The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Purpose and lawful basis for processing

Our purpose for collecting personal data during the fee payment process is so that we can contact you about your fee payment or about any other queries relating to your compliance with the legislation we oversee. 

The lawful basis we rely on to process your personal data is article 6(1)(e) of the UK GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

This applies to all organisations or sole traders required to pay a data protection fee. 

What we need

If you are required to pay a fee, we need to take certain personal information from you during the course of the process. This includes the name and contact details of the person who is responsible for paying the fee and your Data Protection Officer (DPO) if you have one. We’ll also take payment information including account details if you are paying via direct debit.

Why we need it

We need to collect payment information, for example your credit or debit card, or your bank account details, so that we can process your payment.

We need contact information to send fee payment reminders and to raise any queries we may have about your payment. 

We may also contact you if we have a query outside the fee process, about how your organisation processes personal data, if we don’t have a separate contact point for queries.

What we do with it

We will use the payment and contact details you provide to process your payment of the data protection fee.

We include some of the information you provide in a register of fee payers, which we make publicly available to search on our website and download as a dataset.

This will include the name and address of your organisation. As a controller, you are required to make an address available for data subjects to easily make contact with you in the event that they want to exercise their rights or ask you questions.

If you are a sole trader or small organisation we understand that the address you use in the course of your business might be a domestic address. If this is the case, and you do not want the address to be made public on the register of controllers, please provide a PO Box or alternative address instead. 

If you provide DPO details, we’ll publish their contact details. We’ll also ask if we can publish their name. If you select ‘yes’, their name will be published. We encourage you to be transparent about the identity of your DPO.

If we issue you with a Penalty Notice and you fail to pay the fee and/or penalty within the stated timeframe we will pass registration information including the name and address of the person we sent the Penalty Notice to, onto our external solicitors so they can recover the outstanding amount.

How long we keep it

For information about how long we hold personal data, see our retention schedule.

What are your rights?

We process personal data contained in fee payments in our capacity as a regulator, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. 

If you need to change the details we hold please contact us.

For more information on your rights, please see ‘Your rights as an individual’.

Do we use any data processors?

Yes. We use Global Payments to take card payments. For direct debit payments, we use a third party service provided by Data-8 to check that bank account and sort code information is correct, and the BACS service to process the payment.

We use external solicitors for the recovery of unpaid fees and penalties.

We use Corporate Document Services Ltd for our mailing where we are required to send correspondence by post.

We use Restore Document Management who provide a digital mailroom service for opening and scanning our post.