your personal information may be transferred, stored and processed in one or more countries outside the European Economic Area (“EEA”), for example, when one of our service providers use employees or equipment based outside the EEA. For transfers of your personal data to third parties outside of the EEA, we take additional steps in line with Data Protection Legislation. We have put in place adequate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercise of your rights, e.g. we establish an adequate level of data protection through EU Standard Contractual Clauses based on the EU commission’s model clauses.

If you would like to see a copy of any relevant provisions, please contact the data protection officer (see “Contact Us” section above).

We operate and use appropriate technical and physical security measures to protect your personal data.

We have in particular taken appropriate security measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access, in connection with the customer relationship. Access is only granted on a need-to-know basis to those people whose roles require them to process your personal data. In addition, our service providers are also selected carefully and required to use appropriate protective measures.

We will keep your personal data for as long as it is necessary to fulfil the purposes for which it was collected as described above and in accordance with our legal and regulatory obligations. This may mean that some information is held for longer than other information.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.

You may have various rights under data protection legislation in your country (where applicable).

These may include (as relevant):

Without prejudice to any other administrative or judicial remedy you might have, you may have the right under data protection legislation in your country (where applicable) to lodge a complaint with the relevant data protection supervisory authority in your country if you consider that we have infringed applicable data protection legislation when processing your personal data. This means the country where you are habitually resident, where you work or where the alleged infringement took place.

The UK Information Commissioners Office contact details can be found here.

We reserve the right to change this IoT Privacy Notice at any time. If we make changes we will notify you of such changes so that you can see what information we gather, how we might use that information and in what circumstances we may disclose it.