Records of Processing Activities (ROPA)

Company: Car Market Me Limited
Data Controller: Car Market Me Limited
Address: 37 Borth Avenue, Offerton, Stockport, SK2 6AJ, United Kingdom
Contact: info@carmarketmiddleeast.com
Date Prepared: January 2025
Last Reviewed: January 2025
Next Review Date: January 2026

Document Purpose

This document records all processing activities carried out by Car Market Me Limited in compliance with:

  • UK General Data Protection Regulation (UK GDPR) Article 30
  • Data Use and Access Act 2025
  • UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection

This ROPA must be made available to the Information Commissioner’s Office (ICO) or UAE Data Office upon request.

Processing Activity 1: Dealer Account Management

Basic Information

  • Processing Activity Name: Dealer Account Registration and Management
  • Data Controller: Car Market Me Limited
  • Controller Contact: info@carmarketmiddleeast.com

Purpose of Processing

  • Create and maintain dealer accounts on the platform
  • Enable dealers to list vehicles for sale
  • Communicate with dealers about their account and services
  • Provide customer support
  • Comply with legal obligations

Legal Basis for Processing

  • UK GDPR: Article 6(1)(b) – Performance of contract
  • UK GDPR: Article 6(1)(f) – Legitimate interests (platform operation)
  • UAE PDPL: Article 4 – Consent and legitimate purpose
  • Consent obtained: Yes, at registration

Categories of Data Subjects

  • Vehicle dealers (businesses and individuals)
  • Business owners and authorized representatives
  • Located primarily in: Middle East (UAE, Saudi Arabia, etc.)

Categories of Personal Data

Business Information:

  • Business name and trading name
  • Business registration number
  • Business address
  • Business type/category

Contact Person Information:

  • Full name
  • Job title/position
  • Email address
  • Phone number
  • Professional contact details

Account Information:

  • Username
  • Encrypted password
  • Account creation date
  • Last login date
  • Account status (active/suspended)
  • Subscription/payment history (if applicable)

Categories of Recipients

  • Internal staff (customer support, technical team)
  • IT service providers (hosting, email services)
  • Payment processors (if applicable)
  • Law enforcement (if legally required)

International Transfers

  • From: Middle East (UAE and surrounding countries)
  • To: United Kingdom (where data is stored and processed)
  • Safeguards: UK maintains adequate data protection standards; explicit consent obtained from UAE users
  • Transfer mechanism: Consent under UAE PDPL Article 26

Retention Period

  • Active accounts: Duration of business relationship
  • Closed accounts: 6 years after account closure (for legal/tax purposes)
  • Deletion: After retention period, data is securely deleted

Technical and Organizational Security Measures

  • Encrypted password storage (hashing with salt)
  • SSL/TLS encryption for data transmission
  • Access controls and authentication
  • Regular security updates and patches
  • Firewall protection
  • Regular backups with encryption
  • Access logging and monitoring
  • Staff training on data protection

Processing Activity 2: Vehicle Listings Management

Basic Information

  • Processing Activity Name: Vehicle Advertisement Listings
  • Data Controller: Car Market Me Limited
  • Controller Contact: info@carmarketmiddleeast.com

Purpose of Processing

  • Display vehicle advertisements on the platform
  • Enable buyers to search and browse vehicles
  • Facilitate contact between buyers and sellers
  • Maintain platform functionality

Legal Basis for Processing

  • UK GDPR: Article 6(1)(b) – Performance of contract
  • UK GDPR: Article 6(1)(f) – Legitimate interests
  • UAE PDPL: Consent and legitimate purpose
  • Consent obtained: Yes, through dealer agreement

Categories of Data Subjects

  • Vehicle dealers who post listings
  • Located primarily in: Middle East

Categories of Personal Data

Vehicle Information (Non-Personal):

  • Make, model, year, specifications
  • Price and condition
  • Location (city/region only)
  • Images and descriptions

Dealer Contact Information (Publicly Displayed):

  • Business name
  • Display phone number (if dealer chooses to display)
  • Business location
  • Listing date

Categories of Recipients

  • Public website visitors (anyone can view listings)
  • Search engines (indexed for SEO)
  • Internal staff for moderation

International Transfers

  • From: Middle East
  • To: United Kingdom (data storage)
  • Publicly accessible: Yes (website is public)
  • Safeguards: Information is intentionally made public by dealers

Retention Period

  • Active listings: Duration of listing (until removed by dealer)
  • Deleted listings: 30 days (for backup purposes)
  • Historical records: Up to 2 years (for business analytics)

Technical and Organizational Security Measures

  • Image upload scanning for malware
  • Content moderation for inappropriate material
  • Rate limiting to prevent scraping
  • Regular backups
  • Access controls for modification

Processing Activity 3: Buyer Enquiry Processing

Basic Information

  • Processing Activity Name: Buyer Vehicle Enquiries
  • Data Controller: Car Market Me Limited (acting as intermediary)
  • Controller Contact: info@carmarketmiddleeast.com

Purpose of Processing

  • Forward buyer enquiries to relevant dealers
  • Facilitate communication between buyers and sellers
  • Maintain records for customer support
  • Improve platform services

Legal Basis for Processing

  • UK GDPR: Article 6(1)(a) – Consent
  • UAE PDPL: Explicit consent
  • Consent obtained: Yes, at point of enquiry submission

Categories of Data Subjects

  • Potential vehicle buyers
  • General public interested in vehicles
  • Located primarily in: Middle East

Categories of Personal Data

Enquiry Information:

  • Full name
  • Email address
  • Phone number (optional)
  • Enquiry message content
  • Vehicle of interest (reference)
  • Date and time of enquiry
  • IP address (for fraud prevention)

Categories of Recipients

  • Primary recipient: The specific dealer who listed the vehicle
  • Internal staff (for customer support only)
  • Email service provider
  • Law enforcement (if legally required)

International Transfers

  • From: Middle East (enquiry origin)
  • To: United Kingdom (temporary processing)
  • To: Middle East dealer (final recipient)
  • Safeguards: Explicit consent obtained; SSL encryption

Retention Period

  • Active enquiries: 90 days
  • Resolved enquiries: 1 year (for customer support)
  • After retention: Securely deleted

Technical and Organizational Security Measures

  • SSL/TLS encryption in transit
  • Encrypted database storage
  • Access restricted to authorized personnel
  • Anti-spam and fraud detection
  • Rate limiting
  • Immediate forwarding to minimize storage duration
  • Automated deletion after retention period

Processing Activity 4: Website Analytics and Cookies

Basic Information

  • Processing Activity Name: Website Analytics and Performance Tracking
  • Data Controller: Car Market Me Limited
  • Controller Contact: info@carmarketmiddleeast.com

Purpose of Processing

  • Understand website usage patterns
  • Improve user experience
  • Monitor website performance
  • Detect technical issues
  • Prevent fraud and abuse

Legal Basis for Processing

  • UK GDPR: Article 6(1)(a) – Consent (for non-essential cookies)
  • UK GDPR: Article 6(1)(f) – Legitimate interests (for essential cookies)
  • UAE PDPL: Consent
  • Consent obtained: Yes, through cookie banner

Categories of Data Subjects

  • All website visitors
  • Global audience (primarily Middle East focus)

Categories of Personal Data

Technical Data:

  • IP address (anonymized where possible)
  • Browser type and version
  • Device type (mobile, desktop, tablet)
  • Operating system
  • Screen resolution
  • Referring website
  • Pages visited
  • Time spent on pages
  • Click paths
  • Session duration
  • Geographic location (country/city level)
  • Cookie identifiers

Categories of Recipients

  • Internal staff (marketing, IT, management)
  • Analytics service providers (e.g., Google Analytics, if used)
  • No third parties for marketing purposes

International Transfers

  • From: Global visitors (mainly Middle East)
  • To: United Kingdom (our servers)
  • To: USA (if using Google Analytics or similar)
  • Safeguards:
    • Data Processing Agreements with third parties
    • IP anonymization enabled
    • Consent obtained via cookie banner

Retention Period

  • Cookie data: As long as cookies remain active (varies by cookie type)
  • Analytics data: 12-26 months (depending on service provider settings)
  • Essential cookies: Session duration only

Technical and Organizational Security Measures

  • IP anonymization
  • Cookie consent management platform
  • Secure cookie flags (HttpOnly, Secure)
  • Regular audit of cookies in use
  • User ability to delete/manage cookies
  • Minimal data collection principle

Processing Activity 5: Marketing Communications (If Applicable)

Basic Information

  • Processing Activity Name: Email Marketing and Newsletters
  • Data Controller: Car Market Me Limited
  • Controller Contact: info@carmarketmiddleeast.com

Purpose of Processing

  • Send newsletters about new features and vehicles
  • Promote platform services
  • Share industry news and updates
  • Announce new dealer partnerships

Legal Basis for Processing

  • UK GDPR: Article 6(1)(a) – Consent
  • UAE PDPL: Explicit consent
  • Consent obtained: Yes, through opt-in checkbox (never pre-ticked)

Categories of Data Subjects

  • Dealers who opted in
  • Buyers who opted in
  • Newsletter subscribers
  • Located in: Middle East and globally

Categories of Personal Data

  • Email address
  • Name (if provided)
  • Subscription date
  • Email engagement data (opens, clicks)
  • Preferences/interests
  • Unsubscribe requests

Categories of Recipients

  • Internal marketing team
  • Email service provider (e.g., Mailchimp, SendGrid)
  • No sharing with third parties for their marketing

International Transfers

  • From: Middle East subscribers
  • To: United Kingdom (processing)
  • To: Email service provider location (varies)
  • Safeguards: Standard contractual clauses with email provider

Retention Period

  • Active subscribers: Duration of subscription
  • Unsubscribed: 30 days (to honor unsubscribe and prevent re-adding)
  • Engagement data: 2 years

Technical and Organizational Security Measures

  • Double opt-in confirmation (recommended)
  • One-click unsubscribe in every email
  • Encrypted email transmission
  • Secure database storage
  • Regular list cleaning
  • Suppression list for unsubscribes
  • Access controls

Processing Activity 6: Customer Support and Communications

Basic Information

  • Processing Activity Name: Customer Support Tickets and Communications
  • Data Controller: Car Market Me Limited
  • Controller Contact: info@carmarketmiddleeast.com

Purpose of Processing

  • Respond to customer inquiries
  • Resolve technical issues
  • Handle complaints
  • Provide account assistance
  • Improve customer service

Legal Basis for Processing

  • UK GDPR: Article 6(1)(b) – Performance of contract
  • UK GDPR: Article 6(1)(f) – Legitimate interests
  • UAE PDPL: Legitimate purpose and consent

Categories of Data Subjects

  • Dealers with support requests
  • Buyers with inquiries
  • General website users

Categories of Personal Data

  • Name
  • Email address
  • Phone number (if provided)
  • Account information
  • Support ticket history
  • Communication content
  • Date and time of contact

Categories of Recipients

  • Customer support team
  • Technical support team
  • Management (for escalations)
  • Help desk software provider (if applicable)

International Transfers

  • From: Middle East
  • To: United Kingdom
  • Safeguards: Standard contractual clauses if third-party tools used

Retention Period

  • Open tickets: Until resolved
  • Closed tickets: 3 years
  • After retention: Securely deleted

Technical and Organizational Security Measures

  • Secure help desk system
  • Access controls
  • Encryption of stored communications
  • Staff training on confidentiality
  • Regular backup

Data Processors Used

Processor Name | Service Provided | Location | Data Processed | Safeguards
[Web Hosting Provider] | Website hosting | [Location] | All platform data | DPA signed, ISO 27001 certified
[Email Service] | Transactional emails | [Location] | Email addresses, names | DPA signed, GDPR compliant
[Analytics Provider] | Website analytics | [Location] | Anonymized visitor data | DPA signed, IP anonymization
[Payment Processor] | Payment processing | [Location] | Payment details | PCI-DSS compliant, DPA signed

Note: Update this table with your actual service providers

Data Subject Rights Procedures

How Data Subjects Can Exercise Their Rights

Contact Methods:

  • Email: info@carmarketmiddleeast.com
  • Mail: 37 Borth Avenue, Offerton, Stockport, SK2 6AJ, United Kingdom
  • Account settings portal (for registered users)

Rights Available

  1. Right of Access – Request copy of data held
    • Response time: Within 30 days
    • Fee: Free (unless excessive)
  2. Right to Rectification – Correct inaccurate data
    • Response time: Within 30 days
    • Process: Identity verification, then update
  3. Right to Erasure – Delete data (“right to be forgotten”)
    • Response time: Within 30 days
    • Exceptions: Legal obligations, legitimate interests
  4. Right to Restrict Processing – Limit how data is used
    • Response time: Within 30 days
    • Implementation: Flag account/data
  5. Right to Data Portability – Receive data in structured format
    • Response time: Within 30 days
    • Format: CSV or JSON
  6. Right to Object – Object to processing
    • Response time: Immediate consideration
    • Assessment: Balance with legitimate interests
  7. Right to Withdraw Consent – Remove consent at any time
    • Process: Immediate upon request
    • Effect: Stop processing requiring consent

Identity Verification Process

  • Request submitted via registered email, OR
  • Provide account details and answer security questions, OR
  • Government-issued ID for high-risk requests

Escalation

If the data subject is unsatisfied:

  • UK: Information Commissioner’s Office (ICO) – https://ico.org.uk
  • UAE: Telecommunications and Digital Government Regulatory Authority (TDRA)

Data Breach Response Plan

Detection and Assessment

  1. Identify the breach
  2. Contain the breach
  3. Assess severity and risk to individuals

Notification Requirements

To ICO (UK):

  • Within 72 hours if risk to individuals’ rights and freedoms
  • Report via ICO website portal

To UAE Data Office:

  • Within timeframe specified in regulations
  • Via designated reporting mechanism

To Affected Individuals:

  • Without undue delay if high risk
  • Via email or prominent website notice
  • Include: nature of breach, likely consequences, measures taken, contact point

Documentation

  • Maintain record of all breaches (even if not reportable)
  • Include: facts, effects, remedial action

Review and Updates

Regular Review Schedule

  • ROPA Review: Quarterly (minimum annually)
  • Policy Reviews: Annually or when changes occur
  • Security Measures: Quarterly assessment
  • Staff Training: Annually (minimum)

Change Management

When processing activities change:

  1. Update this ROPA within 30 days
  2. Assess if new DPIA required
  3. Update privacy policy if necessary
  4. Notify data subjects if material change
  5. Update consent mechanisms if needed

Approval and Sign-Off

  • Prepared by: [Name, Position]
  • Reviewed by: [Name, Position]
  • Approved by: [Name, Position, Date]

Contact for ROPA Questions

Data Protection Lead
Car Market Me Limited
Email: info@carmarketmiddleeast.com
Address: 37 Borth Avenue, Offerton, Stockport, SK2 6AJ, United Kingdom

Appendix: Glossary

  • Data Controller: Organization determining purposes and means of processing personal data
  • Data Processor: Organization processing data on behalf of the controller
  • Data Subject: Individual whose personal data is being processed
  • Personal Data: Any information relating to an identified or identifiable individual
  • Processing: Any operation performed on personal data
  • Consent: Freely given, specific, informed, and unambiguous indication of agreement
  • Legal Basis: Lawful reason for processing personal data under GDPR/PDPL

Document Version: 1.0
Last Updated: January 2025
Next Review: January 2026