Skip to main content
  1. Home

Main privacy notice of the Department for Business and Trade

The purpose of this document

This privacy notice explains how the Department for Business and Trade (DBT) uses your information (‘personal data’). Unless otherwise stated, DBT is the ‘controller’ of the personal data we process. This means that we are responsible for deciding how and why we process your personal data.

We are committed to protecting the privacy and security of your personal data in accordance with data protection legislation, including the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

In addition to this general privacy notice, when you interact with us, we may provide you with more specific information about how we will process your personal data.

Why we need your information and how we use it

DBT collects and uses (‘processes’) personal data for a range of purposes. Why and how we process your personal data depends on the nature of your interaction with us, and you should refer to any specific privacy information you have been provided.

Examples of our purposes for processing include:

To perform our tasks and functions as a government department

For example:

  • communicating with you about the DBT service(s) you are using or enquiries you have made
  • matching you to and contacting you about other services, events or information which we think you may be interested in
  • facilitating your access to our websites, including allowing you to create a user account on great.gov.uk
  • designing effective business and trade policies, products and services, including inviting you to participate in relevant research
  • managing our relationship with you / your business

To take steps to enter into or fulfil a contract with you

For example:

  • taking payment from you

To comply with our legal or regulatory obligations

For example:

  • trade control, anti-money laundering, bribery and corruption laws, or any other applicable law or regulation
  • litigation and defence of legal claims

Business management and execution

For example:

  • financial management, account management, customer service, implementation of controls, management reporting, analysis
  • performing budgetary analysis, reporting budget to the Treasury
  • internal audits and investigations
  • granting you access to our websites and prospectuses, monitoring use of the site to identify security threats
  • authentication of individual status and access rights

Marketing

When you provide your personal information when you contact us, you may be given the option to provide your consent for us to contact you by email or telephone for direct marketing communications. You will only receive these communications if you have given your consent.

If you provide your consent for direct marketing, you have the right to unsubscribe at any time. For email marketing, you can do so using the ‘unsubscribe’ link included in the marketing emails. For telephone marketing, you should inform the caller that you no longer wish to be contacted.

Health, safety and security

This includes:

  • protection of DBT employees and assets
  • building access and security at premises
  • security and health and safety when organising and holding trade events and roadshows
  • occupational health and safety
  • protection of an individual’s life

Communicating with you

We will use the personal information you provide us with to contact you about the specific service/s you have used or enquiries you have made.

Failure to provide us with accurate information about you will impact our ability to communicate with you, to provide you with a level of service that meets your expectations, or our ability to enter into a contract with you or continuing to contract with you.

From time to time, after you have contacted us or you have signed up to one of our websites, used our tools or services, we may send you related information which we feel would benefit your business or would enable DBT to understand your business needs and improve our services.

These include:

  • information on trade related events
  • the latest overseas business opportunities
  • industry news related to trade and investment
  • new publications
  • information about our services and those of our partners
  • surveys

You have the right to opt-out at any time from receiving such information. For contact details, please refer to the section on “contacting us”.

What information we collect about you

Depending on how you interact with us, we may process the following information about you:

  • name
  • contact details, such as email address, postal address, phone number, job title, and organisation (employer name)
  • business information (where this also constitutes your personal data, for example, if you are a sole trader)
  • opinions and feedback, for example, about our services
  • internet protocol (IP) address
  • dietary requirements
  • accessibility requirements
  • travel arrangements
  • diversity data, such as gender, ethnicity, sexual orientation and disability status
  • copies of identity documents, such as a passport or driving license

Occasionally, we may need to collect information about you which is not on this list.

Where do we obtain your information from?

Information that you give us

You give us your personal data in many ways, including:

  • by visiting our websites, interacting with our tools, using our digital services. For example
  • when visiting Great.gov.uk
  • creating a company profile on our websites
  • populating our online forms and/or completing our surveys
  • when you download our investment prospectus
  • when you contact us about investing capital in the UK and/or buying from the UK
  • in any communications you make with us via phone, email, post, websites, social media or otherwise
  • when you visit us at our buildings and premises and your image is captured on our CCTV cameras
  • when you register, pay for, and attend trade events

Information we may obtain about you

In order to fulfil our duties in the public interest, protect our employees and assets, and comply with legal and regulatory obligations, such as trade control, anti-money laundering, bribery and corruption laws and other regulatory requirements, DBT may carry out checks on existing or potential Commercial Clients both on pre-contract basis and post-contract periodically.

We may verify the background of individuals - such as directors, officers, sole traders, shareholders, and key stakeholders - of our current or potential Commercial Clients.

We may check you against:

  • publicly available information about your company or business activities
  • any government’s issued sanctions lists or blacklists
  • media sources – including social media

We may also check data regarding your suspected or actual criminal behaviour, criminal records or proceedings regarding criminal or unlawful behaviour but only for the purposes of ensuring DBT’s compliance with legal and regulatory obligations and/or to the extent we are allowed by UK and local overseas laws.

Our legal basis for processing your information

Depending on the processing in question, we will rely on one of the following lawful bases (under Article 6 of the GDPR) to process your personal data:

  • to perform our tasks and functions as a government department
  • to take steps prior to entering into a contract with you
  • to fulfil our obligations under a contract we already have with you
  • to comply with legal or regulatory obligations to which DBT is subject
  • to exercise our legitimate interests or those of a third party.
  • where you have consented to the processing
  • where the processing is necessary to protect your life or the life of another person

Please refer to any privacy notice you have been provided for more specific information.

How we may share your information

We may share your personal data with third parties, including for the purposes set out in the ‘Why we need your information and how we use it’ section of this notice.

Our third-party data processors are required to take appropriate security measures to protect your personal information in line with our policies.

We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

In addition to our data processors, we may share your data with other recipients, including the following categories of recipient:

  • other government departments, public agencies or bodies
  • third party service providers (where not our data processors)
  • event partners and sponsors, where you register to one of our events
  • other businesses, companies and organisations, in the course of our services
  • law enforcement agencies and regulators
  • the National Archives, for archival purposes

Where not exempt, we may be required to disclose your information in response to information requests, for example under Freedom of Information (FOI) law or the Environmental Information Regulations (EIR).

Where necessary in order to exercise, establish or defend a legal claim, we may disclose your information to a court, tribunal or other party.

We will not:

  • sell or rent your data to third parties
  • share your data with third parties for their own marketing purposes.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature.

However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with our Data Protection Policy [in progress]. Aggregated analysis of information may be shared with the Information Commissioner’s Office (ICO), the Government Internal Audit Agency (GIAA), and the National Audit Office (NAO).

For more information about Aggregate Data, or for a copy of our Data Protection Policy, please contact our DPO at data.protection@businessandtrade.gov.uk (full contact details are provided in the section on “contacting us”).

We will also share your data if we are required to do so by law or regulation, or to counteract fraud or other crime.

Information provided whilst using our digital services - including personal information - may be published or disclosed in accordance with the Freedom of Information Act 2000 (FOIA). For this purpose, we will anonymise or aggregate information as appropriate to ensure minimisation, privacy and confidentiality. For more information, please contact the Head of Information Rights Unit (details provided in the section on “contacting us”).

How long we keep your information

DBT will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Different retention periods apply for different types of personal data and purposes for processing. Please refer to any specific privacy notice you were provided for more specific information.

If we decide that we need to process your personal data for a reason which is incompatible with the purposes for which we collected it for, we will contact you to explain why we are doing this and why it is lawful to do so.

For more information, please refer to our specific privacy or contact the DPO at data.protection@businessandtrade.gov.uk (full contact details are provided in the section on “contacting us”) who will be able to share our refer to DBT’s Retention and Disposal Policy and Schedules if required. When it is no longer necessary to retain your personal information, we will delete or anonymise it.

How we protect your data and keep it secure

We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach.

We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. Our third-party data processors are required to take appropriate security measures to protect your personal information in line with our policies.

If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org.

From time-to-time your personal data may be stored in or accessed from countries outside the UK or European Economic Area. Where is the case we always will always implement an appropriate safeguard, such as putting in place an international data transfer agreement with the recipient, to ensure your data is adequately protected, unless an exception applies.

Your rights

Under data protection legislation, you have several rights in connection to your information and the way we use it. Some of these rights only apply in certain situations. This section explains what rights you have, what these mean and how they apply to the way we use your information.

Access your information

You can ask for:

  • confirmation that we process your personal information
  • a copy of your personal information that we hold and
  • other information about how we process your information

We will provide you with a copy of your personal information which we hold unless the data protection laws provide an exception that we rely on.

Have your information rectified

You can ask us to rectify your information if it is not accurate, complete or up to date.

We will update or correct your information, although sometimes we may need to ask you to provide evidence to confirm the changes.

Have your information erased

This is also known as the right to be forgotten.

You can ask us to delete your information where:

  • we no longer need it
  • we rely on your consent to use your information and you withdraw it
  • you object to our processing it and we have no overriding legitimate grounds to continue processing it or
  • we are legally required to delete it

This right does not apply if we need the data:

  • to comply with a legal obligation
  • to fulfil our tasks carried out in the public interest or in the exercise of our official authority to exercise our right of freedom of expression and information
  • for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing, or
  • if we need the information to establish, exercise or defence of legal claims.

Restrict our processing of your information

You may ask us to restrict our processing of your personal information where:

  • you believe the information we hold about you is inaccurate while we check whether it is accurate
  • we no longer need your information, but you need it to establish, exercise or defend a legal claim

We will not process your personal information whilst we consider your request. However, we will still be able to process your personal information for the purposes of any ongoing court or other legal proceedings.

We will inform you if we begin processing your personal information again and explain why.

Have your information transferred to you and/or a third party

This is also known as the right to data portability. You can ask us to provide you with a copy of the information which you have provided to us and which we hold electronically.

This right only applies to the information which you have provided to us which we hold electronically. It does not apply to information that we collect to comply with our legal obligations.

We will provide this information to you in a commonly used and machine-readable format.

Object to our processing of your information, including profiling

You can object to our use of your information, including profiling unless:

  • we have compelling legitimate grounds for using your information
  • we need to use your information to establish, exercise or defend a legal claim, for example where there are ongoing court proceedings

Not to be subject to an automated decision

This right is not applicable to you since we do not perform any processing activity based solely on automated decision.

Timeline for responding to a data subject right

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the DPO in writing at data.protection@businessandtrade.gov.uk. For full contact details, please refer to the section on “contacting us”.

We will always do our best to respond to your request within one month of receiving an information right request and any additional information we need to confirm your identity and understand your request.

However, sometimes we may need some more time to deal with your request, particularly if it is complicated. Where this happens, we will write to you within one month and let you know why we need some more time and when we will provide you with our response.

If we are unable to carry out your request, we will send you a response explaining why.

Contacting us

To exercise any of your privacy rights, make a complaint about how your personal data has been processed, or ask any questions about this privacy notice, contact us at:

Data Protection Officer
Department for Business and Trade
Old Admiralty Building
Whitehall
LONDON
SW1A 2DY
Email: data.protection@businessandtrade.gov.uk

The Data Protection Officer (DPO) provides independent advice and monitoring of our use of personal information.

We hope that the DPO can resolve any query or concern you may raise about our use of your information.

You can also submit a complaint to the Information Commissioner’s Office (ICO) at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
Website: https://ico.org.uk/
Tel: 0303 123 1113

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time and we will provide you with a new privacy notice if we make any substantial updates.

Identity and contact details

DBT are registered as a Data Controller under the General Data Protection Regulation and Data Protection Act 2018.

Our contact details are:

Data Protection Team
Old Admiralty Building
Whitehall
LONDON
SW1A 2DY

Email: data.protection@businessandtrade.gov.uk

Privacy notices for great.gov.uk services

See more detailed privacy notices for specific DBT services.

Privacy notices

Something went wrong. Please try again.

Was this page useful?

Thanks for letting us know

Can you tell us why this page was useful?

Do not share any personal or commercially sensitive information.

Cancel

Thanks for letting us know

Can you tell us more about your feedback?

Do not share any personal or commercially sensitive information.

Cancel

Thanks for your feedback