Official Controls Regulations Privacy Notice 2020
Who collects your data
The controller is the Department for Environment, Food and Rural Affairs (Defra). Contact Defra’s Data Protection Officer at [email protected]
If you have any questions about how Defra uses your personal data and your associated rights, contact [email protected]
The Data Protection Officer responsible for monitoring how Defra meets the requirements of the legislation can be contacted at [email protected]
What data we collect
If you are a sole trader or a partner in an unincorporated partnership, your personal data would likely be:
- the name of the sole proprietorship or partnership
- other information about your business
Section 5(1)(a) of the Official Controls (Plant Protection Products) Regulations 2020 requires each operator to notify the competent authority (Defra):
- operator name (company name)
- activities carried out by the operator which relate to plant protection products (PPPs) and their components placed on the market and pesticides used in a sustainable manner
- addresses where these activities are carried out
Operators must provide an email address and phone number as part of their registration. In some cases, it may be personal data if it is the contact details of a specific person or employee of the organization.
Where we get your data from
Defra obtains the personal data listed in the “Form” sheet of PPP registration forms submitted to Defra.
Why we need your data
Competent authorities in Great Britain (Secretary of State for England, Scottish Ministers for Scotland, Welsh Ministers for Wales) are bound by Regulation (EU) 2017/625 of the European Parliament and of the Council retained to establish and maintain an up-to-date list of operators who place on the market or use PPPs and professional components in Great Britain.
Operators in Britain are also required under section 5 of the Official Controls (Plant Protection Products) Regulations 2020 to notify the competent authorities of their trading activity in relation to PPPs and components placed on the market. market and used by professionals.
To fulfill legal obligations, Defra collects information from operators on behalf of the Scottish and Welsh governments. This includes:
- company names
- site addresses
- site coordinates
Site contact information may include contact information for an employee or agent authorized to act on each operator’s behalf, with respect to the operator’s listing.
The list of operators will be used by the Health and Safety Officer to select companies for official controls in accordance with Regulation (EU) 2017/625 and the Official Controls (Plant Protection Products) Regulations 2020.
Our legal basis for processing your data
There are 2 legal bases in data protection law for the use of personal data by Defra. These are:
- where the processing (use) of personal data is necessary to comply with a legal obligation to which the controller (Defra) is subject, pursuant to Article 6(1)(c) of the UK GDPR
- where the processing (use) of personal data is necessary for the exercise of official authority vested in the controller under Article 6(1)(e) of the UK GDPR
Your legal obligation to provide your data
As an operator, you are required by law under section 5(1)(a) of the Official Controls (Plant Protection Products) Regulations 2020 to notify the competent authority (Defra):
- operator name (i.e. company name)
- activities carried out by the operator that relate to PPPs and components and the sustainable use of pesticides
- addresses where these activities are carried out
If you are a sole trader or a partner in an unincorporated partnership, this will likely be your personal data. The law requires you to provide this information.
The Official Controls (Plant Protection Products) Regulations 2020 do not specifically include contact details for company locations. However, these details are reasonably required by Defra to:
- ensure that completed forms submitted by or on behalf of operators are genuine
- check and confirm the details provided by the company
What happens if you do not provide the data
If you are a trader and do not provide information about your business, you will not comply with your legal obligation to inform the competent authority (Defra) under Regulation 5 of the Official Controls (Products) Regulations 2020 phytosanitary).
Failure to provide the required data is an offense that may result in enforcement action being taken.
Defra does not specifically request personal data, but instead requires contact information for company sites. These may include the personal data of an employee or agent authorized to act as a representative of the company. If an employee does not wish to provide their personal data for such purposes, details of another person authorized to act as a representative of the company should be submitted.
With whom your data will be shared
Defra will share your personal data with the Health and Safety Executive (HSE) for the purposes of the enforcement of the Official Controls (Plant Protection Products) Regulations 2020.
Defra will also share data from operators who have sites in Scotland and Wales with the Scottish and Welsh governments respectively. This is in accordance with Regulation 4 of the Official Controls (Plant Protection Products) Regulations 2020.
When the Scottish and Welsh governments have received this data from Defra, it means that they have been made aware of the operators’ business activities as competent authorities. This notification is required by Regulation 5 of the Official Controls (Plant Protection Products) Regulations 2020.
How we protect your data and keep it safe
We are committed to doing everything possible to ensure the security of your data. We have systems and processes in place to prevent unauthorized access or disclosure of your data. For example, we protect your data using different levels of encryption.
We also ensure that the third parties we deal with keep securely any personal data they process on our behalf.
How long do we keep your data
We will retain data submitted via PPP registration forms for as long as we need to maintain an up-to-date list of PPP operators. We are required to do so as the competent authority, pursuant to Article 10 of Regulation (EU) 2017/625 retained.
We will only delete data relating to a site or a company after 2 years if we are informed or become aware that:
- a site has permanently closed
- the business has gone out of business for some reason
Find out about your individual rights under data protection law.
You have the right to to complain to the Information Commissioner’s Office at any time.
Defra Personal Information Charter
Defra’s personal information charter explains in more detail your rights in relation to your personal data.