The General Data Protection Regulation (GDPR) is effective in European Economic Area (“EEA”) countries from 25th May 2018.
GDPR gives you as an individual more rights over your data, and places greater obligations on organisations over how they obtain, hold and use your data.
Duke Marketing Ltd (Duke) is, for the purposes of this notice, both a controller and a processor of personal data. This notice will also detail third party organisations Duke works with who act as processors for the purpose of providing a better customer experience.
2. What does this privacy notice cover
This notice covers websites, physical shops, venues and other locations owned and operated by Duke Marketing Limited and its subsidiaries (“Duke”) and Terrific Travel Ltd trading as iomtt travel (“Terrific”) including dukevideo.com, iomtt.com, dukeaerialproductions.com and shop.iomtt.com.
Users of dukevideo.com, shop.iomtt.com, or users of other services in the Duke group can create a personal account. It is not necessary to create an account unless you wish to purchase goods or services from Duke in which case creation of an account is mandatory. In order to open an account we will collect the following personal data about you (the “Master Data”) at a minimum:
Your name (this will not be public)
Your email address (for online orders)
Your billing and postal address, and
Your phone number
This information is mandatory, which means that it will not be possible purchase directly from Duke via phone, mail, or website without it.
4. When do we collect data:
When you visit any of our websites and use your account to buy products and services.
When you make an online purchase and check out as a guest (in which case we just collect transaction-based data, plus your email address).
When you create an account with us.
When you purchase a product or service in-store or by phone but don’t have (or don’t use) an account.
When you engage with us on social media.
When you join Duke’s loyalty programme (Duke Club).
When you sign up to our eNewsletters (iomtt, iomtt travel or Duke Video)
When you contact us by any means with queries, complaints etc.
When you enter prize draws or competitions.
When you choose to complete any surveys we send you.
When you comment on or review our products and services. Any individual may access personal data related to them, including opinions - we currently utilise third-party provider TrustPilot to fulfill our review services.When you fill in any forms including but not limited to pre-order forms at the shops during The Isle of Man TT Races period, Isle of Man Festival of Motorcycling or at any shows.
When you’ve given a third party permission to share with us the information they hold about you.
When you use our shops or other venues which have CCTV systems operated for the security of both customers and staff. These systems may record your image during your visit.
When you fill in forms on the websites including contact forms or enquiry forms.
5. What data do we collect?
As mentioned in Accounts above, all transactions with Duke that involve posting an order will require master data consisting of name, email address, billing/delivery address, phone number.
In addition to transactions requiring master data we may also require individual data to fulfil other transactions. For example we will record your social media username in order to respond to queries via our social media channels, or your email address and name if you subscribe to our eNewsletters without opening an account.
We keep records of your order history and receipts. We do not keep records of any payment card details.
Records of communications with us by email, post, via shops or social media,
Details of your interactions with the websites and emails. Examples of this would include complaints and queries about products and services, items added to basket, products viewed, vouchers redeemed and media codes utilised.
Details about how you found the websites, where you arrived from, pages viewed and time of browsing. For the purposes of website security analysis we may internally log your IP address.
Your image may be recorded on CCTV when you visit the shops or other Duke venue.
To deliver the best possible web experience, we collect technical information about your internet connection and browser as well as the country and telephone code where your computer is located, the web pages viewed during your visit, the advertisements you clicked on, and any search terms you entered.
Your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback.
Our website search engine is built and maintained by Duke. Search terms are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by Duke.
Reviews and feedback. In order to provide a reliable, independent and verifiable review system we employ TrustPilot to provide a review service for good and services offered via Duke websites. Trustpilot requires your name, email address and order number.
Cookies are files placed on your device when you access the website. It allows the website to recognise your device and store some information about the user’s preferences or past actions
7. Why do we process your data?
Every time you interact with Duke or Terrific we want you to have a pleasant, enjoyable and rewarding experience. We process your data to provide the best customer experience we can, and to continually strive to improve that for you. In order to improve our services we need to study how and why our customers utilise our websites and the best way to do that is to collect the data we do.
We then use the data to customise the experience of the Duke and Terrific websites, the content of our emails and our social media marketing campaigns to fit with your interests and previous behaviour.
The use of this data in this way is covered under the legitimate use basis of GDPR - our business, and the provision of goods and services to you in an efficient and knowledgeable way is enhanced the use of your data in this way.
Of course, you can choose to change what data you provide and reserve consent on certain contact methods, however, we might not be able to serve you in the way in which you want to be served if you do choose to reserve your consent in this way.
8. How we use your personal data
To process any orders that you place using our websites, phone lines, catalogues, magazine promotions or shops. We cannot process any order without full master details. In certain circumstances we will have to share the details of your order with third parties for fulfilment. Examples of this include Isle of Man TT VIP Hospitality Experiences and any travel arrangements. In these instances we always ensure third parties apply the same rigorous standards when handling your data.
To respond to reviews, requests, complaints and other enquiries. When you contact us in these instances we need to use your data to enable us to respond fully and accurately. We may also keep a record of these interactions in order to ensure we respond fully and accurately to any future communication with us, and to show the history of our communications with you. We have an obligation to retain this data for legal purposes and in the legitimate interests of our business.
We use your personal data, to protect your account and our business from fraud. We do this on the basis of legitimate business interests.
To protect our staff, business and customers from crime we use CCTV on our premises. Your image may be recorded when you visit our shops or offices. The data we collect is stored for 24 hours. We do this on the basis of legitimate business interests
To process payments and to protect you from fraud. We do this on the basis of legitimate business interests.
To communicate with you about your account, your orders, updates to terms and conditions, this policy and similar reasons. These messages do not contain promotional content and do not require specific prior consent as we could not comply with our obligations without the use of your data.
With your consent we will use your data to communicate with you via email, telephone and internet to let you know about special offers, new products, discounts, competitions and similar. You can opt out from any or all of these channels at any time.
Where we hold a postal address for you we will send you a catalogue or other relevant communications by post in relation to special offers, new products, discounts, competitions and similar. We’ll do this on the basis of legitimate business interest. You can opt out of receiving offers by post at any time.
To administer prize draws, competitions and so on, based on the consent your grant upon entering the competition.
To send you survey requests, review requests and feedback on our goods and services. These requests do not contain promotional material and do not require prior consent as they are intended to help improve our service to you. You can unsubscribe from these emails at any time.
We combine data about you from multiple sources to form a richer picture of you and our customer base as a whole to inform business decisions and to make your customer experience a better one.
For Duke Club members: We hold specific information on your purchase history to enable the administration of points on behalf of the Duke Club customer reward scheme. We do this on the basis of the consent granted when you join the Duke Club.
For the prevention and detection of crime and to comply with court orders, to comply with our contractual or legal obligations to share data with law enforcement.
9. How do we protect your personal data?
We utilise industry best practice to ensure our online operations employ a high level of security: all areas of our websites use ‘https’ technology and payment details use a secured, tokenized system to provide greater peace of mind and security.
Your personal data is password-protected, and we closely monitor our system for possible vulnerabilities and attacks.
10. How long will we keep your personal data.
In the case of any order placed with Duke we have a statutory obligation to hold the data for a period of seven years for accounting and auditing purposes. In some instances that period may be extended but we will never keep the data for longer than is strictly necessary.
Inactive accounts will be flagged after seven years of no activity and we will contact you to ask us whether you want to retain the account. Unless you reply in the affirmative we will delete the data associated with it (with the exception of data we must keep for statutory purposes).
Where we hold data from competitions, surveys, promotions or similar and the respondent is not otherwise a Duke customer we will hold the data for as long as is necessary for the original purpose for which the data was collected, or six months, whichever is shorter.
In all circumstances we will not hold your data for longer than is necessary for the purpose for which it was collected, at the end of that period we will delete or completely anonymise the data.
11. Who do we share your personal data with?
In the process of doing business and providing services to you we may share your data with selected trusted third parties who help to facilitate our business processes.
Our policies govern how we select partners to work with, what data we share with them, how they protect your data and how they handle your data.
All our third party partners operate in compliance with GDPR rules.
We ensure third parties not within the EEA comply with all regulatory requirements under GDPR and provide equivalent safeguards.
They may only use your data for the exact purposes we specify - third party partners cannot use your data for their own purposes, resell or share your data with other companies.
If we cease to operate with any third party partner they must destroy any data we have shared with them.
We vet any potential third party partner to ensure they employ the highest standards of security to ensure data is safe at all times.
We only share data relevant to the service our third party partners provide - we do not make all your data available by default.
What sort of third party partners do we work with?
Delivery Services, couriers, postal aggregators etc
Suppliers such as Red Torpedo, Veloce Publishing, Haynes Publishing, RST, Retro Classic, Isle of Man Post Office - these companies only process your data for the purpose of fulfilling your order, the data is not used for any other purpose.
Travel and accommodation suppliers including airlines, ferry companies, hotels, campsites, aggregators, The Travel Trust Association and other suppliers.
Website and email services including Vero, Loggly, Smartlook.
Software companies who provide services to Duke, including FrontApp, Travel Trust Association.
Payment service providers including Braintree, WorldPay and Commidea.
Google, Facebook, Twitter to show you products that might interest you whilst you are browsing the internet.
Professional advisors such as auditors.
Sharing your data with third party partners for their own purposes
Our general policy is to not share your data with any third parties for their own purposes unless it is to comply with law enforcement, statutory authorities or regulatory bodies. Requests of this nature will be handled on a case by case basis.
However, in very specific circumstances we may enter into an agreement with a third party which requires us to share your data in a way that it will be controlled and processed by a third party.
Examples are joint promotions with third parties - this would still require you to tick a box to show your consent for us to share your data with the third party for their marketing purposes.
Sale of the business: If Duke were to sell any or all parts of the business your data - under the terms of this privacy notice - may be transferred to the new owner.
12. Jurisdictions where your data may be processed
Some of our business transactions require us to share your personal data with third parties and suppliers outside of the European Economic Area
We may transfer personal data that we collect to countries that are outside of the EEA, such as Australia and USA. This might be to fulfil your order, to provide services related to the running of our website or emails or to process your payment.
We only use services which will treat your data in the same way as if it was being processed within the EEA.
For more details about this please contact our data protection officer.
13. We are committed to ensuring your data is used in the manner in which you want it used.
Your rights over your data are clear:
GDPR provides the following rights for individuals:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
This Privacy Notice informs you of how, why and when we collect and process your data, and of your rights over your data.
You can access your personal data via your account or through a request to our Data Protection Officer. Write to “Data Protection Officer, Duke Marketing Ltd, Champion House, PO Box 46, Douglas, Isle of Man IM99 1DD,” or email firstname.lastname@example.org In most cases access to your data should be free of charge.
Any errors or inaccuracies in your data can be corrected by accessing your account or by speaking to our customer services team on +44 (0) 1624 640 000. Please note we will need to verify your identity before making changes to personal data.
The right to erasure. Where you withdraw your consent for us to hold your data we will destroy or anonymise your data wherever possible with due consideration for your rights and our legitimate business interests and statutory obligations
The right to restrict processing: You can request that we stop any consent-based processing of your personal data after you withdraw that consent.
Right of data portability: You can request a copy of the personal data your have supplied to us. Please note, if your request is deemed excessive or manifestly unfounded we can request a ‘reasonable fee’ or refuse to comply with the request. In either case we will explain the reasons for our decision.
Right to object: You can opt out of your personal data being used for direct marketing (either through specific channels, or all channels) - you can do this via your account, over the phone, via email or by written instruction.
If we choose not to action your request we will explain to you the reasons for our refusal.
Your right to withdraw consent
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.
Where we rely on our legitimate interest
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation.
We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.
Checking your identity
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice.
If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
14. Job applicants, current and former Duke employees
Duke is the data controller for the information you provide during the process unless otherwise stated. If you have any queries about the process or how we handle your information please contact us at email@example.com
What will we do with the information you provide to us?
All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
What information do we ask for, and why?
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it might affect your application if you don’t.
We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and potentially for answers to questions relevant to the role you have applied for. A recruitment team made up of Directors and managers for the relevant role will have access to all of this information.
We do not ask you to provide equal opportunities information. This is not mandatory information – if you don’t provide it, it will not affect your application. This information will not be made available to any staff outside of our recruitment team, including hiring managers, in a way which can identify you. Any information you do provide, will be used only to produce and monitor equal opportunities statistics.
Our hiring managers shortlist applications for interview.
We might ask you to participate in assessments; complete tests or occupational personality profile questionnaires; and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held only by Duke.
If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of six months. If you say yes, we would proactively contact you should any further suitable vacancies arise.
We are required to confirm the identity of our staff, their right to work in the Isle of Man and we will also seek assurance as to their trustworthiness, integrity and reliability.
You will therefore be required to provide:
Proof of your identity – you will be asked to attend our office with original documents, we will take copies.
Proof of your qualifications – you will be asked to attend our office with original documents, we will take copies.
You will be asked to complete a criminal records declaration to declare any unspent convictions.
We will contact your referees, using the details you provide in your application, directly to obtain references
You may be asked for proof of your Manx worker status
If we make a final offer, we will also ask you for the following:
Bank details – to process salary payments
Emergency contact details – so we know who to contact in case you have an emergency at work
Membership of a pension scheme – so we can inform our company pension adviser, should you require it.
By using our services or providing your personal data to us, you expressly consent to the processing of your personal data by us or on our behalf. Of course, you still have the right to ask us not to process your data in certain ways, and if you do so, we will respect your wishes.
15. Transfer of data
Sometimes we’ll need to transfer your personal data between countries to enable us to supply the goods or services you’ve requested. In the ordinary course of business, we may transfer your personal data from your country of residence to ourselves and to third parties located in the UK or Isle of Man.
By dealing with us, you are giving your consent to this overseas use, transfer and disclosure of your personal data outside your country of residence for our ordinary business purposes.
This may occur because our information technology storage facilities and servers are located outside your country of residence, and could include storage of your personal data on servers in the UK and Isle of Man.
We’ll ensure that reasonable steps are taken to prevent third parties outside your country of residence using your personal data in any way that’s not set out in this Privacy Notice. We’ll also make sure we adequately protect the confidentiality and privacy of your personal data.
We’ll ensure that any third parties process your personal data only in accordance with their legitimate interests. These third parties may be subject to different laws from those which apply in your country of residence. Please note that we do not take active steps to ensure that any overseas recipient of your personal data complies with the laws which apply in your country.
For the purposes of this Privacy Notice, ‘personal data’ means any information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion is true, and whether or not the information or opinion is recorded in a material form.
If you are in Australia you may submit any questions, comments or complaints to our Isle of Man-based Data Protection Officer who will come back to you within 30 days.
If you are contacting us to complain about an alleged breach of this Privacy Notice or our legal privacy obligations, please provide us with as much detail as possible in relation to your complaint.
We will take every privacy complaint seriously and assess it with the aim of resolving all issues quickly and efficiently. We’d be grateful for your cooperation with us during this process by providing us with any relevant information that we made need.
If we have not come back to you within 30 days, or you are not happy with the response that you’ve received, you may submit a complaint to the Office of the Australian Information Commissioner.
We are committed to keeping your personal information secure and will take all reasonable precautions to protect it from loss, misuse or unauthorised access or alteration. However, except to the extent liability cannot be excluded due to the operation of statute, we exclude all liability (including in negligence) for the consequences of any unauthorised access to, disclosure of, misuse of or loss or corruption of your personal information.
Nothing in this Privacy Notice restricts, excludes or modifies or purports to restrict, exclude or modify any statutory consumer rights under any applicable law including the Competition and Consumer Act 2010 (Cth).
To learn more about our cookies and website ‘track’ and ‘do not track’ practices please see our Cookies Notice.
As your data may be transferred to third parties outside Canada, local police or other enforcement, regulatory or Government bodies may have access to that data, with or without our knowledge.
The personal data we process may be accessed by people within the Partnership, or by our third-party service providers, who require access for the purposes indicated in this Privacy Notice, or as may be permitted or required by applicable law. The personal data we collect is largely held in the Isle of Man or UK.
If you have any questions, please contact our Data Protection Officer.
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal information, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada, or in some Canadian provinces, your local Privacy Commissioner.
South Korea, Malaysia, Singapore, Qatar
Terms used in this Privacy Notice shall have the meanings assigned to them by the Personal Data Protection Act 2010 (also known as the PDPA).
By placing an order with us, opening an account, browsing our website and/or agreeing to receive digital direct marketing communications, you agree that we may process your personal data as described in this Privacy Notice and our Cookies Notice, including for analytics and research into website use.
When you agree to receive direct marketing emails from us, we’ll send you promotions on products we sell at Duke
If you are in Hong Kong you may submit a complaint to our Isle of Man-based Data Protection Officer who will come back to you within 30 days. If we have not come back to you or you are not happy with the response that you receive, you may submit a complaint to the Office of the Privacy Commissioner for Personal Data.
16. Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 24th May 2018
17. How to contact us
Duke Marketing Limited
Isle of Man