Privacy notice
The purpose of this document
This privacy notice explains how the Department for Business and Trade (DBT), as a 'data controller', processes personal data for the 'Check when large businesses pay their suppliers' service on GOV.UK.
This notice is supplemented by our main privacy notice which provides further information on how DBT processes personal data, and sets out your rights in respect of that personal data.
Personal data DBT collects
DBT collects information about:
- individuals filing payment practice reports on behalf of businesses
- company directors who have approved the filing of payment practice reports for their organisation
DBT collects the following categories of personal data:
- names
- email addresses
Why DBT asks for this information and what happens if it is not provided
DBT collects this information to meet its obligations under 'The Reporting on Payment Practices and Performance Regulations 2017', which requires qualifying UK businesses to report on their payment practices.
The 'Check when large businesses pay their suppliers' service is provided by DBT to enable this reporting to take place. Personal data is collected through this service to:
- identify individuals filing reports on behalf of businesses
- send confirmation emails and reminders to individuals filing reports on behalf of businesses
- record and publish the names of company directors who have approved the payment practice reports for their organisation
This personal data must be provided by all qualifying businesses to meet their legal obligations under the regulations.
The legal basis for processing your personal data
The legal bases for processing your personal data (Article 6(1) UK General Data Protection Regulation (GDPR)) are that:
- processing is necessary for compliance with a legal obligation to which the controller is subject
- processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller
In some instances, we may process your data further for a compatible purpose and/or on other legal bases. For example, your data may be used for archiving, research and/or statistical purposes. These are compatible purposes for further processing in UK GDPR and your data will be subject to appropriate safeguards if used for such purposes.
How DBT processes personal data it receives
Once received:
- your data will be stored within the 'Check when large businesses pay their suppliers' service
- names of company directors will be published openly as part of the business' payment practice reports. Publication may take place through a range of DBT digital channels
- your data may also be processed within other DBT internal digital and data systems
Third-party processors
We use the following third-party processors to operate the service:
- Amazon Web Services - DBT's contracted cloud-hosting service provider
- Government Digital Service - provides the GOV.UK Notify service, used for confirmation and reminder emails
Information sharing
In addition to the open publishing of company director names, we may share personal data you provide:
- with other government departments, public authorities, law enforcement agencies and regulators
- with other third parties where we consider it necessary in order to further our functions as a government department
- in response to information requests, for example, under Freedom of Information (FOI) law or the Environmental Information Regulations (EIR)
- to a court, tribunal or party where the disclosure is necessary in order to exercise, establish or defend a legal claim
- where we are ordered to do so or where we are otherwise required to do so by law
- with third party data processors as governed by contract
You can find out more detailed information about how we share data and further processing in the main privacy notice.
How long will DBT hold your data for
DBT will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Names of company directors will be retained indefinitely.
Email addresses of individuals who file reports will be retained for 10 years.
If we decide that we need to process your personal data for a reason which is incompatible with the purposes for which we collected it, we will contact you to explain why we are doing this and why it is lawful to do so.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Your rights
You have a number of rights available to you under UK data protection legislation, including:
- the right to request copies of the personal data we hold about you
- the right to request that we rectify information about you which you think is inaccurate or incomplete
- the right to request that we restrict your data from further processing (in certain circumstances)
- the right to object to the processing of your data (in certain circumstances)
- the right to data portability (in certain circumstances)
- the right to request that we erase your data (in certain circumstances)
- the right not to be subject to a decision based on solely automated data processing
You can contact DBT's Data Protection Officer for further information about how your data has been processed by the department or to make a complaint about how your data has been used. Please contact: data.protection@businessandtrade.gov.uk
You can also submit a complaint to the Information Commissioner's Office (ICO) at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: https://ico.org.uk/
Telephone: 0303 123 1113
You can find out more about your rights as a data subject, and details of how to contact our Data Protection Officer and the ICO in our main privacy notice.