Privacy notice for other government departments, agencies, public bodies and third party service providers

Purpose of this document

The Department for Business and Trade (DBT) is committed to protecting the privacy and security of your information. This notice describes how we collect and use your personal data in accordance with UK data protection legislation, namely the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We are required under data protection legislation to notify you of the information contained in this privacy notice. It is important that you read this notice so that you are aware of how and why we are using your information.

What data we collect

The personal data we collect includes your:

• name
• email address
• phone number
• address
• job or role within your company
• use of assistive technology
• rating of enquirer’s knowledge of where to go for help and support with exporting

Why we need your data

The information you provide will be processed by DBT and selected third parties in order to:

• let you create a User Account on our website and sign into that User Account with your email address
• provide you with relevant information about investing in the UK or abroad
• match you to the right UK trade and investment opportunities
• direct you to appropriate advice, events and services
• help you to understand barriers to trade and investment and design policies or implement measures to overcome them
• help us design effective and intelligent trade and investment policies, and services
• research, develop and improve products and services
• develop and maintain digital services which will support the objectives in the public interests of DBT
• manage relationships with businesses, maintaining and promoting contact with existing and prospective clients, and development,
• target financial support at businesses to secure trade and investment opportunities
• take steps to enter – or fulfil – a contract with you

To meet legal and/or regulatory compliance, such as:

• trade control, anti-money laundering, bribery and corruption laws, or any other applicable law or regulation
• the litigation and defence of legal claims

For business management and execution, including:

• financial management, account management, customer service, implementation of controls, management reporting, analysis
• performing budgetary analysis, reporting budget to the Treasury
• registering you for trade events and taking your payments
• internal audits and investigations
• granting you access to our websites and prospectuses, monitoring use of the site to identify security threats
• authentication of individual status and access rights

Lawful basis for processing

Our lawful basis for processing your personal data is that the processing is necessary:

• to perform a task in the public interest (Article 6(1)(e) of the UK GDPR)
• for the exercise of our functions as a government department

How we share your information

We will, in some circumstances and where the law allows, share your data with other government departments, agencies, public bodies, and third-party service providers which may include, but are not limited to:

• Government Digital Service (GDS)
• His Majesty Government (HMG) IT services
• His Majesty’s Revenue and Customs (HMRC)
• other UK government’s departments, including but not limited to the Foreign, Commonwealth and Development Office, UK Export Finance, Ministry of Defence (MOD), Office for National Statistics
• National Cyber Security Centre (NCSC)
• UK Shared Business Services
• local enterprise partnerships and trade bodies
• devolved administrations
• UK Regional Delivery Partners
• Investment Support Service (ISSs)
• MI5
• MI6
• Metropolitan Police
• Serious Fraud Office (SFO)
• GOV Pay
• Worldpay
• Amazon Web Services (AWS)
• UK CLOUD
• organisations contracted by DBT to deliver investment support services, including Ernst & Young and OCO Global
• organisations contracted by DBT to provide marketing and communications services, including M&C Saatchi, Manning Gottlieb OMD, TMW Unlimited, Aventri and Populus
• Kantar Public
• Core
• Transform
• Gyro (and subsidiary Fetch)
• FIVIUM
• Google Analytics
• Google
• LinkedIn
• Ebay
• DBT’s delivery partners Bray Leino and M Integrated Services
• DBT’s overseas delivery partners
• Overseas Buyers
• Event organisers
• Innovision
• FIVIUM
• EU (for steel and aluminium)

Data will also be shared with the Marketplaces which are applied for, for example:

• Alibaba
• Allegro
• Amazon
• Ankorstore
• Bol
• Cdiscount
• Cerqular
• Coupang
• Douglas
• eBay
• Europages
• Faire
• Flaconi
• Flipkart
• Fnac & Darty
• Fruugo
• JD.com
• Kaufland
• La Redoute
• Lazada
• Leroy Merlin
• Macy's
• Mano Mano
• Mumzworld
• Noon
• Nordstrom
• Nykaa
• OnBuy
• Onceit
• Rakuten
• Range Me
• Rue du Commerce
• Spartoo
• The Bay
• The Iconic
• The Market
• Tiendamia
• Trade Me
• Walmart
• Wayfair
• Zalora

You will be notified if your information is shared with other third parties not included in this list.

Aggregated analysis of responses may also be shared with the Information Commissioner’s Office (ICO), the Government Internal Audit Agency (GIAA) and the National Audit Office (NAO).

We will not:

• sell or rent your data to third parties
• share your data with third parties for their marketing purposes

We will also share your data if we are required to do so by law or regulation, for example, by court order or to prevent fraud or other crime.

Communicating with you

We will use the personal information you provide us with to contact you about the specific service/s you have used or enquiries you have made.

Failure to provide us with accurate information about you will impact our ability to communicate with you, to provide you with a level of service that meets your expectations, or our ability to enter into a contract with you or continuing to contract with you.

We seek to ensure that our information collection and processing is always proportionate. We will notify you of any changes to information we collect or to the purposes for which we collect and process it.

How we obtain your information

Information that you give us

You give us your information in many ways, including:

• by visiting our websites, interacting with our tools, using our digital services
• creating a company profile on our websites
• populating our online forms and/or completing our surveys
• when you download our investment prospectus
• when you contact us about investing capital in the UK and/or buying from the UK
• in any communications you make with us via phone, email, post, websites, social media or otherwise
• when you visit us at our buildings and premises and your image is captured on our CCTV cameras
• when you register, pay for, and attend trade events

Information we may obtain about you

In order to fulfil our duties in the public interest, protect our employees and assets, and comply with legal and regulatory obligations, such as trade control, anti-money laundering, bribery and corruption laws and other regulatory requirements, DBT may carry out checks on existing or potential Commercial Clients both on pre-contract basis and post-contract periodically.

We may verify the background of individuals - such as directors, officers, sole traders, shareholders and key stakeholders - of our current or potential Commercial Clients.

We may check you against:

• publicly available information about your company or business activities
• any government’s issued sanctions lists or blocklists
• against media sources – including social media

We may also check data regarding your suspected or actual criminal behaviour, criminal records or proceedings regarding criminal or unlawful behaviour but only for the purposes of ensuring DBT’s compliance with legal and regulatory obligations and/or to the extent we are allowed by UK and local overseas laws.

Lawful basis for processing

The personal data covered by this privacy notice is processed:

• to perform our public tasks
• for the exercise of our functions as a government department
• in order to take steps prior to entering into a legal contract
• to fulfil a contractual obligation DBT has already entered with you
• where it is necessary to comply with legal or regulatory obligations to which DBT is subject to
• for our legitimate interests or those of a third party. Where our processing of your information is based solely on our legitimate interests (or those of a third party), you have the right to object to that processing if you give us specific reasons why you are objecting, which are based on your particular situation. If you object, we can no longer process your information unless we can demonstrate legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims. Refer to the 'Your rights' section for more information on how to exercise your right to object or contact our Data Protection Officer (DPO) at data.protection@trade.gov.uk
• to protect your life where necessary

To withdraw your consent, contact the Data Protection Team at data.protection@businessandtrade.gov.uk. Our full contact details can be found in the 'Contact us' section. Once we have received notification that you have withdrawn your consent, we will no longer process your application and, subject to our retention policy, we will dispose of your personal data securely and in line with our Retention and Disposal Policy. Refer to the 'How long we keep your data' section or contact our DPO at data.protection@businessandtrade.gov.uk.

From time to time, after you have contacted us or you have signed up to one of our websites, used our tools or services, we may send you related information which we feel would benefit your business or would enable DBT to understand your business needs and improve our services. These include:

• information on trade related events
• the latest overseas business opportunities
• industry news related to trade and investment
• new publications
• information about our services and those of our partners
• surveys

You have the right to opt out at any time from receiving such information by writing to our Information Rights Team or to our Data Protection Officer. For contact details, refer to the 'Contact us' section.

How long we keep your data

In line with our records management and retention and disposal policy, we will only retain your personal information for as long as:

• it is needed for the purposes set out in this document
• the law requires us to

We will retain your personal information for up to 10 years from the date on which it is provided or subsequently updated, in order to fulfil the purposes for which it was collected.

How we protect your data and keep it secure

We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

This is in line with our DBT Information Security Policy. If you have any questions – or want to see a copy of our DBT Information Security Policy – contact the DPO at data.protection@businessandtrade.gov.uk. Our full contact details can be found in the 'Contact us' section.

For detailed information on how to protect your information, computers and devices against fraud, identity theft, viruses and many other online problems, visit Get Safe Online.

From time to time information may be stored in or accessed from countries outside the European Economic Area (EEA). Where this may happen, we always make sure that there are appropriate safeguards in place, such as standard contractual clauses, binding corporate rules or the EU-US Privacy Shield, to guarantee that your information – and your rights – are protected to the same high standard as under UK Data Protection legislation.

Your information is generally stored on servers and filing systems in the UK or the European Economic Area. From time to time, it may be stored in or accessed from countries outside the European Economic Area. Where this may happen, we always make sure that there is:

• an adequacy decision between the EU and the third country or
• the EU-US Privacy Shield, for transfers from the EEA to the US

In the absence of these, appropriate safeguards must in place, such as:

• a legally binding and enforceable instrument between public authorities or bodies, which provides appropriate safeguards for your rights and freedoms and it is legally binding and enforceable
• binding corporate rules
• standard contractual clauses adopted by the European Commission, which have been recognised as providing adequate protection to personal information transferred outside the EEA

When these clauses are included in a contract with one of the companies we work with, it means that if they transfer your information outside the EEA, they must make sure that your information is just as safe as it is in the EEA. This includes:

• standard data protection clauses adopted by a supervisory authority and approved by the European Commission similar to those adopted by the Commission (per above), but they will be first adopted by the supervisory authority and then approved by the Commission
• a code of conduct approved by a supervisory authority together with binding and enforceable commitment to it by the receiver outside the EEA
• certification under an approved certification mechanism together with the binding and enforceable commitment of the receiver outside the EEA
• contractual clauses authorised by a supervisory authority (note: at present the ICO is not authorising such contractual clauses)
• administrative arrangements between public authorities or bodies (for example a Memorandum of Understanding) which include enforceable and effective rights for the individuals whose personal data is transferred, and which have been authorised by a supervisory authority. You can obtain a copy of the safeguards we have in place by writing to our DPO at data.protection@businessandtrade.gov.uk. Our full contact details can be found in the 'Contact us' section.

Exemptions under art 49(1) GDPR

In the absence of an adequacy decision or appropriate safeguards, the law allows us to go ahead with the transfer outside the EEA if:

(a) you have explicitly consented to the proposed transfer, after we have informed you of the possible risks of such transfers

(b) the transfer is necessary for the performance of a contract between DBT and yourself or the implementation of pre-contractual measures taken at your request

(c) the transfer is necessary for the conclusion or performance of a contract concluded in your interest between DBT and another natural or legal person

(d) the transfer is necessary for important reasons of public interest

(e) the transfer is necessary for the establishment, exercise or defence of legal claims

(f) the transfer is necessary in order to protect your or someone else’s life, where the data subject is physically or legally incapable of giving consent

(g) the transfer is made from a public register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest

(h) we are making a one-off restricted transfer and it is in our compelling legitimate interests

Your rights

Rights afforded to individuals

Under current data protection legislation, you have several rights in respect of your information and the way we use it. Some of these rights only apply in certain situations. We explain below what rights you have, what these mean and how they apply to the way we use your information.

Access your information

You can ask for:

• confirmation that we process your personal information
• a copy of your personal information that we hold and
• other information about how we process your information

We will provide you with a copy of your personal information which we hold unless the data protection laws provide an exception that we decide to rely on, for example where there are ongoing court proceedings. We may also edit out the names of any other individuals to protect their privacy.

Wherever possible, we will provide you with a copy of your personal information in the same manner you make your request unless we agree otherwise with you.

Have your information rectified

You can ask us to rectify your information if it is not accurate, complete or up to date.

We will update or correct your information, although sometimes we may need to ask you to provide evidence to confirm the changes.

Have your information erased

This is also known as the right to be forgotten.

You can ask us to delete your information:

• if we no longer need it
• if we rely on your consent to use your information and you withdraw it
• if you object to our processing it and we have no overriding legitimate grounds to continue processing it or
• if we are legally required to delete it This right does not apply if we need the data:
• to comply with a legal obligation
• to fulfil our tasks carried out in the public interest or in the exercise of our official authority to exercise our right of freedom of expression and information
• for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing, or
• if we need the information to establish, exercise or defence of legal claims

Restrict our processing of your information

You may ask us to restrict our processing of your personal information where:

• you believe the information we hold about you is inaccurate while we check whether it is accurate
• we no longer need your information, but you need it to establish, exercise or defend a legal claim

We will not process your personal information while we consider your request. However, we will still be able to process your personal information for the purposes of any ongoing court or other legal proceedings.

We will inform you if we begin processing your personal information again and explain why.

Have your information transferred to you and/or a third party

This is also known as the right to data portability. You can ask us to provide you with a copy of the information which you have provided to us and which we hold electronically.

This right only applies to the information which you have provided to us which we hold electronically. It does not apply to information that we collect to comply with our legal obligations.

We will provide this information to you in a commonly used and machine-readable format.

Object to our processing of your information, including profiling

You can object to our use of your information, including profiling unless:

• we have compelling legitimate grounds for using your information or
• we need to use your information to establish, exercise or defend a legal claim, for example where there are ongoing court proceedings

Not to be subject to an automated decision

This right is not applicable to you since we do not perform any processing activity based solely on automated decision.

Timeline for responding to a data subject right

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, contact the DPO in writing at data.protection@businessandtrade.gov.uk. Our full contact details can be found in the 'Contact us' section. We will always do our best to respond to your request within one month of receiving an information right request and any additional information we need to confirm your identity and understand your request.

Sometimes, we may need some more time to deal with your request, particularly if it is complicated. Where this happens, we will write to you within one month and let you know why we need some more time and when we will provide you with our response.

If we are unable to carry out your request, we will send you a response explaining why.

Contact us

If you have any requests relating to your rights or have questions about this privacy policy and how we handle your personal information, you can contact:

Data Protection Officer
Department for Business and Trade
Old Admiralty Building
Admiralty Place
LONDON
SW1A 2DY
Email: data.protection@businessandtrade.gov.uk

Information Commissioner’s Office 

Contact the Information Commissioner for independent advice about data protection, privacy, and data-sharing issues.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Textphone: 01625 545860
Email: casework@ico.org.uk

Changes to this privacy notice

We reserve the right to update this privacy notice at any time and we will provide you with a new privacy notice when we make any substantial updates.

Confidentiality

Information provided while using this service, including personal information, may be disclosed in accordance with access to information regimes, primarily the Freedom of Information Act 2000 (FOIA).

If you want the information you provide to be treated confidentially, be aware that, in accordance with the FOIA, public authorities are required to comply with a statutory code of practice that addresses obligations of confidence, among other things.