Full privacy notice for DIT clients
- I am an individual who belongs to Department for International Trade (DIT) Clients. These include UK exporters, UK or foreign importers, third party suppliers, other public sector organisations, private corporate investors, etc.
- I am an individual who is interested in trading or planning to open a trading enterprise.
- I am an organiser of, or attendee at, DIT trade events or roadshows.
- I am a visitor at DIT premises.
The purpose of this document
This privacy notice explains what personal data (information) we will hold about you, how we collect it, and how we will use and may share information about you during the application process. We are required to notify you of this information, under data protection legislation. Please ensure that you read this notice and any other similar or shorter notices we may provide you with from time to time when we collect or process personal information about you.
The Department for International Trade is committed to protecting the privacy and security of your information in accordance with UK Data Protection legislation, including the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
DIT is a “controller”. This means that we are responsible for deciding how we hold and use personal information about you.
What data we collect about you
We process (collect and use) the following personal information about you:
- private contact information (such as name, business postal address including country and city, business e-mail address, and business phone number)
- business contact and other information (such as job title, department, name of company, size of your company, industry the company is in, how you heard about DIT and information about your dealings with DIT)
Why we need your data and how we use it
We will typically collect and use this information for the following purposes.
To perform a task in the public interest
- to let you create a User Account on great.gov.uk and sign into that User Account with your email address
- providing you with relevant information about investing in the UK or abroad
- matching you to the right UK trade and investment opportunities
- directing you to appropriate advice, events and services
- understanding barriers to trade and investment and design policies or implement measures to overcome them
- designing effective and intelligent trade and investment policies, and services
- researching, developing and improving products and services
- developing and maintaining digital services which will support the objectives in the public interests of DIT
- managing relationships with businesses, maintaining and promoting contact with existing and prospective clients, and development,
- targeting financial support at businesses to secure trade and investment opportunities
To take steps to enter - or fulfil - a contract with you
Legal and/or regulatory compliance, such as:
- trade control, anti-money laundering, bribery and corruption laws, or any other applicable law or regulation.
- for litigation and defence of legal claims.
Business management and execution, including:
- financial management, account management, customer service, implementation of controls, management reporting, analysis
- performing budgetary analysis, reporting budget to the Treasury
- registering you for trade events and taking your payments
- internal audits and investigations
- granting you access to our websites and prospectuses, monitoring use of the site to identify security threats
- authentication of individual status and access rights
When you provide your personal information when you contact us, you may be given the option to provide your consent for us to contact you by email or telephone for direct marketing communications. You will only receive these communications if you have given your consent. If you provide your consent for direct marketing, you have the right to unsubscribe at any time. For email marketing, you can do so using the ‘unsubscribe’ link included in the marketing emails. For telephone marketing, you should inform the caller that you no longer wish to be contacted.
- execution and analysis of market surveys and marketing strategies
Health, safety and security, including:
- protection of DIT employees and assets
- building access and security at premises
- security and health and safety when organising and holding trade events and roadshows
- occupational health and safety
- protection of an individual’s life
Communicating with you
We will use the personal information you provide us with to contact you about the specific service/s you have used or enquiries you have made.
Failure to provide us with accurate information about you will impact our ability to communicate with you, to provide you with a level of service that meets your expectations, or to enter into a contract with you or continue to contract with you.
We seek to ensure that our information collection and processing is always proportionate. We will notify you of any changes to information we collect or to the purposes for which we collect and process it.
Where do we obtain your information from?
Information that you give us
You give us your information in many ways, including:
- by visiting our websites, interacting with our tools, using our digital services. For example
- when visiting Great.gov.uk and
- creating a company profile on our websites
- populating our online forms and/or completing our surveys
- when you download our investment prospectus
- when you contact us about investing capital in the UK and/or buying from the UK
- in any communications you make with us via phone, email, post, websites, social media or otherwise
- when you visit us at our buildings and premises and your image is captured on our CCTV cameras
- when you register, pay for, and attend trade events
Information we may obtain about you
In order to fulfil our duties in the public interest, protect our employees and assets, and comply with legal and regulatory obligations, such as trade control, anti-money laundering, bribery and corruption laws and other regulatory requirements, DIT may carry out checks on existing or potential Commercial Clients, both on a pre-contract basis and periodically post-contract.
We may verify the background of individuals - such as directors, officers, sole traders, shareholders and key stakeholders - of our current or potential Commercial Clients.
We may check you against:
- publicly available information about your company or business activities
- any government-issued sanctions lists or blacklists
- media sources, including social media.
We may also check data regarding your suspected or actual criminal behaviour, criminal records or proceedings regarding criminal or unlawful behaviour but only for the purposes of ensuring DIT’s compliance with legal and regulatory obligations and/or to the extent we are allowed by UK and local overseas laws.
Our legal basis for processing your data
The personal data covered by this privacy notice are processed:
- to perform our public tasks
- for the exercise of our functions as a government department
- in order to take steps prior to entering into a legal contract
- to fulfil a contractual obligation DIT has already entered with you
- where it is necessary to comply with legal or regulatory obligations to which DIT is subject
- for our legitimate interests or those of a third party. Where our processing of your information is based solely on our legitimate interests (or those of a third party), you have the right to object to that processing if you give us specific reasons why you are objecting, which are based on your particular situation. If you object, we can no longer process your information unless we can demonstrate legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims. Please refer to the section on “Your rights” for more information on how to exercise your right to object or contact our DPO at firstname.lastname@example.org
- to protect your life where necessary
- with your explicit consent – for example, for marketing communications. When our processing is based on your consent - and subject to applicable local laws - you have the right to withdraw your consent at any time. This will not affect the validity of the processing prior to the withdrawal of consent.
- To withdraw your consent, please contact the Data Protection Team at email@example.com (details provided in the “Contacting us” paragraph at the end of this notice). Once we have received notification that you have withdrawn your consent, we will no longer process your application and, subject to our retention policy, we will dispose of your personal data securely and in line with our Retention and Disposal Policy. Please refer to section “How long we keep your data” or contact our DPO at firstname.lastname@example.org.
From time to time, after you have contacted us or you have signed up to one of our websites, used our tools or services, we may send you related information which we feel would benefit your business or would enable DIT to understand your business needs and improve our services. These include:
- information on trade related events
- the latest overseas business opportunities
- industry news related to trade and investment
- new publications
- information about our services and those of our partners
You have the right to opt-out at any time from receiving such information by writing to our Information Rights Team or to our Data Protection Officer. For contact details, please refer to section on “Contacting us” at the end of this notice.
How we may share your information
We will only share your personal information with third parties for the purpose of taking steps to enter a contract with you, or to fulfil our contractual obligations to you. Other purposes are also listed in the section on “Why we need your data and how we use it” above. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
Where the law allows us, we may share your data with other recipients, e.g. Government Departments, public agencies or bodies, business companies, third-party service providers, or markets applied for. These may include:
- Government Digital Service (GDS)
- Her Majesty’s Government (HMG) IT services
- Her Majesty’s Revenue and Customs (HMRC)
- Other UK Government Departments, including but not limited to the Foreign and Commonwealth Office, the Department for Business, Energy and Industrial Strategy, the Department for International Development and UK Export Finance, Ministry of Defence (MOD), Office for National Statistics
- National Cyber Security Centre (NCSC)
- UK Shared Business Services
- Local Enterprise Partnerships and trade bodies
- Devolved Administrations
- UK Regional Delivery Partners
- Investment Support Service (ISSs)
- Metropolitan Police
- Serious Fraud Office (SFO)
- GOV Pay
- Amazon Web Services (AWS)
- UK CLOUD
- Organisations contracted by DIT to deliver investment support services, including Ernst & Young and OCO Global
- Organisations contracted by DIT to provide marketing and communications services, including M&C Saatchi, Manning Gottlieb OMD, TMW Unlimited, Aventri and Populus
- Kantar Public
- Gyro (and subsidiary Fetch)
- Google Analytics
- DIT’s delivery partners Bray Leino and M Integrated Services
- DIT’s overseas delivery partners
- Overseas Buyers
- Event organisers
- EU (for steel and aluminium)
Data will also be shared with the Marketplaces which are applied for, e.g.:
- China Britain Business Council
- UK Export Finance
- Amazon France, Germany, Italy, Spain, Canada, USA, India, Mexico, Japan, China, Spain, UAE, Australia
- Royal Mail T-Mall
- Mercado Libre
- Trade Me
- Newegg.com, Newegg Business, Newegg Canada
- JD Worldwide
- The Iconic
- SF Best
We will not:
- sell or rent your data to third parties
- share your data with third parties for their own marketing purposes.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with our Data Protection Policy [in progress]. Aggregated analysis of information may be shared with the Information Commissioner’s Office (ICO), the Government Internal Audit Agency (GIAA), and the National Audit Office (NAO).
For more information about Aggregate Data, or for a copy of our Data Protection Policy, please contact our DPO at email@example.com (full contact details are provided in the section “Contacting us”).
We will also share your data if we are required to do so by law or regulation, or to counteract fraud or other crime.
Information provided whilst using our digital services - including personal information - may be published or disclosed in accordance with the Freedom of Information Act 2000 (FOIA). For this purpose, we will anonymise or aggregate information as appropriate to ensure minimisation, privacy and confidentiality. For more information, please contact the Head of Information Rights Unit (details provided in “Contacting us” section).
How long we keep your data
We will keep your personal information while you have an account with us or we are providing our services to you. Thereafter, we will keep your personal information for as long as is necessary:
- to respond to any questions, complaints or claims made by you or on your behalf;
- to show that we treated you fairly;
- to keep records required by law.
We will not retain your personal information for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information.
For more information, please refer to DIT’s Retention and Disposal Policy and Schedules, or contact the DPO at firstname.lastname@example.org (full contact details are provided in the “Contacting us” section), who will be able to share them if required. When it is no longer necessary to retain your personal information, we will delete or anonymise it.
How we protect your data and keep it secure
We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
This is in line with our DIT Information Security Policy. If you have any questions – or want to see a copy of our DIT Information Security Policy – please contact the DPO at email@example.com (full details in “Contacting us” section).
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org.
From time to time information may be stored in or accessed from countries outside the European Economic Area. Where this may happen, we always make sure that there are appropriate safeguards in place, such as standard contractual clauses, binding corporate rules or the EU-US Privacy Shield, to guarantee that your information – and your rights – are protected to the same high standard as under UK Data Protection legislation.
Your information is generally stored on servers and filing systems in the UK or the European Economic Area. From time to time, it may be stored in or accessed from countries outside the European Economic Area. Where this may happen, we always make sure that there is:
- an adequacy decision between the EU and the third country or
- the EU-US Privacy Shield, for transfers from the EEA to the US.
In the absence of the above, appropriate safeguards must be in place, such as:
- a legally binding and enforceable instrument between public authorities or bodies, which provides appropriate safeguards for your rights and freedoms and it is legally binding and enforceable
- binding corporate rules
- standard contractual clauses adopted by the European Commission, which have been recognised as providing adequate protection to personal information transferred outside the EEA
When these clauses are included in a contract with one of the companies we work with, it means that if they transfer your information outside the EEA, they must make sure that your information is just as safe as it is in the EEA. This includes:
- standard data protection clauses adopted by a supervisory authority and approved by the European Commission similar to those adopted by the Commission (per above), but they will be first adopted by the supervisory authority and then approved by the Commission
- a code of conduct approved by a supervisory authority together with binding and enforceable commitment to it by the receiver outside the EEA
- certification under an approved certification mechanism together with the binding and enforceable commitment of the receiver outside the EEA
- contractual clauses authorised by a supervisory authority (Note: At present the ICO is not authorising such contractual clauses)
- administrative arrangements between public authorities or bodies (e.g. a Memorandum of Understanding) which include enforceable and effective rights for the individuals whose personal data is transferred, and which have been authorised by a supervisory authority
You can obtain a copy of the safeguards we have in place by writing to our DPO at firstname.lastname@example.org (for full contact details, please refer to section “Contacting us”).
Exemptions under art 49(1) GDPR
In the absence of an adequacy decision or appropriate safeguards, the law allows us to go ahead with the transfer outside the EEA if:
(a) you have explicitly consented to the proposed transfer, after we have informed you of the possible risks of such transfers;
(b) the transfer is necessary for the performance of a contract between DIT and yourself or the implementation of pre-contractual measures taken at your request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in your interest between DIT and another natural or legal person;
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary in order to protect your or someone else’s life, where the data subject is physically or legally incapable of giving consent;
(g) the transfer is made from a public register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest
(h) we are making a one-off restricted transfer and it is in our compelling legitimate interests.
Your rights in connection with personal information
Under current data protection legislation, you have several rights in respect of your information and the way we use it. Some of these rights only apply in certain situations. We explain below what rights you have, what these mean and how they apply to the way we use your information.
Access your information
You can ask for:
- confirmation that we process your personal information
- a copy of your personal information that we hold and
- other information about how we process your information
We will provide you with a copy of your personal information which we hold unless the data protection laws provide an exception that we decide to rely on, for example where there are ongoing court proceedings. We may also edit out the names of any other individuals to protect their privacy.
Wherever possible, we will provide you with a copy of your personal information in the same manner you make your request unless we agree otherwise with you.
Have your information rectified
You can ask us to rectify your information if it is not accurate, complete or up to date.
We will update or correct your information, although sometimes we may need to ask you to provide evidence to confirm the changes.
Have your information erased
This is also known as the right to be forgotten.
You can ask us to delete your information where:
- we no longer need it
- we rely on your consent to use your information and you withdraw it
- you object to our processing it and we have no overriding legitimate grounds to continue processing it or
- we are legally required to delete it
This right does not apply if we need the data:
- to comply with a legal obligation
- to fulfil our tasks carried out in the public interest or in the exercise of our official authority
- to exercise our right of freedom of expression and information
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing, or
- to establish, exercise or defend legal claims.
Restrict our processing of your information
You may ask us to restrict our processing of your personal information where:
- you believe the information we hold about you is inaccurate while we check whether it is accurate
- we no longer need your information, but you need it to establish, exercise or defend a legal claim
We will not process your personal information whilst we consider your request. However, we will still be able to process your personal information for the purposes of any ongoing court or other legal proceedings.
We will inform you if we begin processing your personal information again and explain why.
Have your information transferred to you and/or a third party
This is also known as the right to data portability. You can ask us to provide you with a copy of the information which you have provided to us and which we hold electronically.
This right only applies to the information which you have provided to us which we hold electronically. It does not apply to information that we collect to comply with our legal obligations.
We will provide this information to you in a commonly used and machine-readable format.
Object to our processing of your information, including profiling
You can object to our use of your information, including profiling, unless:
- we have compelling legitimate grounds for using your information or
- we need to use your information to establish, exercise or defend a legal claim, for example where there are ongoing court proceedings.
Not to be subject to an automated decision
This right is not applicable to you since we do not perform any processing activity based solely on automated decision-making.
Timeline for responding to a data subject right
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the DPO in writing at email@example.com. For full contact details, please refer to section “Contacting us”. We will always do our best to respond to your request within one month of receiving an information right request and any additional information we need to confirm your identity and understand your request.
However, sometimes we may need some more time to deal with your request, particularly if it is complicated. Where this happens, we will write to you within one month and let you know why we need some more time and when we will provide you with our response.
If we are unable to carry out your request, we will send you a response explaining why.
If you have any of these requests or have questions about this privacy notice and how we handle your personal information, contact:
Data Protection Officer
The Data Protection Officer (DPO) is responsible for independent advice and monitoring of DIT’s use of personal information.
Contact the DPO with any concerns about how DIT handles your personal information.
Data Protection Officer
Department for International Trade
Old Admiralty Building
The DPO provides independent advice and monitoring of our use of personal information.
We hope that the Data Protection Officer can resolve any query or concern you may raise about our use of your information.
The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted using the details below.
Information Commissioner's Office
0303 123 1113
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time and we will provide you with a new privacy notice if we make any substantial updates.
Identity and contact details
The Department for International Trade is registered as a Data Controller under the General Data Protection Regulation and Data Protection Act 2018.
Our contact details are:
Data Protection Team
Old Admiralty Building