The Official Controls Regulation 2020 privacy notice
Updated 30 September 2022
Applies to England, Scotland and Wales
Who collects your data
The data controller is the Department for Environment, Food and Rural Affairs (Defra). Contact Defra’s data protection manager at data.protection@defra.gov.uk.
If you have questions about how Defra is using your personal data and your associated rights, contact data.protection@defra.gov.uk.
The data protection officer responsible for monitoring how Defra is meeting the requirements of the legislation can be contacted at DefraGroupDataProtectionOfficer@defra.gov.uk.
What data we collect
If you are a sole trader or a partner of an unincorporated partnership, your personal data would likely be:
- the name of the sole trading business or partnership
- other information relating to your company
Section 5(1)(a) of The Official Controls (Plant Protection Products) Regulations 2020 requires that each operator notifies the competent authority (Defra) of the:
- name of the operator (the company name)
- activities carried out by the operator that relate to plant protection products (PPPs) and components being placed on the market and pesticides being sustainably used
- addresses where those activities are carried out
Operators must provide an email address and telephone number as part of their registration. In some cases, these might be personal data if they are the contact details of a specific individual or employee of the organisation.
Where we get your data from
Defra obtains personal data listed in the ‘Form’ sheet in the PPP registration forms submitted to Defra.
Why we need your data
The competent authorities in Great Britain (Secretary of State for England, Scottish Ministers for Scotland, Welsh Ministers for Wales) are required by the retained Regulation (EU) 2017/625 of the European Parliament and of the Council to draw up and keep an up-to-date list of operators that either place on the market or use professional PPPs and components in Great Britain.
Operators in Great Britain are also required by section 5 of The Official Controls (Plant Protection Products) Regulations 2020 to notify the competent authorities of their business activity in respect of PPPs and components being placed on the market and professionally used.
To fulfil the legal obligations, Defra is gathering information from operators on behalf of Scottish and Welsh governments. This includes:
- company names
- site addresses
- site contact details
Site contact details may include the contact details of an employee or agent who is authorised to act on behalf of each operator, in respect of the operator’s inclusion on the list.
The list of operators will be used by the Health and Safety Executive to select businesses for official controls according to Regulation (EU) 2017/625 and The Official Controls (Plant Protection Products) Regulations 2020.
Our legal basis for processing your data
There are 2 legal bases in data protection law for Defra’s use of personal data. These are:
- when the processing (use) of personal data is necessary to comply with a legal obligation that the controller (Defra) is subject to, under Article 6(1)(c) of the UK GDPR
- when the processing (use) of personal data is necessary in the exercise of official authority vested in the controller, under Article 6(1)(e) of the UK GDPR
Your legal obligation to provide your data
As an operator, you are required by law under section 5(1)(a) of The Official Controls (Plant Protection Products) Regulations 2020 to notify the competent authority (Defra) of the:
- name of the operator (ie the company name)
- activities carried out by the operator that relate to PPPs and components and the sustainable use of pesticides
- addresses where those activities are carried out
If you are a sole trader or partner of an unincorporated partnership, this would likely be your personal data. The law requires you to provide this information.
The Official Controls (Plant Protection Products) Regulations 2020 do not specifically include the contact details of the company sites. However, these details are reasonably required by Defra to:
- ensure that completed forms submitted by or on behalf of operators are genuine
- check and confirm the details provided by the company
What happens if you do not provide the data
If you are an operator and do not provide information about your company, you will not meet your legal obligation to notify the competent authority (Defra) under Regulation 5 of The Official Controls (Plant Protection Products) Regulations 2020.
Failure to provide data required is an offence which may lead to enforcement action being taken.
Defra is not specifically asking for personal data but instead requires contact details for company sites. These may include the personal data of an employee or agent authorised to act as a representative of the company. If an employee does not wish to provide their personal data for such purposes, the details of another person authorised to act as a representative of the company should be submitted.
Who your data will be shared with
Defra will share your personal data with The Health and Safety Executive (HSE) for the purposes of applying The Official Controls (Plant Protection Products) Regulations 2020.
Defra will also share data from operators that have sites in Scotland and Wales with Scottish and Welsh governments respectively. This is in accordance with Regulation 4 of The Official Controls (Plant Protection Products) Regulations 2020.
How we protect your data and keep it secure
We are committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your data. For example, we protect your data using varying levels of encryption.
We also make sure that any third parties that we deal with keep all the personal data they process on our behalf secure.
How long we keep your data for
We will keep data submitted through the PPP registration forms for as long as we need to maintain an up-to-date list of PPP operators. We are required to do this as a competent authority, under Article 10 of the retained Regulation (EU) 2017/625.
We will only delete data relating to a site or business after 2 years if we are notified, or become aware, that:
- a site has permanently closed
- the business has stopped trading for any reason
Your rights
Find out about your individual rights under data protection law.
Complaints
You have the right to make a complaint to the Information Commissioner’s Office at any time.
Defra’s personal information charter
Defra’s personal information charter explains more about your rights over your personal data.