Suffolk County Council Trading Standards Privacy Notice

Suffolk Trading Standards is committed to protecting your personal data when you use our services.

General information

Suffolk Trading Standards is responsible for providing services to businesses, to ensure they understand their legal obligations and trade in a fair and safe manner. Our work includes licencing, prevention of fraudulent trading, detection and prosecution in line with our enforcement policy, and advice to businesses. On occasions we may need to collect and use personal data in order to fulfil these duties.

The processing of personal data is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), as amended by the Data (Use and Access) Act 2025 (DUAA), collectively referred to as data protection law.

This privacy notice explains how Suffolk Trading Standards uses information about you when you contact us or use our services, and how we protect your privacy.

Suffolk County Council is the controller for the personal information that is being processed. If you have a question about the ways in which Trading Standards are collecting or using your personal data, please contact:

Marc Titford, Principal Trading Standards Officer:

marc.titford@suffolk.gov.uk

Contact details for the council’s Data Protection Officer and Compliance Manager can be found in the council’s corporate privacy notice, which is available on the council’s website.

What is personal data?

Personal data includes information about you, which can be used to identify you as an individual. Examples include:

  • Your name
  • Your date of birth
  • Your contact details
  • Your image

Special category data is the most sensitive type of personal data and includes:

  • Information about your health or any social care services that you may use
  • Information that could identify your racial or ethnic origins
  • Information that could identify your political beliefs
  • Information that could identify your religious or philosophical beliefs
  • Information that could identify your trade union membership
  • Genetic data
  • Biometric data (where used to identify you, e.g. use of fingerprints to access online services)
  • Information about your sex life, or sexual orientation

The types of personal data that we process and where it comes from

The personal data that we collect includes:

  • Date of birth/age and place of birth
  • Gender and marital status
  • Children
  • Contact details and preferred contact method
  • National Insurance Number and other identifiers
  • Job/profession and other information about qualifications, employment history and current employment
  • Photographs, audio and video records
  • Income and other financial information
  • Services or products provided to individuals and information about the services or products
  • Devices and technology used
  • Passport and information contained in other documents
  • Information from the Electoral Register
  • Social relationships and emergency contacts
  • Personal and social history.

The special category data that we collect includes:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic and bio-metric data
  • Sexual orientation
  • Health including disabilities.

We also collect information concerning criminal convictions and offences.

As well as information that you provide to us, we collect information from:

  • Other members of the public
  • Citizens Advice Consumer Helpline (CitA)
  • Police
  • Other enforcers or regulators, including HMRC, Health and Safety Executive
  • Other businesses or employers
  • Judicial agencies – courts, bailiffs, lawyers and the Crown Prosecution Service
  • Government Departments/agencies including Food Standards Agency
  • Other local authorities, including Trading Standards Services
  • Voluntary organisations and charities
  • Witnesses, including expert witnesses
  • Trade and/or sector associations

Why do we process your personal data?

Suffolk Trading Standards deliver services, regulate, or contribute in some way to a number of priority areas including, but not limited to the following:

  • Animal health and welfare, contingency planning and disease prevention and control
  • Business advice
  • Implementation of No Cold Calling Zones
  • Food authenticity, composition and safety
  • Feed safety and hygiene
  • Licensing - petroleum, explosives and performing animals
  • Product safety including electrical goods, toys and cosmetics with a focus on control at point of entry into the UK
  • Safety of sports grounds
  • Fair trading including doorstep crime; consumer and business mass marketing scams; pricing; distance selling and misleading offers

Information is used to receive and investigate consumer complaints, and to monitor, research, analyse and report intelligence requirements.

We respond to service requests from businesses and individuals to facilitate enforcement of consumer protection legislation and prevent unfair trading, and to ensure service delivery, planning and improvement.

We may also use information in other ways compatible with the above purposes to enable us to deliver Trading Standards services to the residents of Suffolk.

Our legal basis for processing your information

Personal data

Under data protection law, Suffolk Trading Standards can only process your personal data if it is lawful to do so. Please see the details below of the lawful bases that we rely on for processing different types of personal data.

For processing personal data, we rely on the following lawful basis:

  • UK GDPR Article 6(1)(e) – where processing is necessary for us to perform a task which is in the public interest (public task). A list of the different pieces of legislation that govern Trading Standards functions can be accessed on our website here: Legislation Enforced List

Special category data

When we process special category data, we rely on the following additional lawful bases:

  • UK GDPR Article 9(2)(f) – where processing is necessary to establish, carry out or defend legal claims
  • UK GDPR Article 9(2)(g) – where processing is necessary for reasons of substantial public interest, specifically:
  • for statutory and government purposes (Schedule 1, Part 2, section 6, DPA 2018)
  • for preventing or detecting unlawful acts (Schedule 1, Part 2, section 10, DPA 2018)
  • to protect the public against dishonesty (Schedule 1, Part 2, section 11, DPA 2018)
  • for preventing fraud (Schedule 1, Part 2, section 14, DPA 2018)
  • for the safeguarding of children and of individuals at risk (Schedule 1, Part 2, section 18, DPA 2018)

Criminal offence data – general processing

Suffolk Trading Standards also processes criminal offence data which may include:

  • Information about any criminal record or criminal history
  • Allegations of criminal behaviour, including unproven allegations
  • Absences of convictions, for example the results of DBS checks, or Police National Computer checks
  • Personal data of victims and/or witnesses
  • Personal data about criminal penalties that may have been awarded

In addition to the lawful bases that we have identified under “Personal data” above, we process criminal offence data under the following condition(s) of Schedule 1 of the DPA 2018:

  • where processing is necessary for statutory and government purposes (Schedule 1, Part 2, section 6, DPA 2018)
  • where processing is necessary for preventing and detecting unlawful acts (Schedule 1, Part 2, section 10, DPA 2018)
  • where processing is necessary for protecting the public against dishonesty (Schedule 1, Part 2, section 11, DPA 2018)
  • where processing is necessary for preventing fraud (Schedule 1, Part 2, section 14, DPA 2018)
  • where processing is necessary for legal claims (Schedule 1, Part 3, section 33, DPA 2018)

Law enforcement purposes

Suffolk Trading Standards is a competent authority for the purposes of Part 3 of the DPA 2018, and we process personal data so that we can prevent, investigate, and prosecute criminal activities, or exercise criminal penalties

This means that we can process personal data for law enforcement purposes when there is a basis in law for personal data to be processed and:

  • When you have provided your consent for us to process your personal data for law enforcement purposes; OR
  • When processing is necessary to enable us to perform a task that is being carried out for law enforcement purposes

In addition to the above, we undertake sensitive processing for law enforcement purposes when:

  • We have consent from you to process your personal data in this way; OR
  • When processing is strictly necessary and cannot be achieved in any other way and meets the following conditions from Schedule 8 of the DPA 2018:
  • Where processing is necessary for statutory purposes (Schedule 8, section 1, DPA 2018)
  • Where processing is necessary for the administration of justice (Schedule 8, section 2, DPA 2018)
  • Where processing is necessary to establish, carry out or defend legal claims (Schedule 8, section 6, DPA 2018)
  • Where processing is necessary to prevent fraud (Schedule 8, section 8, DPA 2018)

Sharing your information

We share your personal information with:

  • Your family – in respect incidents of doorstep crime when we might need to identify support
  • Other residents in your area – in respect of No Cold Calling Zones
  • Other enforcers or regulators, including HMRC, Health and Safety Executive
  • Other local authorities outside of Suffolk, including Trading Standards Services
  • Other local authority departments within Suffolk
  • Government Departments/agencies – Department for Environment, Food & Rural Affairs, Department for Business, Energy & Industrial Strategy, Food Standards Agency
  • Police
  • Judicial agencies – courts, bailiffs, lawyers and the Crown Prosecution Service
  • Voluntary organisations and charities
  • Witnesses, including expert witnesses
  • Other businesses

Any information which is shared will be shared securely, with appropriate individuals, and only the minimum information needed will be shared.

Whether we intend to transfer your information to another country

We do not transfer any personal data to any countries or international organisations outside of the EU, the EEA (European Economic Area), or any other country that does not have an equivalent level of data protection to the UK.

How long we keep your information

Suffolk Trading Standards keeps personal data for as long as we need it to fulfil the purpose that it was collected for, and in line with any statutory or locally determined retention periods.

Your information is securely stored electronically on the County Council’s network. Information is also securely stored in other mediums, including email accounts, in paper files and our intelligence database.

We will stop using your data after 7 years from the conclusion of the matter for which it was collected or, where is it necessary and permitted for a longer specified period, in accordance with our retention policy.

Your data will be securely and permanently deleted one year after we stop using it.

Automated decision making

Suffolk Trading Standards does not use automated decision-making processes and/or profiling in respect of your information.

Your rights under data protection law

Under data protection law, you have the right to request access to the information

that we hold about you. If you would like to make a request to access your personal

information, please contact data.protection@suffolk.gov.uk.

You also have other rights regarding your personal data. You can find out more information about these rights by looking at the council’s corporate privacy notice.

Your right to independent advice

If you would like independent advice on this privacy notice or other matters about how Suffolk County Council processes your personal information, including complaints, you can contact the Information Commissioner's Office at:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113

Email: casework@ico.org.uk