Privacy Notice - UKMCAB

This privacy notice explains how the Office for Product Safety and Standards (OPSS), as part of the Department for Business and Trade (DBT) and as a ‘data controller’, processes personal data in relation to the UK Market Conformity Assessment Bodies service (“UKMCAB Service”), and the rights of the individuals whose Personal Data we use. This Privacy Notice contains the information we are required to provide such individuals to comply with Articles 13 and 14 of the UK General Data Protection Regulation (“UK GDPR”). We encourage you to review this Privacy Notice carefully.

This notice is supplemented by our main privacy notice, which provides further information on how DBT processes personal data, and sets out your rights in respect of that personal data.

Who we are

The OPSS (“we”, “our” and “us”) is a departmental office within the DBT and it is the UK’s national product regulator. Our primary purpose is to protect people and places from product-related harm, enabling trade and growth by ensuring consumers and businesses can buy and sell products with confidence.

The OPSS is responsible for operating the UKMCAB Service, which is the definitive source and register of Conformity Assessment Bodies (“CABs”) which are authorised to certify goods in the UK. The UKMCAB Service is designed for use by: (i) organisations involved in the supply and manufacture of regulated products (“Traders”); (ii) the CABs responsible for certifying regulated products in the UK; and (iii) the entities involved in managing the UKMCAB Service itself, which includes the UK Accreditation Service (“UKAS”) and other government departments (“OGD”).

DBT is the Data Controller of the Personal Data which we collect. This means DBT has overall responsibility for ensuring our use of Personal Data is lawful, and we have secure systems in place to protect it. For further information, you can contact the DBT’s Data Protection Officer (“DPO”) using the details set out at the end of this Privacy Notice.

Our privacy commitment

OPSS (as part of DBT) is committed to protecting your privacy. We handle Personal Data in line with the UK GDPR at all times, as well as other laws which protect information and privacy. This includes, for example, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

In addition to the commitments set out in this Privacy Notice, we also operate in accordance with the data privacy rules set out in the DBT Personal Information Charter.

Scope

Please note this Privacy Notice only applies to the OPSS’ collection and use of Personal Data in relation to the UKMCAB Service. Information about how the OPSS processes Personal Data in relation to other services or gov.uk websites is set out in alternative privacy notices, accessible at the bottom of each website page. Please ensure you have reviewed and understand the applicable privacy notice to the service you are using.

What Personal Data is

“Personal Data” is defined under the UK GDPR as any information relating to an identified, or identifiable living individual. It includes information which on its own may not identify you, but which could lead to your identification if considered in combination with other pieces of information. It includes, but is not limited to, information such as your name, contact details, address and IP address.

It is our intention to be transparent about how we collect and use Personal Data, regardless of whether we have collected it from you directly or it has been provided to us by a third party.

How we collect Personal Data

We collect Personal Data both directly (from the individual it relates to) and indirectly (from a third party, other than the individual it relates to), in the following ways:

  • from CAB staff members, contractors and individuals otherwise authorised to act on their behalf (“Service Users”) when they set up profiles, or add information to the UKMCAB Service;
  • from UKAS and OGD staff members, contractors and individuals otherwise authorised to act on their behalf (“Service Managers”) when they use the UKMCAB Service;
  • from individuals who contact us to provide feedback or ask questions about the UKMCAB Service (“Third Parties”); and
  • when individuals (including Service Users, Service Managers and Third Parties) visit the UKMCAB Service website (“Service Website”), we collect data using Cookies and Google Analytics in line with the preferences they select.

Regardless of how we collect Personal Data, we are required to uphold the rights summarised in the ‘Your information rights’ section below.

What Personal Data we collect

DBT collects the following types of Personal Data from Service Users and Service Managers:

  • their name, contact details, role and employer;
  • details of which version of web browser they use; and
  • information about any questions, feedback or interactions they have with us in relation to the UKMCAB Service.

We collect the following types of Personal Data from Third Parties:

  • any details which they choose to provide us with such as their name and contact details;
  • details of which version of web browser they use; and
  • information about any questions, feedback or interactions they have with us in relation to the UKMCAB Service.

For information about what data we collect when individuals visit the UKMCAB Service website and how we use it, please refer to the ‘Analytics’ section below.

What Special Category Personal Data DBT collects

Under Article 9 of the UK GDPR, certain types of Personal Data are subject to additional protections (“Special Category Personal Data”). We do not currently collect or process any Special Category Personal Data in relation to the UKMCAB Service. If this changes, and we consider it necessary to process your Special Category Personal Data, we will notify you of the details of any such processing and the legal basis on which we rely to do so.

Why DBT asks for this information and how we use your Personal Data

DBT collects the information in order to fulfil its public functions.

We use Personal Data for the following purposes:

  • to maintain the UKMCAB Service so that Traders and members of the public can identify CABs;
  • to create individual accounts for Service Users and Service Managers so that they can access the UKMCAB Service and upload relevant information;
  • to capture feedback and questions regarding the UKMCAB Service, which allows us to improve it;
  • to interact with Service Users, Service Managers and Third Parties about any feedback or questions they have;
  • so that we can report on and analyse the distribution of CABs across the various legislative areas within the UKMCAB Service; and
  • to send email notifications to Service Users and Service Providers in line with any alerts they sign up to receive, to remind them of accreditation review dates and approval actions needed.

Analytics

We use Google Analytics software to collect information about how individuals use the Service Website (“Analytics Data”). This includes information about: (i) the pages you visit; (ii) how long you spend on each page; (iii) how you got to the Service Website; and (iv) what you click on while you’re visiting the Service Website.

We do not collect or store your personal information as part of the analytics process so this information cannot be used to identify who you are.

We collect Analytics Data in order to:

  • improve the Service Website by monitoring how you use it, for example by improving its search functionalities; and
  • gather feedback to improve the UKMCAB Service.

Information sharing

From time to time, we may share Personal Data with the following parties, for the reasons outlined:

  • individuals or parties we may be required to share Personal Data with to comply with our legal obligations such as a court, party to a proceeding or public body tasked with preventing fraud or other crime;
  • with other government departments, public authorities, law enforcement agencies and regulators where the Personal Data we hold will assist them with discharging their functions and we have a lawful basis for doing so;
  • in response to information requests, for example, under Freedom of Information (FOI) law or the Environmental Information Regulations (EIR);
  • where we are ordered to do so or where we are otherwise required to do so by law; and
  • with third party data processors as governed by contract.

We will take steps to anonymise information wherever possible when sharing information internally or with third parties. The process of anonymisation removes the personal identifiers from the information and thus means that the information no longer contains Personal Data.

We ensure that any third parties with whom we share Personal Data to process it on our behalf adopt equivalent or superior data protection standards to our own.

The legal basis for processing your personal data

In order for our use of Personal Data to be lawful, we are required to satisfy one or more of the lawful bases for processing which are prescribed by Article 6(1) of the UK GDPR.

The lawful basis we primarily rely on for processing Personal Data in relation to the UKMCAB Service is Article 6(1)(e) of the UK GDPR, that processing is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority.

When we receive, respond to and act upon feedback and questions relating to the UKMCAB Service, and when we process Analytics Data, the lawful basis we rely on is Article 6(1)(f), that processing is necessary for our legitimate interests. This is to ensure we can monitor and improve the UKMCAB Service and Service Website.

To the extent we use Personal Data to comply with law, whether in the context of proceedings or otherwise, the lawful basis we rely on is Article 6(1)(c), that processing is necessary for compliance with a legal obligation to which the OPSS is subject. For clarity, we do not rely on this legal basis for our day-to-day management of UKMCAB Services, we only rely on it as and when the law requires us to disclose or use Personal Data in a particular way.

Where your Personal Data is processed and stored

We host the UKMCAB Service and any Personal Data we collect in relation to it within the UK. We choose our systems and providers carefully to make sure that your Personal Data is as safe as possible while under our control. At present, we use a Microsoft Azure product for hosting the UKMCAB Service.

Overseas transfers

As noted in the previous section, we store Personal Data within the UK. We do not send or share your Personal Data outside of the UK. If this changes, we will notify you of the details of any such transfer and the mechanisms and protections in place to ensure the security of your Personal Data.

How long will DBT hold your data for

Under the UK GDPR, DBT will only retain your Personal Data for as long as needed to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. This is subject to statutory or professional retention periods which may require us to retain certain types of information for longer, or directions from law enforcement authorities to retain information related to proceedings.

We retain Personal Data in relation to the UKMCAB Service for 15 years from the date on which we received it, following which the data shall be reviewed for continued operational use and historical value. An organisation’s data will be archived within UKMCAB and removed from public view when an organisation’s accreditation(s) end.

Reference: 17.1
Category: Product Safety and Standards
Name: Accredited assessment bodies
Description: Records of accredited assessment bodies
Retention period: 15 years
Trigger: End of accreditation
Disposal action: Review for continued operational use and historical value
Comments and references to statute: General Product Safety Regulations 2005 (and other safety legislation); Public Records Act

If we decide that we need to process your personal data for a reason which is incompatible with the purposes for which we collected it, we will contact you to explain why we are doing this and why it is lawful to do so.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

How we protect Personal Data and keep it secure

To comply with our legal obligations under the UK GDPR, we are required to have appropriate technical and organisational measures in place to protect your Personal Data. We are committed to doing all that we can to keep your Personal Data secure, and have set out below some examples of the measures we have in place:

  • to prevent unauthorised access or disclosure of your Personal Data, we use varying levels of encryption and run regular penetration tests to assess our security standards;
  • access to the UKMCAB Service is restricted to those of our staff members who have a genuine need to access it, including by using passwords and unique login credentials; and
  • the use of two factor authentication (2FA) by internal UKMCAB Service users and administrators.

Your information rights

Under the UK GDPR, you have a number of rights in relation to your Personal Data. These include the right to:

  • be informed about how we use your Personal Data;
  • obtain access to your Personal Data that we hold;
  • request that your Personal Data is corrected if you believe it is incorrect, incomplete or inaccurate;
  • request that we erase your Personal Data in the following circumstances:
    • it is no longer necessary for the purposes for which we originally collected it;
    • we are relying on our legitimate interests as the legal basis for processing your Personal Data, and you object to our processing and there is no overriding compelling ground which enables us to continue;
    • we have processed it unlawfully (i.e. in breach of the requirements of the data protection legislation);
    • if it is necessary to delete it to comply with a legal obligation;
  • ask us to restrict our processing activities where you consider that:
    • your Personal Data is inaccurate;
    • our processing is unlawful and you oppose its erasure;
    • we no longer need your Personal Data but you require us to keep it to enable you to establish, exercise or defend a legal claim;
    • you have raised an objection to our use of your Personal Data and we are considering whether we have legitimate grounds which override your objection;
  • request a copy of certain Personal Data that you have provided to us in a commonly used electronic format, if we are relying on your consent or the performance of a contract for processing it;
  • object to our processing of your Personal Data where we are relying on our legitimate interests, our performance of a task carried out in the public interest or in the exercise of our official authority, in which case we will carry out an assessment to determine whether we have overriding legitimate grounds which entitle us to continue to process your Personal Data; and
  • not be subject to automated decisions which produce legal effects, or which could have a similarly significant effect on you.

If you would like further information on your rights, or the circumstances in which they apply or may be restricted, please contact our DPO for further information.

Changes to this Privacy Notice

From time to time, we may make changes to this Privacy Notice. In that case, the ‘last updated’ date at the bottom of this page will also change. For this reason, it is important you regularly check this page for updates.

Any changes to this Privacy Notice will apply to you and your Personal Data immediately. If these changes affect how your Personal Data is processed, OPSS will take reasonable steps to let you know. You can see previous versions of this Privacy Notice.

Contact us or make a complaint

Please contact our DPO if you have any questions about anything in this Privacy Notice, think that your Personal Data has been misused or mishandled, or you wish to make a complaint. Our DPO’s details are:

Data Protection Officer
Department for Business and Trade
Old Admiralty Building
Admiralty Place
London
SW1A 2DY
Email: data.protection@businessandtrade.gov.uk

If you have made a complaint to us about how we handle your Personal Data that we have not been able to resolve, you have the right to complain to the UK’s Information Commissioner’s Office (“ICO”). The ICO is the UK’s independent regulator of information rights, and their details are set out below:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

W: https://ico.org.uk/

Telephone: 0303 123 1113
Textphone: 01625 545860
Email: casework@ico.org.uk

You can find out more about your rights as a data subject, and details of how to contact our Data Protection Officer and the ICO in our main privacy notice.

This Privacy Notice was last updated on 23rd October 2024.
