GCA privacy notice
Updated 18 May 2023
This privacy notice sets out details about the way the Groceries Code Adjudicator (GCA) processes personal data collected from and about you and how your information may be used in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
1. Who is the GCA
The GCA is a public authority. The GCA is a Crown Appointee and Corporation Sole and is operationally independent of Government. The sponsor department of the GCA is the Department for Business, Energy and Industrial Strategy (BEIS). The GCA was created by the Groceries Code Adjudicator Act 2013, which came into force on 25 June 2013.
The GCA is the independent regulator for the groceries sector, ensuring that the designated retailers treat their direct suppliers lawfully and fairly. Mark White is the current GCA and is responsible for monitoring and ensuring compliance with and enforcing the Groceries Supply Code of Practice (the Code).
The Code covers retailers in the United Kingdom (UK) with an annual turnover of more than £1 billion with respect to the retail supply of Groceries in the UK, and which are designated in writing as a Designated Retailer by the Competition and Markets Authority (CMA). The CMA carries out an annual review of retailers to determine whether any additional retailers should be designated.
2. Responsibilities
The GCA has adopted a modern regulatory approach, working collaboratively with the designated retailers to respond to issues raised by suppliers and others and bring about beneficial change in sector. The GCA can launch investigations if he has reasonable grounds to suspect that one or more designated retailers have broken the Code. The GCA can also arbitrate in disputes between suppliers and designated retailers. The GCA may receive information about designated retailers and retailers which have the potential to be designated (collectively ‘Retailers’).
3. Purpose of processing
There are a limited number of reasons why the GCA would obtain your personal data. These reasons are set out below together with the legal basis for processing in each case.
3.1 The GCA website
The GCA website is part of GOV.UK, which is provided by Government Digital Service, part of the Cabinet Office. The privacy notice for GOV.UK is available here.
3.2 Stakeholder engagement
There are some instances when people will contact the GCA. These will generally be in connection with the GCA’s regulatory work.
When you contact the GCA, personal information will be collected to allow the enquiry to be dealt with. This may include:
-
your name
-
email address/correspondence address
-
details of the matter raised
All information received is dealt with on a confidential basis and the GCA has a legal duty to keep confidential the identity of those providing him with information about Retailer behaviour. The GCA makes use of IT services provided by BEIS. BEIS does not have access to GCA data.
The EQS Group is the data processor for the whistleblowing platform Tell the GCA. EQS’ privacy policy can be accessed here.
Use of your personal data
The lawful basis for collecting and using your personal data will depend on the specific context in which it is collected. Where you have contacted the GCA, the lawful basis relied on is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the GCA.
The GCA will use the personal data you have provided to handle the issue raised by your correspondence. The GCA may contact you to clarify and respond to your correspondence.
Disclosure of your personal data
The GCA will not disclose your personal data to a third party without your consent.
Newsletter and events subscription
When you subscribe to the GCA’s newsletter service or ask to be notified of events the following information may be collected:
-
your name
-
email address
-
subscription preferences
-
type of contact, i.e. if you are a supplier/Retailer/private sector
-
the name of the business you work for
-
telephone number
-
dietary requirements
The GCA appointed GetResponse as data processor to handle information collected for newsletter subscriptions. GetResponse’s privacy policy is available here.
The GCA may also use the third-party provider Microsoft Forms to create forms for event registrations. Microsoft’s privacy statement is available here.
When you subscribe to the GCA mailing list or sign-up to an event the GCA will notify you about what information is being collected and the intended uses. The GCA will also make clear what information is required and what is optional.
In order to carry out the GCA’s functions, it is necessary for the GCA to maintain lists of relevant stakeholders and/or contacts with whom communication may be required. The GCA will make clear to these contacts that they can request to be removed from these lists.
All email lists are managed in-house using the GCA IT system, which is provided by BEIS.
Use of your personal data
The lawful basis for collecting and using your personal data will depend on the specific context in which the GCA collects it. Where you have signed up to receive any GCA email alerts or to subscribe to bulletins through the GCA’s website, the lawful basis of consent is relied upon.
Where your personal information is contained in a list of contacts, the GCA is relying upon the lawful basis that processing is necessary for the performance of a task carried out in the exercise of an official function of the GCA.
Responding to consultations/research
The GCA occasionally carries out consultations/research to find out sector views on Code-related issues. When conducting a consultation or research the GCA may collect the following information:
-
your name
-
email address
-
job role
-
name of the business you work for
-
type of contact, i.e. if you are a supplier/Retailer/private sector
-
your views on Code-related issues.
When the GCA collects your data, it will notify you about what information is being collected and the intended uses.
Use of your personal data
The lawful basis for collecting and using your personal data will depend on the specific context in which the GCA collects it. Where you have agreed to respond to a GCA consultation/research, the lawful basis of consent is relied upon.
The GCA will use the personal data you have provided for consultation/research purposes only. The GCA may contact you in order to obtain further information.
Disclosure and security of your personal data
The GCA may publish consultation responses/research findings. All information received is dealt with on a confidential basis and the GCA has a legal duty to keep confidential the identity of those providing him with information about Retailer behaviour. The GCA will not publish your personal data in an identifiable form without your consent.
While most research is handled in-house using GCA systems, sometimes third-party research agencies are used. Where the GCA uses third-party research agencies, information in relation to the third party and its privacy notice will be provided to you when you provide your personal data.
3.3 Regulatory activity
When carrying out regulatory activity the GCA may collect personal data which may consist of the following:
-
your name
-
email address/correspondence address
-
date of birth
-
details of employment and job role
-
details of your involvement in Code-related issues.
Use of your personal data
The lawful basis for collecting and using your personal data will depend on the specific context in which it is collected. Where you or a third party have provided the GCA with your personal data in relation to GCA regulatory activity, the GCA is relying upon the lawful basis that:
-
you have consented to the processing for GCA regulatory activity; or
-
the processing is necessary for the performance of a task carried out by the GCA for its regulatory activity.
In relation to any sensitive personal data, the GCA is relying upon the lawful basis that:
-
you have consented to the processing for GCA regulatory activity; or
-
the processing is strictly necessary for the regulatory activity and is necessary for the exercise of a function conferred on the GCA by an enactment or rule of law and is necessary for the reasons of substantial public interest.
The GCA has in place a GDPR policy which sets out how the GCA complies with GDPR and data protection principles.
The GCA will handle the personal data you have provided, or the GCA has collected, in connection with the regulatory purposes only. The GCA may contact you in order to obtain further information in relation to the regulatory activity.
Disclosure of your personal data
All information received is dealt with on a confidential basis and the GCA has a legal duty to keep confidential the identity of those providing him with information about Retailer behaviour. However, your data may be provided under appropriate safeguards to third parties engaged by the GCA to assist with regulatory functions.
3.4 Recruitment/procurement
When carrying out recruitment the GCA uses Civil Service Jobs. Civil Service Jobs’ privacy statement is here.
Procurement activity is primarily undertaken by making use of the services of Crown Commercial Services or UK SBS. Crown Commercial Services’ privacy policy is here and UK SBS’s privacy notice is here.
As part of these processes, it may be necessary for the GCA to obtain your personal data. This may include:
-
your name
-
email address/correspondence address
-
date of birth
-
details of current/previous employment and job role
-
details of current pay
-
details of referees
-
details of qualifications and educational establishments attended
-
this may consist of special categories of personal data such as your racial/ethnic origin and disability information
Use of your personal data
The lawful basis for collecting and using your personal data will depend on the specific context in which the GCA collects it. Where you have applied for a job vacancy or participated in procurement activity the GCA is relying on the lawful basis of consent and legitimate interest, namely the recruitment of employees and fair procurement of services.
The information you provide during the recruitment/procurement process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
The GCA will use the contact details you provide to contact you to progress your application. Other information provided will be used to assess your suitability for the role for which you have applied.
Disclosure of your personal data
The information you provide in relation to recruitment or procurement activity will not be made available to any staff outside the immediate team(s) dealing with it.
Disclosure of your information
It may be necessary for the GCA to disclose your personal data to third parties when permitted to do so. The GCA will only disclose your personal data to a third party for the following reasons:
- with your consent
- for specific reasons set out in this notice
- if the GCA has a lawful basis for doing so
- if the GCA is under a duty to disclose or share your personal data in order to comply with any legal obligation
Where you have consented to the use of your personal data, this consent can be withdrawn at any time. Any withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
4. Your rights
You have rights as an individual which you can exercise in relation to the information the GCA holds about you. You can exercise these rights either verbally, by email or by post to the address below.
In particular you have the following rights:
-
right to access your personal data (also known as a subject access request)
-
right to rectification or erasure of your personal data
-
right to the restriction of processing concerning your personal data
-
right to object to the processing of your personal data
-
right to data portability
More information on your individual rights can be found on the Information Commissioner’s Office’s (ICO) website.
5. Storage and retention of your personal data
The GCA has in place a records management policy which ensures retention periods are appropriate to the types of data collected. At the end of the relevant retention period your personal data will be disposed of securely.
If you have subscribed to an email alert or subscription service, the GCA will keep your personal data for as long as you are subscribed to that service. If you make a request to be removed from this service, then your personal data will be deleted.
6. How we protect your data and keep it secure
We are committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your data.
We also make sure that any third parties that we deal with keep all personal data they process on our behalf secure.
7. Our commitment to you
The GCA will provide the information you request in relation to any of the above rights without undue delay and, in any event, within one month of receipt of the request.
Where requests are complex or numerous, the GCA can extend this by a further two months. If an extension is required the GCA will inform you, within one month of receipt of your request, of the extension and the reasons why it is necessary. If requests are manifestly unfounded or excessive, in particular because they are repetitive, the GCA may:
-
charge a reasonable fee taking into account the administrative costs of providing the information; or
-
refuse to respond
When this occurs, the GCA will provide you with an explanation of the manifestly unfounded or excessive character of the request.
Where the GCA refuses to respond, wholly or in part, the GCA will explain to you why your request has been refused without delay and at the latest within one month of receipt of your request.
Where the GCA has refused to respond, you have the right to complain to the ICO and to seek a judicial remedy.
Where the GCA has reasonable doubts concerning your identity, additional information may be necessary to confirm your identity.
There may be instances where the GCA can rely upon an exemption and/or refuse, wholly or in part, your request. In these instances, the GCA will explain to you the reasons for the decision and your right to make a complaint.
8. Changes to this privacy notice
The GCA keeps this privacy notice under regular review. This privacy notice was last published in May 2023.
9. Data Protection Officer
To contact the GCA data protection officer about this privacy notice or any other GDPR or data protection queries you can email Enquiries@GroceriesCode.gov.uk or write to:
Data Protection Officer
Groceries Code Adjudicator
7th Floor
25 Cabot Square
Canary Wharf
London
E14 4QZ
10. Complaints or queries
The GCA aims to meet the highest standards when collecting and using personal information. The GCA encourages people to say if they think that the way the GCA collects or uses information is unfair, misleading or inappropriate.
This privacy notice does not provide exhaustive detail of all aspects of the GCA’s collection and use of personal information. However, the GCA is happy to provide any additional information or explanation needed. Any requests for this should be sent to the address above.
The GCA asks that you address any initial complaints to the GCA, however if you are still dissatisfied then you have the right to lodge a complaint with the ICO.