This privacy notice was last updated on 9 January 2020.
About this notice
Who we are
The Consumers' Association is a registered charity (Charity No 296072) and sits at the top of the Which? Group. The Consumers' Association is responsible for all Which? campaigns and the development of Which? policy. The majority of the research included in the various Which? publications is also undertaken by the Consumers' Association.
Where the Consumers’ Association is processing your information, including in relation to our campaigns and policy work, your ordinary or associate membership, Which? Connect, Collective Switching activities, or Which? Birth Choice, Which? University, Which? Consumer Rights or Which? Later Life Care services, for the purposes of data protection legislation, it is a controller of your personal information. Its registered address is 2 Marylebone Road, London, NW1 4DF.
All our commercial operations are carried out through Which? Limited (Company No 677665) and its subsidiary companies. These activities include our various magazines and books, websites and other digital products (excluding those provided by the Consumers’ Association), Which? Computing Helpdesk, Which? Conversation, Which? Conveyancing, Which? Best Buy Guarantee, Which? Legal, Which? Wills, Which? Switch, Which? Money Helpline and Which? Trusted Traders.
Where we are processing your information in relation to these products and services, for the purposes of data protection legislation, Which? Limited is a controller of your personal information. Its registered address is 2 Marylebone Road, London, NW1 4DF.
The Consumers Association and Which? Limited will together be referred to in this privacy notice as "Which?", "we", "us" or "our".
What this notice applies to: This notice applies to personal information we collect about you when you interact with us (for example when you use our websites such as which.co.uk), or that we collect from third parties, as described in this privacy notice. It sets out:
i. what information we collect, and from whom;
ii. how we use that information;
iii. who we share your information with;
iv. how your information is protected;
v. your rights in relation to the information we hold about you; and
vi. how long we keep your information.
What this notice does not apply to: This notice does not apply to any services provided by Which? Financial Services Limited (including Which? Mortgage Advisers, Which? Insurance Advisers and Which? Money Compare) where a different privacy notice applies. For further details please see the Which?’ Financial Services privacy notice.
Changes to this privacy notice: We keep our privacy notice under regular review, and we encourage you to periodically review this page for the latest information on our privacy practices. Any material changes will be notified to you by updating them on our website together with any such other methods as may be appropriate.
1. What information does Which? collect?
Information you provide to us voluntarily
You may give us your personal information when you:
• order products and services from us;
• use our products and services;
• use, or provide a comment or write a review on, our websites;
• correspond with or contact us;
• enter into any of our competitions, promotions or surveys;
• contact one of our helplines;
• interact with us on social media platforms;
• sign up to one of our newsletters or other communications;
• take part in our research;
• request a call back through our websites;
• apply to become an Ordinary Member;
• apply to become a Which? Trusted Trader;
• get involved with one of our campaigns, Which? Conversations or blogs; or
• otherwise interact with us or provide information to a third party to be referred to us.
Where we request information from you we will collect the information set out in the relevant forms or pages, or as explained to you over the telephone. You may choose to provide additional information to us when you contact us or otherwise interact with us or provide information to a third party to be referred to us. We record calls for monitoring and training purposes and store customer feedback and information on our customer information databases.
Information we collect automatically
We, or the companies which work on our behalf, collect certain related data of visitors to our websites automatically including what pages you have viewed, for how long and your website journey.
Information is also collected about how you arrived at our websites in the first place, including what links or adverts of ours you have viewed or clicked on to reach us, or any search terms you have used. Where you see an advert outside of our website we, or an ad agency working on our behalf, will place a cookie on your browser so that, when you access our website, we recognise that you have seen an advert of ours elsewhere. Information collected automatically using cookies or other tracking technologies includes your IP address, and if you have logged in, your login details.
For further information see our separate cookies and tracking technologies notice.
Information we collect from third-party sources
On occasions, we acquire information from another company, for example to supplement the data that Which? holds. Where this happens we will take appropriate steps to assure ourselves that your information was collected legally.
For example, we use Google Analytics and New Relic to collect information about how visitors to our website use the site, including collecting information on how long customers spend visiting our content items, how often they return to visit our websites and what demographic categories they fall into.
Information which is available publicly
Your personal information may be available to us from external publicly available sources: for example, geo-demographic information and information from public registers such as listed directorships, information from the electoral roll and press reports. In addition, depending on your privacy settings for social media services, we may access information from those accounts or services.
2. What types of information does Which? process?
We collect, store and use the following types of information:
• your name and contact details (including your postal address, telephone number, email address(es), your membership number and social media identity);
• financial information such as bank details or credit/debit card details where you provide this to make a payment;
• details about the products and services we provide to you;
• details about how you use our products and services;
• information you provide on other individuals (for example dependants);
• information provided when you use our products or services, including where you are seeking guidance or advice;
• correspondence you have had with us;
• comments and reviews you have left on our websites;
• your contribution to any research you take part in;
• information about your computer / mobile device and your visits to and use of our websites, including for example your IP address;
• details about you that are stored in documents in different formats, or copies of them; and
• any other information shared with us as described in section 1 above.
In order to receive certain services via the websites (eg access to our Best Buys and Don't Buys recommendations), you will need to create a Which? ID. The information that you provide when setting up your Which? ID includes your name, address, email address and payment card details. If you register to set up a Which ID, you will also have a unique password which enables you to access your account.
3. How does Which? use my information, and on what legal basis?
The following sections describe in more detail how Which?, or one of the companies who work on our behalf, may use your information, and in particular the legal grounds on which we rely in doing so.
What we use your personal information for
We use the information collected for a number of purposes, including:
• to provide our products and services;
• to verify your membership;
• to make and manage payments;
• to manage our relationship and communicate with you;
• to provide you with advice or guidance about our products and services;
• to respond to complaints and seek to resolve them;
• to enhance your online experience;
• to conduct research and surveys;
• to develop and carry out marketing activities and competitions;
• to develop and manage our products and services and test new products and services;
• to better understand our customers and consumers in general, and study how our customers use products and services from us and other organisations;
• to research consumer views and experiences for research and editorial purposes, including through requests for help and surveys;
• to respond to individual experiences shared with us and for editorial content;
• to understand your website journey, including what pages you have viewed and for how long;
• to serve you adverts on other websites about things which you’ve shown an interest in on our own website, or relating to campaigns you have interacted with;
• to communicate with regulators, legislators and corporate stakeholders;
• to conduct and commission research into consumer opinions;
• to administer and keep safe and secure our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
• to train our staff and measure the quality of the service we give you; and
• to obey laws and regulations that apply to us.
The legal grounds we rely on to process your information
The legal grounds on which we rely are:
• to fulfil our contractual obligations (for example in order to provide the products or services requested and to contact you if a problem arises with them);
• to pursue our legitimate interests (for example to facilitate your use of our websites, including obtaining products or services via our websites, or for marketing);
• your consent; and / or
• to fulfil a legal duty.
When we rely on our legitimate interests, these are as follows:
• keeping our records up to date;
• charging for products and services;
• developing products and services;
• marketing our products and services;
• administering our websites and keeping them safe and secure;
• ensuring that content is presented in the most effective manner for you and your devices;
• facilitating your use of our websites, including obtaining products or services via our websites;
• measuring the use of our websites and improving their content and accessibility;
• measuring and understanding the effectiveness of advertising, and delivering relevant advertising to you;
• tailoring content and our communications so that they are most relevant to you;
• carrying out campaigns work and developing Which? policy;
• complying with legal and / or regulatory requirements;
• identifying consumer trends;
• understanding products, services and the consumer experience; and
• informing and generating content (for our editorial outputs and other channels).
4. Who does Which? share my information with?
We, or one of the companies who work on our behalf, share your personal information with the following third parties:
• Data processors
To help us fulfil contracts and to pursue our legitimate interests, we share your personal information with third parties who provide services to Which? or who act on Which?'s behalf, for instance other parts of the Which? Group, vendors, IT and other suppliers, research agencies, payment processors, financial institutions, shipping companies or postal authorities that are involved in fulfilling your request. We do not authorise these companies to use or disclose your personal information except for the purpose of providing the service we request of them. Which? group companies are all based in the UK, but some third-party data processors will be based outside of the European Economic Area (EEA).
• Group companies
We share your information between companies in our group for the following purposes:
• providing you with the products and services you obtain from us;
• responding to requests to exercise your rights;
• responding to complaints and seeking to resolve them;
• keeping our records up to date;
• charging for products and services;
• developing products and services; and
• informing and generating content (for our editorial outputs and other channels).
We may also share your information with other members of our group if you have indicated to us that you would like to hear about their Which? products and services.
All members of our group are based in the UK and comply with similarly high standards in the treatment of your information and will use it only for the purposes set out in in this privacy notice. A full list of companies/brands within our company group is available here.
• Social media companies, search engines and advertising platforms
Personal information about our existing customers may be used to further our legitimate interests, in particular to better understand our target audience on social media sites, search engines and advertising platforms (such as Google, Facebook, YouTube and Amazon) and to promote our services on those platforms to prospective new members of a similar profile and current existing members. The personal information is pseudonymised when uploaded to these platforms to match against potential new members.
The information that we provide to these platforms for such purposes does not directly identify you and is used to establish whether you are also a customer of the social media site and. If so, where the information is being used to better understand our target audience and promote our services to prospective new members, it may also be used to identify users of the social media site that have a similar profile to you and for serving advertisements.
The information we provide to the social media platform is destroyed once the matching exercise is complete. If you do not wish your personal data to be used in this way, please contact firstname.lastname@example.org.
A social networking widget may be found in many of our pages. This widget gives you the tool to bookmark our websites, blog, share, tweet and email our content to a friend. Your interaction with this tool, or being on the same webpage while being logged into these services, will result in further cookies from these social media companies being placed on your system. Our cookie and tracking technologies notice provides further information about this.
• Third parties involved in corporate transactions
Which? may share your information with third parties involved in any reorganisation, restructuring, merger or sale, or other transferring of assets, provided that the receiving party agrees to respect such personal information in a manner that is consistent with this Privacy Notice.
• Other third parties
These third parties may be companies with which we have a relationship in relation to products and services provided to you, companies through which you have contacted Which? or companies you ask us to contact on your behalf.
Other circumstances in which we will disclose your information
We will disclose your information to local and foreign regulators, governments, law enforcement authorities, advisors, courts, tribunals and arbitrators when we have a legal obligation to do so or when we believe our compliance with the request to be fair, reasonable and lawful, eg to detect, prevent or investigate security breaches, fraud or other crimes.
We will also disclose your information to establish, exercise or defend legal claims, for example: (i) to enforce our terms & conditions; (ii) to ensure the safety and security of our users, consumers and third parties; and (iii) to protect our rights and property and the rights and property of our website visitors, consumers and third parties.
Location of third parties
Some potential recipients of your information might be located outside the European Economic Area (“EEA”), in jurisdictions which do not have the same data protection laws as those in the EEA. If we do transfer your information outside the EEA we will take appropriate steps to protect that information, which include:
• transferring to third parties in jurisdictions that the European Commission has determined offers adequate protection for your information (and information relating to adequacy decisions made by the European Commission are available here); and
• entering into an agreement with the recipient, which includes clauses that the European Commission has determined offers adequate protection for your information (a template copy of which is available here).
For more information, please contact us using the details outlined in section 10, (How may I contact Which? about its privacy notice?) below.
5. What are my data protection rights?
You have the following rights in relation to your personal data:
• Access: The right to request access to and a copy of your personal information (which can be done by emailing email@example.com;
• Restriction: You can ask us to pause processing your information in certain circumstances (eg you are disputing its accuracy);
• Rectification: You can have any inaccuracies in your personal information corrected;
• Deletion: You can ask us to delete all your personal information in certain circumstances (eg if the information is no longer necessary for the purposes for which it was collected);
• Objection: You can object to us processing your personal information in certain circumstances;
• Objection to marketing: Please see section 7 (Marketing and advertising) below, for information about how to opt-out of direct marketing communications;
• Portability: You can ask us to transfer your information electronically to you or another organisation in certain circumstances;
• Withdrawal of consent: Where we rely on your consent to process your information, you can withdraw consent at any time, although this will not affect our uses of your personal information prior to the withdrawal of your consent; and
• To lodge a complaint with the Information Commissioner’s Office (“ICO”) or other relevant supervisory authority: You can complain to the ICO (ico.org.uk/global/contact-us/email) or other relevant supervisory authority about any aspect of our handling of your information.
More information about the right to complain can be found at https://ico.org.uk/for-the-public. If you have any questions about these rights, or you would like to exercise them, please contact us using the details at section 10 (How may I contact Which? about its privacy notice?) below.
Please be aware that you are under no obligation to provide us with your personal information. However, failure to do so may, in some circumstances, prevent us from being able to provide you with products and services, or otherwise interact with you.
When exercising your data protection rights we may ask you to verify your identity in order to help us respond efficiently to your request.
If you would like to exercise any of the above rights, please email or write to us using the details outlined in section 10 (How may I contact Which? about its privacy notice?) below. All of these rights are free to exercise and we will do our best to respond to you as quickly as possible and in any event, within one month of receipt of your written request. We will inform you within one month of receipt of such request if we will need longer to respond, for example due to the complexity of the request.
We want to make sure that your personal information is accurate and up to date. Please always let us know if you think that it is not and needs updating. Details of how to get in touch are in section 10 (How may I contact Which? about its privacy notice?) below.
6. How long is my information retained?
Whenever we collect or process your personal data, we will only keep information about you for as long as we need to fulfil the purposes for which we are processing your information. At the end of that retention period, your data will either be deleted or anonymised. Examples of our retention periods are:
- Where you are a member, we would normally keep your information for the duration of your membership and then a period of up to three years after you cease being a member.
- Where we need to keep your information for financial reporting obligations, we would normally keep it for ten years from the date of payment.
- Where we need to keep your information for dealing with legal claims or complaints, we would normally keep it for seven years from the end of that matter.
- Where we have provided legal advice, we would normally keep your information for seven years from the end of that matter.
- Where you have provided information that informs and/ or generates content for our editorial outputs and other channels, we will normally keep that information for up to seven years.
7. Marketing and advertising
We may use the information you provide to send you communications about Which?'s products and services and/or Which?'s campaign work. This might be by telephone or postal marketing in furtherance of our legitimate interests, or for marketing by email or SMS, with your consent.
You can change your marketing preferences at any time by clicking on the “unsubscribe” link in the footer of our emails, or by writing to us, emailing us or phoning us. All details can be found in section 10 (How may I contact Which? about its privacy notice?) below. You can also unsubscribe from receiving any further marketing communications.
We may analyse the information we collect about you to improve the targeting of communications. We use profiling and screening techniques to ensure that our communications to you are relevant and timely, and to provide an improved experience for you. When building a profile, we may analyse geographic, demographic and other information relating to you in order to better understand your interests and preferences so we can contact you with the most relevant communications. In doing this, we may use additional information from third party sources when it is available. If you do not wish your data to be used in this way, please contact us at firstname.lastname@example.org or using the details in the section headed How may I contact Which? about its privacy notice? below.
We engage in the following forms of advertising on other websites which are part of the same advertising network or affiliate network as we are.
We engage in a form of advertising which is called ‘performance advertising’ on other websites and on our websites. This is a form of advertising where we only pay the advertiser when there are measurable results. We have a series of partner sites, or ‘affiliates’ who will host our adverts and links, and if you come to our website and decide to buy something from us via those adverts or links, then we will then pay them a small fee.
We carry out display and contextual advertising on other websites. These are usually in the form of banner adverts of varying sizes and formats that appear on pages within these external sites that may run across the top of your computer screen, or can be a piece of text.
We, third-party advertising networks which work on our behalf and search platforms we work with, may show you adverts on other websites or within their platforms about things which you’ve previously shown an interest in on our website. The adverts may highlight other products or services which we think you’d be interested in too.
We also work with messaging platforms that on our behalf, and with your direct express consent, may deliver messages to your desktop or mobile browsers. These messages will be tailored to the pages and content you have shown interest in and you have the option when each message is delivered to opt out of all future communications.
8. Links to other websites and social media
Where we provide links to other websites, we do so for information purposes unless otherwise indicated. The other websites are outside our control and are not covered by this privacy notice. If you access other websites using the links provided, the operators of these websites may collect information from you which will be used by them in accordance with their privacy notice, which may differ from ours.
On some pages of our websites, third parties that provide content, applications or plug-ins through our Website may track your use of content, applications and plug-ins or customise content, applications and plug-ins for you. For example, when you share an article using a social media sharing button on our websites (e.g., Facebook, Twitter, or Google Plus), the social network that has created the button will record that you have done this. For more information on social media plug-ins on our Website, see our cookie and tracking technologies notice.
9. Use of our website by minors
If you are aged 13 or under, please get your parent's/guardian's permission before you provide information to us via our websites. Users without this consent are not allowed to provide us with information and, in the event that they do so, we will cease to process their information as soon as we find out.
10. How can I contact Which? about its privacy notice?
You can contact us by post, telephone and email as follows:
email@example.com (to manage your marketing and analytics
firstname.lastname@example.org (for access requests under section 5)
email@example.com (for general queries)
General Counsel, Which?, 2 Marylebone Road, London, NW1 4DF
Telephone number: 029 2267 0000
To find out more about Which? and who we are, please look at the 'About Us' section of our general terms.
11. Changes to this Privacy Notice
Which? may need to update this Privacy Notice from time to time. You can see when the Privacy Notice was last updated by checking the date at the top of the page. A summary of changes can be found in this section, along with the date they were made.
If we make any updates, such as materially changing how we use your personal data, we will alert you as required by applicable privacy laws.
21.10.19 - Section 4 - Clarification on how we share your personal data with social media companies, search engines and advertising platforms.
09.01.20 - Section 6 - Clarification on how long your personal data is retained.