Corporate report

Transport sanctions privacy notice

Updated 19 November 2024

Department for Transport (DfT) is responsible for ensuring that transport sanctions are properly understood, implemented and enforced in the UK: this work is carried out within DfT by the Centre for Transport Sanctions. In carrying out these functions, DfT processes personal data, which makes DfT the controller.

This notice outlines how DfT uses personal data to ensure transport sanctions are understood, implemented and enforced in the UK. It also explains data subjects’ rights under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA).

Types of data we process

Personal data means any information relating to an identified or identifiable natural person. The types of personal data we process can include:

  • names
  • transport assets
  • contact details
  • nationality
  • citizenship
  • documentation that enables identity verification
  • occupation and/or employment details
  • gender
  • financial details

How we obtain personal data

Where a person has reasonable cause to suspect, that a person has committed an offence under aircraft sanctions regulations or shipping sanctions regulations or they have knowledge or cause for suspicion, they must report information to the Transport Secretary.

The Transport Secretary may also request a person to provide information if they believe that the person may be able to provide information in relation to a suspected or known offence under the aircraft sanctions regulations or shipping sanctions regulations.

If the person does not comply with this request they could be convicted of a criminal offence, punishable by fine or/and imprisonment.

Some of the personal data we process is provided to us directly by the data subjects, for example, for one of the following reasons:

  • when engaging with DfT to query a sanctions
  • applying for a licence to allow the movement of transport that would otherwise be prohibited

We also receive personal data about data subjects indirectly, for example for one of the following reasons:

  • through reporting obligations and information request powers outlined above
  • reporting to us that you have frozen transport assets belonging to a designated person
  • the Foreign, Commonwealth and Development Office (FCDO) may provide details of a designated person or transport assets for DfT to investigate
  • information may be provided by law enforcement agencies or government partners or identified for example, as part of an investigation into a suspected breach of transport sanctions

We will also collect data from open sources.

DfT will not invite or enable self-incrimination by persons reporting information.

Why we process personal data

DfT uses personal data in the performance of its public task to ensure transport sanctions are understood, implemented and enforced in the UK. This includes:

  • publicising the details of persons subject to civil monetary penalties to assist with the implementation of transport sanctions
  • maintaining details of transport sanctions breaches in the UK
  • investigating and taking enforcement action on suspected breaches of transport sanctions
  • assisting the public and other stakeholders who contact us with queries about transport sanctions

Processing personal data for civil enforcement purposes

The legal basis for the processing of personal data for civil enforcement purposes as set out in 3.0 will be under Article 6(1)(e) of UK General Data Protection Regulation (UK GDPR): the processing is necessary for the performance of the public task of imposing a civil monetary penalty on a person if the Transport Secretary is satisfied, on the balance of probabilities, that the person has breached a prohibition, or failed to comply with an obligation, imposed by or under sanctions regulations.

Data sharing

Sometimes, we may need to share personal data with third parties for law enforcement purposes and to assist them in delivering their statutory functions. When we do this, it is with due regard to our obligations under UK GDPR, including ensuring any disclosures are necessary and proportionate and the relevant safeguards are in place. This includes sharing data with:

  • law enforcement agencies (in the UK and overseas) to support the prevention of crime or for national security purposes
  • the Foreign, Commonwealth and Development Office (FCDO), other government departments, regulators and devolved administrations as necessary for them to deliver their statutory duties and public functions when enforcing UK sanctions
  • international partners on a limited basis when co-ordinating the enforcement of UK sanctions
  • other bodies or individuals where we are required to do so by law

In the event that personal data needs to be transferred to a country that is not covered by UK adequacy regulations, the transfer will only take place if it is both necessary and proportionate for important reasons of public interest recognised in UK law or necessary for the establishment, exercise or defence of a legal claim.

Data security

We have appropriate technical and security measures in place to protect the personal data we process; and we limit its access to employees, suppliers and third parties we choose to share it with for investigative purposes.

Retention period

Personal data connected to sanctions breaches of any kind may be retained by DfT for up to 5 years period before deletion. This data may be held longer than 5 years if there is a business need, but its ongoing retention will be subject to regular review.

Automated decision making

We do not engage in any automated decision making (including profiling) and the personal data we hold is securely destroyed when no longer needed.

Data protection rights and further information

Alongside this privacy notice for civil monetary penalties, DfT has set out information on your data protection rights, including your right of access and your right to lodge a complaint with the Information Commissioner’s Office. It also outlines how to contact the department’s Data Protection Officer and the standards you can expect when we ask for or hold your personal information.

See DfT’s personal information charter for more information.