Purpose and legal basis for processing

We collect personal data during the fee payment process so that we can contact you about your fee payment or about any other queries relating to your compliance with the legislation we oversee.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

This applies to all organisations or sole traders required to pay a data protection fee. 

What we need

If you are required to pay a fee, we need to take certain personal information from you during the course of the process. This includes the name and contact details of the person who is responsible for paying the fee and your Data Protection Officer (DPO) if you have one. We’ll also take payment information including account details if you are paying via direct debit.

Why we need it

We need contact information to send fee payment reminders and to raise any queries we may have about your payment. 

We may also contact you if we have a query outside the fee process about how your organisation processes personal data and we don’t have a separate contact point for such queries.

What we do with it

We include some of the information you provide in a register of fee payers, which we make publicly available on our website.

This will include the name and address of your organisation. As a controller, you are required to make an address available for data subjects to easily make contact with you in the event that they want to exercise their rights or ask you questions.

If you are a sole trader or small organisation we understand that the address you use in the course of your business might be a domestic address. If this is the case, and you do not want the address to be made public on the register of controllers, please provide a PO Box or alternative address instead. 

If you provide DPO details, we’ll publish their contact details. We’ll also ask if we can publish their name. If you select ‘yes’, their name will be published. We encourage you to be transparent about the identity of your DPO.

How long we keep it

For information about how long we hold personal data, see our retention schedule.

What are your rights?

We process personal data contained in fee payments in our capacity as a regulator, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. 

For more information on your rights, please see ‘Your rights as an individual’.

Do we use any data processors?

Yes – we use Barclaycard to take payments.