Privacy policy

This privacy policy sets out how Wainman Racing Shop uses and protects any information that you give Wainman Racing Shop when you use this website.

Wainman Racing Shop is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.

Wainman Racing Shop may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 22nd July 2011.

What we collect

We may collect the following information:

  • name

  • contact information including email address

  • demographic information such as postcode, preferences and interests

  • other information relevant to customer surveys and/or offers

What we do with the information we gather

We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:

  • Internal record keeping.

  • We may use the information to improve our products and services.

  • We may periodically send promotional emailsabout new products, special offers or other information which we think you may find interesting using the email address which you have provided.
  • From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail. We may use the information to customise the website according to your interests.


We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure,we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

How we use cookies

A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Controlling your personal information

You may choose to restrict the collection or use of your personal information in the following ways:

  • whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes

  • if you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at


The GDPR in summary

Here are the key areas of the GDPR, with particular reference to the EU Directive 95/46 data protection directive.

Individual rights – and informing people about them

The current EU data protection legislation (Directive 95/46) gives individuals rights over their personal data and describes what information individuals have to be provided with by business, including information about what that business was going to do with that personal data. Often this was done via privacy statements or notifications provided on a website.

The GDPR extends this significantly, providing additional rights that must again be communicated to individuals. In particular individuals must be informed that they have the following (non-exhaustive) rights:

  1. to complain to supervisory authorities, such as the ICO in the UK;
  2. to withdraw their consent to processing of their personal data (see below);
  3. to access their personal data and have it rectified or erased (the ‘right to be forgotten’) by the business and also any third-parties that have accessed it;
  4. to be informed of the existence of any automated personal data processing (including profiling);
  5. to object to certain types of processing, e.g direct marketing and decisions based solely on automated processing;
  6. to be told how long their personal data will be held for;
  7. to be provided with details of any appointment Data Protection Officer (see Below).

In addition, individuals have the right to ask non-profit organisations to exercise rights and bring claims on their behalf, similar to a US style class action.


If you are collection data based on the consent of individuals, while EU data protection legislation has always required such consent to be freely-given specific and informed, with the GDPR this has to be confirmed by a statement or other clear affirmative action. In words, pre-ticked consent boxes on websites, or silence/inactivity on behalf of the individual after reviewing a privacy statement, will not constitute consent.

Additionally, consent cannot be one-size-fits-all, so business can’t be use and individuals single consent at one stage in their business dealings a consent for other kinds of personal data processing. Separate consents are required for different personal data processing operations.

Finally, individuals must not only be informed they have the right to withdraw consent at any time but it must be easy for them to withdraw consent as it was to give it.

Existing consents given by individuals should be revisited to make sure that they comply with the requirements of the GDPR. If there are conflicts or ambiguities then companies will need to either establish a new lawful basis for processing the data (e.g it’s necessary for the performance of a contact), get a new consent, or cease processing that personal data.

Right to move or transfer personal data (data portability)

Individuals now have the right to move, copy or transfer their personal data from one place to another, even to a competitor. For example, a playlist might be generated for a user by a music service, and should they switch to a new provider then they can take this with them. As such, the personal data needs to be in a structured, commonly-used and machine-readable format so it can easily be utilised and shared.

The requirement to make data truly portable and easy-to-use by others is likely to incur significant IT adjustments and therefore costs.

Much wider scope

Put simply, the GDPR makes liable for breaches not just the business that collects the personal data, but also any third-party that processes the personal data on behalf of that business, whether that’s another business, organisation, or individual. However, this does not mean a business can simply hand the personal data to a third-party and then cast a blind eye. The business must ensure the third-party supplier is also compliant with the GDPR.

Additionally, the potential geographical scope is extended beyond just the EU to any business—or again to any third-party processing personal data on its behalf—who offers goods or services to individuals in the EU, or who monitors the behaviour of individuals in the EU. Notably, it doesn’t matter whether or not payment is required for the goods or services, so the likes of charities and NGOs fall under the GDPR.

Because the EU is a trading partner of most countries, the GDPR’s wider scope means it has implications for many businesses worldwide, and will effectively require them to be compliant if they wish to operate in EU member states either directly or as a third-party for others.

Proof of compliance

It’s not enough to merely comply with the GDPR. A business needs to prove it’s doing so under the GDPR’s requirement for “accountability”, and this means complying with some rather onerous record-keeping requirements. In particular, records should be maintained that detail processing activities*, subject access requests, breaches, how consents are obtained, and Privacy Impact Assessments (see below).

This requirement again also affects those third-parties processing personal data on a business’ behalf, although the requirements are not as detailed.

* Applies to companies employing more than 250 people, or companies employing fewer people where the processing carried out is likely to result in a risk to the rights and freedoms of individuals, is not occasional, or includes Special Categories of Data, such as information on health, religion or sexual orientation.

Privacy from start to finish

Technical and organisational measures need to be in place throughout the lifetime of the personal data to match the privacy expectations of the individual—from inception through to execution and finally cessation of that activity. This is referred to as “Privacy by Design”, meaning that privacy considerations must be built into every aspect of that processing by design.

Additionally, only the personal data strictly required for that purpose should be actually processed— something referred to as data minimisation or “Privacy by Default”.

In reality, implementing Privacy by Design and Privacy by Default will involve continuous training, undertaking regular audits, minimising the data collected, restricting access to personal data to a need to know basis, and implementing appropriate technical and organisational security measures such as pseudonymisation and encryption.

General Data Protection Regulation (GDPR): The Sage quick start guide for businesses 6

Mandatory breach reporting

In the event of a breach of the GDPR, companies collecting personal data must tell supervisory authorities—such as the ICO in the UK—within 72 hours of becoming aware. Third- parties processing the personal data on behalf of those companies must tell that business without undue delay.

If the breach poses a high risk to the individuals concerned, companies must also notify the affected individuals without undue delay.

Data Protection Officer (DPO)

Under the GDPR companies and any third-parties that process personal data on their behalf will need to appoint a Data Protection Officer (“DPO”) if: (i) they are a public body; (ii) if
the core activities of the business or third-parties involve monitoring of individuals on a large scale; or if the core activities consist of processing on a large scale of special categories of personal data, including data relating to criminal convictions and offences. The DPO needs to have expert knowledge of data protection law, although doesn’t necessarily need to be an employee and could instead be employed on a service contact to fulfil the role. Details of the DPO will need to be communicated to the supervisory authority, such as the ICO in the UK.


The penalties for non-compliance with the GDPR are tough and could be up to 4% of annual global turnover, or €20m, whichever is greater. You might be fined even if there is no actual loss of data. One thing to note is that there are no exclusions or exceptions for small businesses. Additionally, there is the ability for individuals to file a class action lawsuit requesting a formal regulatory investigation if a business does not comply with the GDPR.