Privacy notice

Last updated 9 October 2024

The purpose of this document

The Department for Business and Trade (DBT) is committed to protecting the privacy and security of your personal data and criminal offence data, and the personal data and criminal offence data you provide about other people. This privacy notice describes how we collect and use personal data and criminal offence data in accordance with UK data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We are required under Data Protection Legislation to notify you of the information contained in this privacy notice. It is important that you read this privacy notice, so that you are aware of how and why we are using your personal data and criminal offence data.

What personal data we collect

Personal data we collect includes your:

  • name
  • email address
  • company name
  • registered company number

We collect the name and address of the business or person suspected of breaching trade sanctions, and suppliers of sanctioned goods or services. We also collect the name, address and email address of businesses or people who are the end-users of sanctioned items or services.

Criminal offence data we collect includes (but is not limited to) information about:

  • offenders or suspected offenders
  • allegations and unproven allegations

Why we need personal data and criminal offence data

The information you provide will be processed by DBT and selected third parties in order to:

  • evaluate alleged or suspected breaches of trade sanctions
  • understand the types of people and companies using our services
  • anonymise individuals’ personal data for data analysis purposes

Other purposes which may be relevant (to be considered on a case by case basis):

  • gather feedback to improve our services
  • respond to any feedback you send us, if you have asked us to
  • enable you to access and use government services
  • provide you with information about relevant services
  • monitor use of the site to identify security threats

Our lawful basis for processing personal data and lawful authority for processing offence data

Our lawful basis for processing personal data, as required under article 5 and article 6 UK GDPR, is that it is necessary:

  • as set out in article 6(1)(e) UK GDPR, to perform a task in the public interest which is based in law (for example including but not limited to regulations made under section 13 and 16 of the Sanctions and Anti-Money Laundering Act 2018)
  • as set out in section 8 of the Data Protection Act 2018, in the exercise of our functions as a government department

Our lawful authority for processing criminal offence data, as required under article 10 UK GDPR, is on the basis of section 10 and schedule 1, part 2, paragraph 6 of the Data Protection Act 2018, processing is necessary for reasons of substantial public interest and processing is necessary for:

  • the exercise of a function conferred on a person by an enactment or rule of law
  • the exercise of a function of the Crown, a Minister of the Crown or a government department.

How we share your personal data and criminal offence data

We will, in some circumstances and where the law allows, share your personal data and/or criminal offence data with other government departments, regulators, auditory bodies, agencies, public bodies and third-party service providers which may include, but are not limited to other UK government departments, including, but not limited to the Foreign, Commonwealth and Development Office (FCDO) and HM Revenue and Customs (HMRC).

You will be notified if your personal data and/or criminal offence data is shared with other third parties not included in this list, unless not required to do so under Data Protection Legislation.

Aggregated analysis of responses may also be shared with UK regulators and auditory bodies such as the Information Commissioner’s Office (ICO), the Government Internal Audit Agency (GIAA) and the National Audit Office (NAO).

We will also share your personal data or criminal offence data if we are required to do so by law or regulation, for example, by court order, or to prevent fraud or other crime.

Where we share your personal data and/or criminal offence data for a law enforcement purpose (as defined in section 31 DPA 2018), we will only share personal data and/or criminal offence data if all the following apply:

  • the sharing of the personal data or criminal offence data is based on law (for example including, but not limited to, regulations made under section 13 and 16 the Sanctions and Anti-Money Laundering Act 2018
  • the sharing of the personal data or criminal offence data is necessary for a law enforcement purpose

We will not:

  • sell or rent your personal data or criminal offence data to third parties
  • share your personal data or criminal offence data with third parties for their marketing purposes

How long we keep personal data and criminal offence data

In line with our records management and retention and disposal policy, we will only retain your personal data and the criminal offence data you provide about others for as long as:

  • it is needed for the purposes set out in this document
  • the law requires us to

Subject to the bullet points above, we will retain the personal data for up to 15 years from the date on which it is provided or subsequently updated, in order to fulfil the purposes for which it was collected.

How we protect personal data and criminal offence data and keep it secure

We are committed to doing all that we can to keep personal data and criminal offence data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your personal data and criminal offence data. For example, we protect your personal data and criminal offence data using varying levels of encryption. All personal data and criminal offence data is stored in the UK.

We also ensure that any third parties keep all personal data and criminal offence data they process on our behalf, secure.

Contacting you

We will use the personal data and criminal offence data you provide to contact you about the ‘Report a suspected breach of trade sanctions’ service or enquiry you have made.

Your rights

You have the right to request:

  • information about how your personal data and criminal offence data is processed
  • a copy of any personal data and criminal offence data we hold about you
  • that any inaccuracies in your personal data are corrected immediately

You can also:

  • raise an objection about how your personal data and criminal offence data is processed
  • request that your personal data and criminal offence data is erased if there is no longer a justification for it
  • ask that the processing of your personal data and criminal offence data is restricted in certain circumstances

Contacting us

If you have any of these requests, questions or concerns about this privacy notice and/or how we handle your personal data and criminal offence data, contact the DBT’s Data Protection Officer.

Data Protection Officer
Department for Business and Trade
Old Admiralty Building
Whitehall
LONDON
SW1A 2DY
Email: data.protection@businessandtrade.gov.uk

Information Commissioner’s Office

Contact the Information Commissioner for independent advice about data protection, privacy and data-sharing issues.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Textphone: 01625 545860
Email: casework@ico.org.uk

Changes to this privacy notice

We may change this privacy policy. If we do, the ‘last updated’ date on this page will also change. Any changes to this privacy policy will apply to you and your data immediately.

If these changes affect how your personal data is processed, DBT will take reasonable steps to let you know.

Confidentiality

Information provided whilst using this service, including personal information, may be disclosed in accordance with access to information regimes, primarily the Freedom of Information Act 2000 (FOIA).

If you want the information you provide to be treated confidentially, please be aware that, in accordance with the FOIA, public authorities are required to comply with a statutory code of practice which deals, amongst other things, with obligations of confidence.