Contents

1 - Introduction	9 - How we protect your personal data
2 - About us	10 - How long will we keep your personal data?
3 - The legal basis for using your personal data	11 - Who do we share your personal data with?
4 - When do we collect your personal data?	12- Processors and Data Transfers
5 - What sort of personal data do we collect?	13 - Your rights over your personal data
6 - How and Why Do We Use Your Personal Data	14 - How  to exercise your rights
7 - Indirect data gathering	15 -  Automated Decision making
8 - Consumer complaints	16 - Last updated

 

1 - Introduction

This Privacy Notice sets out the types of personal data we collect, how we use that information, and the measures we take to keep it safe, in accordance with the UK GDPR, GDPR and relevant and applicable Data Protection Legislation. It applies to the processing of personal data across our public-facing activities, including technician registration services, accredited training centres, trade association memberships, consumer complaint handling, and interactions involving technicians affiliated with OFTEC, as well as other engagements with OFTEC in the UK and Republic of Ireland.

If you are an employee or job applicant, please contact dataprivacy@oftec.org to request a copy of our employee privacy notice.

We may update this Privacy Notice periodically, and we encourage you to check for updates regularly. 

2 - About us 

OFTEC is the trading name for OFTEC Limited, a not-for-profit company registered in the UK and Republic of Ireland (registration number 2739706).

OFTEC is registered with the ICO under reference number ZA235152.

Throughout this notice OFTEC may also be referred to as 'we' or 'us'.

We are the Data Controller for the information we process and operate the following services/divisions:

• Registration Services: Administering a register for technicians working with liquid fuel, solid fuel, heat pumps, and other technologies.
• Trade Association: Representing manufacturers, fuel storage providers, and training organisations.
• Accredited Training Centres: Working with approved training providers to deliver certification schemes and ongoing professional development.
• OFTEC Direct: Retailing tools, technical publications, and consumables for technicians.

3 - The legal basis for using your personal data

In line with UK GDPR/GDPR, we process your personal data under the following lawful bases:

• Contract: To provide services you have requested, such as registration schemes, training, or trade membership.
• Legitimate Interests: To communicate essential updates, reminders, and technical notices, or to monitor professional competence.
• Consent: For marketing activities or optional services (e.g., newsletters, competitions, or feedback surveys).
• Legal Obligation: To comply with regulatory or law enforcement requirements, such as fraud prevention.

We may also process personal data under other lawful bases available under Article 6 of the UK GDPR or GDPR, where applicable.

4 - When do we collect personal data?

We collect your personal data in a variety of circumstances, and usually directly from you, including:

• When you apply for registration or membership.
• When you enrol in a training course via an accredited training centre.
• When you purchase products or services.
• When you make an enquiry or complaint.
• Through surveys, competitions, or events.
• Via cookies or account creation on our websites.
• When you engage with us, whether we are delivering a service/product to you, or you are delivering a service/product to us.

5 - What sort of personal data do we collect?

The type of data we collect depends on the activity. Examples include:

• Registrants: Name, address, email, phone number, qualifications, photographic ID, and payment details.
• Training Participants: Details of your attendance, certification, results, and any correspondence related to training.
• Trade Members: Business name, personnel details, contact information, and payment details.
• General Enquiries: Contact details and enquiry specifics.
• Consumers: Contact information and details about your complaint/query
• Service Providers: Name, business name, contact details

6 - How and Why Do We Use Your Personal Data?

We use your personal data for the following purposes:

• To process applications for registration or trade membership.
• To maintain your training records and certifications.
• To issue identity cards, certificates, and technical updates.
• To fulfil orders for products or services.
• To send regulatory or safety communications.
• To assess and verify professional competence through surveillance or inspections.
• To comply with legal obligations, such as fraud prevention or responding to law enforcement requests.
• To manage and respond to enquiries, complaints, or feedback.
• To manage event attendance or participation in training courses, conferences, or meetings.
• To maintain and update our records to ensure they remain accurate and relevant.
• To carry out internal audits, quality assurance, and governance checks.
• To conduct research or analysis to improve our services, systems, or communications.
• To promote awareness of industry standards or OFTEC initiatives.
• To manage relationships with accredited training centres and ensure compliance with OFTEC’s standards.
• To provide evidence of compliance or competence to third parties, where required (e.g. insurers, regulators, or consumers).

7 - Indirect Data gathering 

We may process data provided indirectly, such as:

• Property details included in technical reports.
• Training submissions or certifications from accredited training centres.
• Details submitted by consumers or third parties during complaint investigations or inspections.
• Information supplied by your employer.

When data is provided by your employer, we rely on the employer to ensure that:

• They have obtained any necessary permissions or informed you about the data sharing.
• They have a valid legal basis for sharing your data with OFTEC.

If you have concerns about how your data has been shared with us, please contact us.

.

8 - Consumer complaints

How OFTEC Processes and Shares Complaint Data

OFTEC processes complaint-related personal data under Legitimate Interests (Article 6(1)(f) UK GDPR) to investigate technical compliance issues, resolve disputes, and uphold industry standards.

Legitimate Interests for Processing Complaint Data

OFTEC processes personal data related to complaints under Legitimate Interests (Article 6(1)(f) UK GDPR). The legitimate interests we rely on include:

✔ Ensuring Technical and Safety Compliance – Investigating complaints to determine whether work carried out by OFTEC-registered technicians meets industry regulations, safety standards, and technical requirements.

✔ Maintaining Industry Standards – Ensuring that OFTEC-registered technicians uphold the standards expected of them, addressing non-compliance, and taking corrective action where necessary.

✔ Facilitating Fair Complaint Resolution – Allowing consumers to raise concerns, ensuring registered technicians have an opportunity to respond, and working towards an impartial resolution.

✔ Protecting Consumer Interests and Safety – Identifying and addressing cases where unsafe or substandard work has been carried out, ensuring consumers receive guidance on possible next steps.

✔ Preventing Fraud and Misuse of Registration – Ensuring that complaints and disputes are handled fairly and that registration with OFTEC is not misused by businesses or individuals failing to comply with required standards.

We carefully balance our legitimate interests against your rights and freedoms, ensuring that:

• Only necessary and relevant personal data is processed.
• Complaint-related data sharing is proportionate and only with relevant parties.
• Consumers are informed of how their data is processed and their rights.

We complete legitimate interest assessments where we rely on it as a legal basis.

Why We Share Complaint Information

Necessary for Compliance Investigations – To determine whether work meets regulatory and safety standards, we may need to share relevant details with the registered technician or business involved in the complaint.

Expected as Part of Registration – OFTEC-registered technicians and businesses are contractually obligated to engage in complaint investigations as part of their registration terms.

Proportionate and Limited Data Sharing – We only share essential complaint details, ensuring that no excessive or unrelated personal data is disclosed.

Sharing with Third Parties – In certain cases, complaint-related information may be shared with relevant regulatory bodies, insurers, or other dispute resolution organisations (e.g., Trading Standards) where this is necessary to progress the complaint.

Opt-Out of Data Sharing

If you have concerns about your personal data being shared and would prefer that we do not share certain details with technicians or third parties, you may contact us to discuss your preferences.

However, please note:

• If data sharing is essential to progressing your complaint, we may be unable to proceed with an investigation.
• We will assess requests on a case-by-case basis to determine whether adjustments can be made while still fulfilling our complaint-handling obligations.

To discuss your concerns, please contact compliance@oftec.org as soon as possible. 

9 - How we protect your personal data

We treat your data with the utmost care, implementing industry-standard security measures:

• Secure databases hosted in protected environments.
• HTTPS protocols for website transactions.
• Access controls for sensitive information.

·         Implementation of two-factor authentication (2FA) to enhance account security and verify user identity..

10 - How long will we keep your personal data?

We only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including compliance with legal, regulatory, or contractual obligations.

Retention periods may vary depending on the nature of the data and the reason for processing it.

We review our retention practices periodically to ensure they remain aligned with current laws, regulations, and business needs.

You can request a copy of our retention schedule by emailing us.

11 - Who do we share your personal data with?

To deliver the services you request, we may share your personal data with:

• Accredited Training Centres: To facilitate training and certification.
• IT Providers: To support digital services.
• Payment Processors: To handle transactions securely.
• Publishers: To deliver communications like newsletters.
• Regulatory Bodies: For compliance or audits.
• Public Authorities: To process applications, verify eligibility, or report on the use of public funds tied to training initiatives. To comply with legal requirements, such as reporting to tax authorities or regulators overseeing training schemes. To respond to lawful requests from law enforcement agencies as required under applicable laws.
• Technicians: To resolve your complaint.

We may offer you the option to hear from selected third parties about products or services that may be relevant to your role or industry.

We will only do this in specific circumstances having first gained your consent.  For example, if you tick a box on your application form to grant consent to be contacted from organisations offering services related to your profession, these are currently our preferred partners offering OFTEC registered business additional services as follows:

• Trade Direct Insurance Services
• Fleetmaxx Solutions (suppliers of fuel cards)
• Which? Trusted Traders (log in to view)

You can change your preferences or withdraw your consent at any time by contacting us.

Where data is routinely shared with independent controllers, we put appropriate Data Sharing Agreements in place.

12 - Processors and Data Transfers 

We work with third-party processors who act under contractual agreements to ensure your data is handled securely and in compliance with our instructions. Processors can include software, individuals, or organisations that process personal data on our behalf. For example, this may involve IT service providers managing our systems, payment processors handling transactions, or external providers supporting certification and training processes.

We do not transfer data outside the EEA without safeguards such as Standard Contractual Clauses.

13 - Your rights over your personal data 

Under the UK GDPR and GDPR, you have specific rights in relation to the personal data we process about you. However, these rights are not absolute and may be subject to certain exemptions or limitations depending on the legal basis for processing your data and other factors.

Right to Access

You have the right to request a copy of the personal data we hold about you. This is sometimes referred to as a Subject Access Request (SAR).

Exemptions: Access may be restricted if it would infringe on another person's rights (e.g., confidentiality or intellectual property rights).

 

Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data we hold about you.

You can ask us to delete your personal data in certain circumstances, such as whenThe data is no longer needed for the purpose it was collected.You withdraw your consent (where consent was the legal basis for processing).You object to the processing, and we have no overriding legitimate interest to continue.Exemptions: This right does not apply where data must be retained to comply with a legal obligation or for the establishment, exercise, or defence of legal claims.

Right to Restrict Processing 

You can request that we restrict the processing of your data in certain situations, such as if you contest the accuracy of the data or object to its processing.

Impact: Restriction means we may store your data but not actively process it until the issue is resolved.

Right to Object 

You can object to processing based on legitimate interests or for direct marketing purposes.

Exemptions: We may continue processing your data if we have compelling legitimate grounds that override your objection, or if the data is needed for legal claims.

Right to Data Portability 

You can request that your data be provided to you in a structured, commonly used, and machine-readable format, or that it be transferred directly to another organisation where feasible.

Conditions: This right applies only to data processed by automated means based on consent or a contract.

Right to Withdraw Consent

If you have provided consent for the processing of your data, you have the right to withdraw that consent at any time.

Limitations: This right applies only where consent is the legal basis for processing. Withdrawal does not affect the lawfulness of processing carried out before the consent was withdrawn.

Right to Lodge a Complaint

If you believe your rights have been violated or your data has been processed unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). Their contact details can be found here Make a complaint about how an organisation has used your personal information | ICO

14 - How to Exercise Your Rights 

To exercise any of your rights, please contact our Data Protection Coordinator:

Email: dataprivacy@oftec.org

Address: 25 Riduna Park, Station Road, Melton, Woodbridge, Suffolk IP5 1QT

We will respond to your request within one month, unless the complexity of the request or volume of requests requires an extension.

15 - Automated Decision-Making 

We do not currently engage in any automated decision-making that produces legal or significant effects.

16 - Updates 

This Privacy Notice was updated April 2025.