Privacy notice

Last updated 9 October 2024

The purpose of this document

The Department for Business and Trade (DBT) is committed to protecting the privacy and security of your personal data, and the personal data you provide about other people. This privacy notice describes how we collect and use personal data in accordance with UK Data Protection Legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We are required under Data Protection Legislation to notify you of the information contained in this privacy notice. It is important that you read this notice, so that you are aware of how and why we are using your personal data.

What personal data we collect

Personal data we collect on applicants and individuals named on a licence, includes:

  • name
  • address
  • email address

We also collect:

  • name and email address of third parties applying on behalf of others
  • name and address of suppliers of sanctioned services
  • name, address and email address of businesses or people who are the end-users of sanctioned items

Why we need personal data

The information you provide will be processed by DBT and selected third parties in order to:

  • evaluate licence applications
  • understand the types of people and companies interested in our services
  • anonymise individuals’ personal data for data analysis purposes

Other purposes which may be relevant (to be considered on a case by case basis):

  • gather feedback to improve our services
  • respond to any feedback you send us, if you have asked us to
  • enable you to access and use government services
  • provide you with information about relevant services
  • monitor use of the site to identify security threats

Our lawful basis for processing personal data

The lawful basis for doing so is that it is necessary:

  • to perform a task in the public interest which is based in law (for example including but not limited to regulations made under section 13 and 16 of the Sanctions and Anti-Money Laundering Act 2018); and
  • as set out in section 8 of the Data Protection Act 2018 in the exercise of our functions as a government department.

How we share your personal data

We will, in some circumstances and where the law allows, share your data with other government departments, agencies, public bodies and third party service providers which may include, but are not limited to:

  • HM Revenue and Customs (HMRC)
  • other UK government departments, including but not limited to HM Treasury; Department for Culture, Media and Sport (DCMS); Department for Science, Innovation and Technology (DSIT); Department for Energy Security and Net Zero (DESNZ); and the Foreign, Commonwealth and Development Office (FCDO) – only where necessary for advice on licence applications
  • other UK government departments UK regulators and/or auditory bodies as needed, to monitor and implement trade sanctions

You will be notified if your information is shared with other third parties not included in this list, unless not required to do so under Data Protection Legislation.

Aggregated analysis of responses may also be shared with UK regulators and auditory bodies such as the Information Commissioner’s Office (ICO), the Government Internal Audit Agency (GIAA) and the National Audit Office (NAO).

We will not:

  • sell or rent your personal data to third parties
  • share your personal data with third parties for their marketing purposes

We will also share your data if we are required to do so by law or regulation. For example, by court order, or to prevent fraud or other crime.

Where we share your personal data for a Law Enforcement Purpose (as defined in section 31 DPA 2018), we will only share personal data if:

  • the sharing of the personal data is based on law (for example including but not limited to regulations made under section 13 and 16 the Sanctions and Anti-Money Laundering Act 2018); and
  • the sharing of the personal data is necessary for a law enforcement purpose.

How long we keep personal data

In line with our records management and retention and disposal policy, we will only retain your personal data and the personal data information you provide about others for as long as:

  • it is needed for the purposes set out in this document
  • the law requires us to.

Subject to the bullets above, we will retain your personal data for up to 15 years from the date on which it is provided or subsequently updated, in order to fulfil the purposes for which it was collected.

How we protect personal data and keep it secure

We are committed to doing all that we can to keep personal data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your data. For example, we protect your personal data using varying levels of encryption. All personal data is stored in the UK.

We also ensure that any third parties keep all personal data they process on our behalf secure.

Contacting you

We will use the personal data you provide to contact you about the ‘Apply for a licence to provide sanctioned trade services’ digital service or enquiry you have made.

Your rights

You have the right to request:

  • information about how your personal data is processed
  • a copy of any personal data we hold about you
  • that any inaccuracies in your personal data are corrected immediately

You can also:

  • raise an objection about how your personal data is processed
  • request that your personal data is erased if there is no longer a justification for it
  • ask that the processing of your personal data is restricted in certain circumstances

Contacting us

If you have any of these requests or have questions about this privacy notice and how we handle your personal information, contact:

Data Protection Officer
Department for Business and Trade
Old Admiralty Building
Whitehall
LONDON
SW1A 2DY
Email: data.protection@businessandtrade.gov.uk

DBT’s Data Protection Officer

DBT’s Data Protection Officer (DPO) is responsible for independent advice and monitoring of DBT’s use of personal information.

Contact the DPO with any concerns about how DBT handles your personal information.

Data Protection Officer
Department for Business and Trade
Old Admiralty Building
Whitehall
LONDON
SW1A 2DY
Email: data.protection@businessandtrade.gov.uk

Information Commissioner’s Office

Contact the Information Commissioner for independent advice about data protection, privacy and data-sharing issues.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Textphone: 01625 545860
Email: casework@ico.org.uk

Changes to this privacy notice

We may change this privacy policy. If we do, the ‘last updated’ date at the top of this page will also change. Any changes to this privacy policy will apply to you and your data immediately.

If these changes affect how your personal data is processed, DBT will take reasonable steps to let you know.

Confidentiality

Information provided whilst using this service, including personal information, may be disclosed in accordance with access to information regimes, primarily the Freedom of Information Act 2000 (FOIA).

If you want the information you provide to be treated confidentially, please be aware that, in accordance with the FOIA, public authorities are required to comply with a statutory code of practice which deals, amongst other things, with obligations of confidence.