Consumer Privacy Policy

Consumer Privacy Notice

1 Introduction 10 How long we keep your personal data
2 About us 11 Who we share your personal data with
3 The legal basis for using your personal data 12 Processors and data transfers
4 When we collect your personal data 13 Your rights
5 What personal data we collect 14 How to exercise your rights
6 How and why we use your personal data 15 Data protection complaints
7 Indirect data gathering 16 Automated decisions making
8 How we process and share complaint data 17 Updates
9 How we protect your personal data  

1

1 Introduction

This privacy notice explains how OFTEC collects, uses and protects personal data relating to consumers and members of the public who contact us with enquiries, concerns or complaints.

This notice applies to our public facing activities in the United Kingdom and Republic of Ireland. It does not apply to OFTEC registered technicians, businesses, training providers or certification scheme members, who are covered by separate privacy notices.

This notice is written in accordance with applicable data protection legislation including the UK GDPR, the EU GDPR and relevant data protection laws.

2 About us

OFTEC Limited is a not-for-profit company registered in the United Kingdom (company number 2739706). We provide services in both the UK and the Republic of Ireland.

We are registered with the Information Commissioner’s Office, who regulates Data Protection and Privacy Laws in the UK (ICO) under ZA235152 and act as the Data Controller.

OFTEC has voluntarily appointed a Data Protection Officer to oversee compliance with data protection law.

For any questions or concerns about how your personal data is handled, please contact OFTEC at dataprivacy@oftec.org . Correspondence will be directed appropriately, including to the Data Protection Officer where required.

3 The legal basis for using your personal data

We process your personal data under:

  • Legitimate interests – to investigate complaints, respond to enquiries including those submitted through our website or chatbot services, uphold industry standards, ensure safety and resolve disputes.
  • Contract – where you purchase a product, inspection or service directly from OFTEC, where available.
  • Legal obligation – where we must comply with regulatory, statutory or law enforcement requirements.

4 When we collect your personal data

We collect data directly from you when you:

  • submit a consumer complaint
  • submit a data protection complaint or rights request
  • make an enquiry by phone, email, through our website, via social media channels, or through messaging applications
  • complete an online form or contact us through social media
  • participate in surveys, competitions or events
  • interact with us about a registered technician or a service they have provided
  • provide information during a complaint investigation or follow-up
  • visit our website, including information collected through chatbots, cookies and analytics
  • request guidance or support related to technical or safety matters
  • correspond with us for any other reason, including providing feedback or requesting information
  • when you purchase products or services from us directly.·   

5 What personal data we collect

Depending on the nature of your enquiry or complaint, we may collect:

  • your name and contact details
  • details of your complaint or enquiry
  • property details relevant to the enquiry
  • correspondence exchanged with you
  • information supplied by third parties such as technicians or insurers
  • payment details and transaction information when you buy products or services
  • any other information you chose to provide us with.

We do not routinely collect special category data, such as health information, ethnic background, religious beliefs or other sensitive details. In limited situations, such as when this information is voluntarily or inadvertently provided during a complaint or investigation, we may process it if there is a legitimate need. When this happens, we rely on an appropriate Article 9 condition and apply additional safeguards to protect your information.

6 How and why we use your personal data

We use your data to:

  • investigate technical or safety complaints
  • contact you about your enquiry
  • ensure registered technicians meet required industry standards
  • process disputes between consumers and technicians
  • provide guidance on next steps
  • improve our services and maintain accurate records
  • meet regulatory or legal requirements.

Interactions with our chatbot or virtual assistant may be recorded and retained to help us respond to enquiries, improve our services and ensure appropriate use.

If you choose not to provide information needed for us to investigate your complaint or enquiry, we may be unable to progress the matter.

7 Indirect data gathering

We may receive information indirectly from:

  • registered technicians or their businesses
  • your insurer or another representative
  • Trading Standards or other regulators
  • technical reports or inspection findings.

We expect those who share data with us to ensure they have authority to do so.

8 How we process and share complaint data

We rely on Legitimate Interests (Article 6(1)(f) UK GDPR and EU GDPR) to process personal data relating to complaints. These interests include:

  • protecting consumers and ensuring their concerns are investigated
  • assessing whether work carried out by registered technicians meets required technical and safety standards
  • resolving disputes fairly
  • maintaining the integrity of the registration scheme.

When relying on Legitimate Interests, we consider how our processing affects you and ensure your rights and freedoms are not overridden. We carry out a Legitimate Interests Assessment to document this balance.

We may share relevant complaint information:

  • with the technician or business involved, so they have an opportunity to respond
  • with regulators, insurers or dispute resolution bodies where necessary
  • with law enforcement or public authorities where required by law.

We only share what is needed to progress the complaint or meet our obligations.

If you ask us not to share certain information, we will consider your request. However, if sharing that information is essential to investigating the complaint, we may not be able to continue with the complaint process.

9 How we protect your personal data

We use appropriate technical and organisational measures including:

  • secure, access-controlled systems
  • encrypted connections for online services
  • two-factor authentication for sensitive systems
  • regular security updates and monitoring
  • controls to ensure only authorised staff can access complaint information
  • regular staff training to ensure our team understand their responsibilities around privacy, data protection and information security
  • we operate largely paperless systems, and where paper records are used they are stored securely and disposed of safely.

We review our security measures regularly to ensure they remain appropriate for the level of risk.

10 How long we keep your personal data

We keep personal data only for as long as necessary for the purpose it was collected. Complaint information is kept for a longer period to meet regulatory, safety, audit and record-keeping requirements.
General enquiries are kept for a short period and deleted once the enquiry has been resolved, unless they form part of an ongoing matter.

You can request a copy of our retention schedule by emailing us.

11 Who we share your personal data with

We may share information with:

  • registered technicians or businesses where this is necessary to investigate and process a complaint
  • regulators, public authorities or law-enforcement bodies where we are required to do so
  • insurers or dispute resolution organisations involved in a case
  • authorised OFTEC staff, where access is necessary for their role
  • our consultants, where needed to ensure compliance with relevant laws
  • data processors, such as IT providers, secure storage services and communication service providers who process data on our behalf under contract
  • other data controllers, but only where this is necessary, lawful, and supported by an appropriate legal basis and justification
  • certification bodies involved in overseeing the installer or installation (for example, MCS), but only where this is necessary for complaint investigation or scheme governance.

We only share the minimum personal data required for the purpose.

Where we rely on consent for marketing communications, you may withdraw your consent at any time by opting out or contacting us.

12 Processors and data transfers

Some of our service providers may process personal data outside the United Kingdom or European Economic Area. Where this occurs, we ensure that risks are assessed and appropriate safeguards are in place in accordance with data protection law, such as adequacy regulations or approved Standard Contractual Clauses.

13 Your rights

You have several rights over your personal data, including:

  • Access – you can request a copy of the information we hold about you.
  • Rectification – you can ask us to correct inaccurate or incomplete information.
  • Erasure – in certain circumstances, you can ask us to delete your information.
  • Restriction – you can ask us to limit how we use your information in specific situations.
  • Objection – you can object to our use of your information where we rely on legitimate interests.
  • Data portability – you can ask to receive your information in a reusable format where this applies.
  • Withdraw consent – where we rely on your consent, you can withdraw it at any time.
  • Complain to the ICO – you can raise concerns with the Information Commissioner’s Office if you are unhappy with how we use your data.

Some rights may be limited depending on the circumstances, particularly where the information includes third-party data or where we must meet legal or regulatory obligations.

We take reasonable and proportionate steps to locate personal data when responding to access rights requests, in line with applicable data protection law.

14 How to exercise your rights

Contact: dataprivacy@oftec.org

Address: 25 Riduna Park, Station Road, Melton, Woodbridge, Suffolk IP5 1QT

We will action your rights request as soon as possible and in any case within one month, with the exception of more complex cases, where we may extend the response period by a further two months under UK GDPR / EU GDPR.

15 Data protection complaints

If you have concerns about how your personal data is used, please contact us first at dataprivacy@oftec.org so that we can review and try to resolve your concern.

We will acknowledge and respond to data protection complaints within 30 days. Where a matter is complex and requires additional time, we will keep you informed of progress. Your concern may be reviewed in consultation with our Data Protection Officer to ensure it is handled fairly and in line with data protection law.

If you are not satisfied with our response, you have the right to raise a concern with the Information Commissioner, the United Kingdom’s independent regulator for data protection and information rights.

Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website www.ico.org.uk

If you are located in the Republic of Ireland, you may also raise a concern with the Irish Data Protection Commission.

Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Website www.dataprotection.ie

16 Automated decisions making

We do not carry out automated decision-making that produces legal effects or similarly significant impacts on consumers or complainants.

We may use automated tools, including website chatbot or virtual assistant technology, to help respond to enquiries or direct requests to the appropriate team. These tools support our services but do not make decisions about individuals without human involvement.

17 Updates

Last updated 12th March 2026

Please wait ...