Main privacy policy of the Department for Business and Trade

The purpose of this document

The Department for Business and Trade (DBT) is committed to protecting the privacy and security of your information. This privacy policy describes how we collect and use personal information about you in accordance with UK Data Protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 and section 8 of the Data Protection Act 2018.

We are required under data protection legislation to notify you of the information contained in this privacy policy. It is important that you read this policy so that you are aware of how and why we are using your information.

In addition to this general privacy policy, when you interact with us, we may provide you with more specific information about how we will process your personal data.We have specific privacy policies relating to DBT services in addition to our main privacy policy:

• Privacy policy for where to export, learn to export and export plan
• Privacy policy for report a trade barrier
• Privacy policy for project finance
• Privacy policy for UK Export Academy
• Privacy policy for trade profiles (find a buyer (FAB), find a supplier (FAS)
• Privacy policy for export opportunities
• Privacy policy for attending a DBT event
• Privacy policy for other government departments, agencies, public bodies and third party service providers
• Privacy policy for contact form used by export support
• Privacy policy for Business.gov.uk user research panel

What data we collect

The personal data we collect includes your:

• name
• email address
• phone number
• address
• postcode
• job or role within your company
• use of assistive technology
• internet protocol (IP) address and details of which operating system and web browser you use

We are trialling Artificial Intelligence (AI) solutions to support the delivery of our functions. Unless made expressly clear to you, we will not use AI to either make or inform decisions about you.

We will apply effective data minimisation techniques to all such uses of your data.

Why we need your data

The data you provide will be processed by DBT in order to:

• manage relationships with businesses the department is supporting to trade or invest internationally
• identify and secure international and UK-based opportunities
• identify businesses with the greatest propensity to trade or invest and direct them to the most appropriate advice, events, and services
• evaluate the impact of trade and investment services
• better understand the trade and investment environment
• better understand the domestic and international business landscape
• target financial support at businesses to secure trade and investment opportunities
• process business applications to access trade and investment-related advice and services
• understand barriers to trade and investment
• design effective and intelligent trade and investment policy, services, and make business decisions
• send you promotional messages in order to carry out our public task or function as a government department

Other purposes which may be relevant (to be considered on a case-by-case basis) are to:

• gather feedback to improve our services
• respond to any feedback you send us, if you have asked us to
• allow you to access government services and make transactions
• provide you with information about relevant services
• monitor use of the site to identify security threats

Lawful basis for processing

Our lawful basis for processing your personal data is that the processing is necessary:

• to perform a task in the public interest (Article 6(1)(e) of the UK GDPR and section 8 of the Data Protection Act 2018
• for the exercise of our functions as a government department

In 2021, the Information Commissioner's Office (ICO) issued guidance clarifying that promotional messages issued by public sector organisations would not be classed as direct marketing if those promotional messages are necessary for the performance of a public task or function. In view of this clarification, DBT relies on the ‘public task’ lawful basis when sending promotional messages to carry out DBT’s public tasks or functions. This is without prejudice to your right to object and to exercise other applicable rights available under the regulation. The full details of data subjects’ rights and how to contact us are provided below.

Contacting you

We will use the personal information you provide to contact you about the specific service you have used or enquiry you have made.We rely on the ‘public task’ lawful basis when sending promotional messages to carry out DBT’s public tasks or functions (Article 6(1)(e) of the UK GDPR and section 8 of the Data Protection Act 2018). This is without prejudice to your right to object and to exercise other applicable rights available under the regulation.The full details of data subjects’ rights and how to contact us are provided below.

Where we obtain your information from

You give us your personal data in different ways, including but not limited to:

• visiting our websites, interacting with our tools and using our digital services
• creating a company profile on our websites
• populating our online forms and completing our surveys
• when you download documents from us
• when you contact us about investing capital in the UK and buying from the UK
• any communications you make with us by phone, email, post, websites, social media or otherwise
• when you visit us at our buildings and premises
• when you register, pay for and attend trade events

Information we may obtain about you

To fulfil our duties in the public interest, protect our employees and assets and comply with legal and regulatory obligations like trade control, anti-money laundering and bribery and corruption laws, DBT may carry out checks on existing or potential Commercial Clients both on a pre-contract basis and periodically post-contract.

We may verify the background of individuals such as directors, officers, sole traders, shareholders and key stakeholders of our current or potential Commercial Clients. This processing is carried out under the lawful basis of Public Task, as it supports DBT’s objectives to promote economic growth and support UK businesses. The lawful basis for processing personal data under Public Task is outlined in Article 6(1)(e) of the UK General Data Protection Regulation (GDPR)and section 8 of the Data Protection Act 2018, which permits processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in DBT.

Additionally, where legally obligated by law, certain aspects of this processing may be carried out under the lawful basis of Legal Obligation (Article 6(1)(c) of the UK GDPR), where the processing is necessary to comply with specific legal requirements.

We may check against:

• publicly available information about your company or business activities
• any government’s issued sanctions lists or blocklist
• media sources, including social media

We may also check data regarding your suspected or actual criminal behaviour, criminal records or proceedings regarding criminal or unlawful behaviour but only for the purposes of ensuring DBT’s compliance with legal and regulatory obligations and to the extent we are allowed by UK and local overseas laws.You have the right to object to processing under the Public Task lawful basis at any time. If you wish to object, please contact us at data.protection@businessandtrade.gov.uk.

How we may share your information

We may share your personal data with third parties, including for the purposes set out in the 'Why we need your data’ section of this policy. Our third-party data processors are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.In addition to our data processors, we may share your data with other recipients, including:

• other government departments, public agencies or bodies
• third party service providers (where not our data processors)
• event partners and sponsors, where you register to one of our events
• other businesses, companies and organisations, in the course of our services
• law enforcement agencies and regulators
• the National Archives, for archival purposes

This processing is carried out under the lawful basis of Public Task, as it supports DBT’s objectives to promote economic growth and support UK businesses. The lawful basis for processing personal data under Public Task is outlined in Article 6(1)(e) of the UK General Data Protection Regulation (GDPR) and section 8 of the Data Protection Act 2018, which permits processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in DBT.You have the right to object to processing under the Public Task lawful basis at any time. If you wish to object, please contact data.protection@businessandtrade.gov.uk.

Additionally, where legally obligated by law, certain aspects of this processing may be carried out under the lawful basis of Legal Obligation (Article 6(1)(c) of the UK GDPR and section 8 of the Data Protection Act 2018), where the processing is necessary to comply with specific legal requirements. Under this lawful basis, data subjects do not have the right to object, the right to erasure, or the right to data portability.

Where not exempt, we may be required to disclose your information in response to information requests, for example, under Freedom of Information (FOI) law or the Environmental Information Regulations (EIR). This processing is carried out under the lawful basis of Legal Obligation (Article 6(1)(c) of the UK GDPR and section 8 of the Data Protection Act 2018), as it is necessary to comply with legal requirements.Where necessary in order to exercise, establish or defend a legal claim, we may disclose your information to a court, tribunal or other party. This processing is carried out under the lawful basis of Legal Obligation (Article 6(1)(c) of the UK GDPR), as it is necessary to comply with legal requirements.

You will be notified if your information is shared with other third parties not included in this list.Aggregated analysis of responses may also be shared with the Information Commissioner’s Office (ICO), the Government Internal Audit Agency (GIAA) and the National Audit Office (NAO).

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature.We will not:

• sell or rent your data to third parties
• share your data with third parties for their own marketing purposes

We will also share your data if we are required to do so by law or regulation, for example, by court order or to prevent fraud or other crime.

How long we keep your data

In line with our records management and retention and disposal policy, we will only retain your personal information for as long as:

• it is needed for the purposes set out in this document
• the law requires us to

Subject to the bullets above, we will retain your personal information for up to 10 years from the date on which it is provided or subsequently updated, in order to fulfil the purposes for which it was collected.

Rights afforded to data subjects

Lawful basis: Public Task (Article 6(1)(e) of the UK GDPR)

Under the lawful basis of Public Task, which permits processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us, data subjects are afforded the following rights:

• Right to object: you have the right to object to the processing of your personal data at any time. If you wish to object, please contact us at data.protection@businessandtrade.gov.uk.
• Right to access: you have the right to request access to your personal data and obtain information about how it is being processed.
• Right to rectification: you have the right to request the correction of any inaccurate or incomplete personal data.
• Right to restriction of processing: you have the right to request the restriction of processing of your personal data under certain circumstances, such as if you contest the accuracy of the data or object to the processing.
• Right to data portability: you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request the transfer of this data to another controller, where technically feasible.

Lawful basis: Legal Obligation (Article 6(1)(c) of the UK GDPR)

Under the lawful basis of Legal Obligation, which permits processing necessary to comply with a legal requirement, data subjects are afforded the following rights:

• Right to access: you have the right to request access to your personal data and obtain information about how it is being processed.
• Right to rectification: you have the right to request the correction of any inaccurate or incomplete personal data.
• Right to restriction of processing: you have the right to request the restriction of processing of your personal data under certain circumstances, such as if you contest the accuracy of the data or object to the processing.

Please note: under the lawful basis of Legal Obligation, data subjects do not have the following rights:

• Right to object: you do not have the right to object to the processing of your personal data.
• Right to erasure: you do not have the right to request the deletion of your personal data.
• Right to data portability: you do not have the right to request the transfer of your personal data to another controller.

If you have any questions or wish to exercise your rights, please contact data.protection@businessandtrade.gov.uk.

How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your data. For example, we protect your data using varying levels of encryption. All personal data is stored in the European Economic Area (EEA).We also ensure that any third parties keep all personal data they process on our behalf secure.

Contact us

If you have any requests relating to your rights or have questions about this privacy policy and how we handle your personal information, you can contact:

Data Protection Officer

Department for Business and Trade

Old Admiralty Building

Whitehall

LONDON

SW1A 2DY

Email: data.protection@businessandtrade.gov.uk

Information Commissioner’s Office

Contact the Information Commissioner for independent advice about data protection, privacy, and data-sharing issues.

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Telephone: 0303 123 1113

Textphone: 01625 545860

Email: casework@ico.org.uk

Changes to this privacy policy

We reserve the right to update this privacy policy at any time and we will provide you with a new privacy policy when we make any substantial updates.

Confidentiality

Information provided whilst using this service, including personal information, may be disclosed in accordance with access to information regimes, primarily the Freedom of Information Act 2000 (FOIA).

If you want the information you provide to be treated confidentially, please be aware that, in accordance with the FOIA, public authorities are required to comply with a statutory code of practice that addresses obligations of confidence, among other things.