The ICO exists to empower you through information.

Purpose and lawful basis for processing

Our purpose for collecting personal data during the fee payment process is so that we can contact you about your fee payment or about any other queries relating to your compliance with the legislation we oversee. We may also send you information about our guidance or events to help you comply with the legislation we oversee or contact you to request your feedback about the services we provide. 

The lawful basis we rely on to process your personal data is article 6(1)(e) of the UK GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

This applies to all organisations or sole traders required to pay a data protection fee.

What we need

If you are required to pay a fee, we need to take certain personal information from you during the course of the process. This includes the name and contact details of the person who is responsible for paying the fee and your Data Protection Officer (DPO) if you have one. We’ll also take payment information including account details if you are paying via direct debit.

Why we need it

We need to collect payment information, for example your credit or debit card, or your bank account details, so that we can process your payment.

We need contact information to send fee payment reminders, to raise any queries we may have about your payment and to send you additional information to help you comply with the legislation we oversee. 

We may also contact you if we have a query outside the fee process, about how your organisation processes personal data, if we don’t have a separate contact point for queries.

What we do with it

We will use the payment and contact details you provide to process your payment of the data protection fee.

We include some of the information you provide in a register of fee payers, which we make publicly available to search on our website and download as a dataset.

This will include the name and address of your organisation. As a controller, you are required to make an address available for data subjects to easily make contact with you in the event that they want to exercise their rights or ask you questions.

If you are a sole trader or small organisation we understand that the address you use in the course of your business might be a domestic address. If this is the case, and you do not want the address to be made public on the register of controllers, please provide a PO Box or alternative address instead. 

If you provide DPO details, we’ll publish their contact details. We’ll also ask if we can publish their name. If you select ‘yes’, their name will be published. We encourage you to be transparent about the identity of your DPO.

We may share some of your registration and contact details with HMRC to help us identify businesses registered with HMRC that may also need to pay us the data protection fee.

If we issue you with a Penalty Notice and you fail to pay the fee and/or penalty within the stated timeframe we will pass registration information including the name and address of the person we sent the Penalty Notice to, onto our external solicitors so they can recover the outstanding amount.

We may send you information about our guidance or events to help you comply with the legislation we oversee.

We may also contact you to ask if you would be interested in participating in a customer satisfaction survey or similar research about the services we provide. If you would like to be included, we will pass your name and email address onto a third party to complete the survey on our behalf.

How long we keep it

For information about how long we hold personal data, see our retention schedule.

If you agree to participate in the customer experience survey, ICS will keep your survey response for 30 days from the survey closes. They will keep your name and email address for 9 months from the survey expiry date.

What are your rights?

We process personal data contained in fee payments and send you information about our guidance or events, in our capacity as a regulator, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

If you need to change the details we hold please contact us.

If you prefer not to receive information about guidance or events to help you comply with the legislation we oversee, please email [email protected] with your registration reference number, (eg Z5347709) and the name of your business, or your name if you are a sole trader and we’ll stop sending this information to you.

For more information on your rights, please see ‘Your rights as an individual’.

Do we use any data processors?

Yes. We use Global Payments to take card payments. For direct debit payments, we use a third party service provided by Data-8 to check that bank account and sort code information is correct, and the BACS service to process the payment.

We use external solicitors for the recovery of unpaid fees and penalties.

We use Corporate Document Services Ltd for our mailing where we are required to send correspondence by post.

We use Exela Technologies who provide a digital mailroom service for opening and scanning our post.

We use the Institute of Customer Service (ICS) as a data processor to run our customer satisfaction surveys.

We use PA Consulting for stakeholder research and engagement.