Technician and Members Privacy Notice
1 Introduction
This Privacy Notice explains how we collect, use and protect personal data relating to technicians, registered businesses, scheme members and individuals who apply for, hold or renew OFTEC registration or otherwise interact with us in connection with our certification and registration schemes. It sets out the types of information we process, the purposes for using it and the rights available to you under data protection law.
We handle personal data in line with the UK General Data Protection Regulation, the Data Protection Act 2018 and other applicable legislation. Our services operate primarily in the United Kingdom, although some technicians and training centres may be based in the Republic of Ireland. Where this occurs, we apply the principles of EU GDPR to ensure that your data is handled lawfully, fairly and transparently.
We review this notice regularly and update it when our services or legal obligations change.
2 About us
OFTEC Limited is a not-for-profit company registered in the United Kingdom (company number 2739706). We provide services in both the UK and the Republic of Ireland.
We are registered with the Information Commissioner’s Office (ICO), which regulates data protection and privacy laws in the UK, under ZA235152, and we act as the Data Controller.
OFTEC has voluntarily appointed a Data Protection Officer to oversee compliance with data protection law.
For any questions or concerns about how your personal data is handled, please contact OFTEC at dataprivacy@oftec.org. Correspondence will be directed appropriately, including to the Data Protection Officer where required.
3 Legal basis for using your personal data
We process technician data under the following lawful bases:
Contract
To administer technician registration, renewals, identity cards, inspection and surveillance activities, and training-related requirements.
Legitimate Interests
To monitor technical competence, ensure compliance with scheme standards, maintain industry quality, provide essential updates, protect consumers, and manage governance and audit requirements.
Legal Obligation
Where we must comply with regulatory requirements, fraud prevention checks or requests from law enforcement or public authorities.
Consent
For optional activities such as marketing communications or partner offers.
We explain our legitimate interests further in Section 8.
4 When we collect your personal data
We collect personal data relating to technicians and scheme members when you:
- apply for initial registration
- submit documentation or evidence for renewal
- complete training or assessments through an accredited centre
- participate in inspections or surveillance activities
- respond to a complaint about your work
- purchase products or services from OFTEC
- communicate with us by phone, email, online forms or social media
- attend events, meetings or training
- provide information about employees within a registered business
- use our website, including data collected through cookies, analytics and chatbots
- act as the nominated contact, representative or account holder for a registered business or scheme membership.
We may also receive personal data from third parties, as explained in Section 7. In some cases, we may offer messaging services, such as WhatsApp, to allow technicians to contact our technical officers quickly for advice or support.
5 What personal data we collect
The personal data we collect about technicians or scheme members may include:
- identification information such as name, address, date of birth, contact details and photographic ID
- evidence of qualifications, certificates, assessment results and CPD records
- technical inspection findings, non-compliance records and follow-up actions
- registration details, renewal information and payment records
- job-related technical reports
- responses to complaints or enquiries
- business details for registered companies, including staff lists
- communications and correspondence
- IT and audit logs for access and system use, where relevant.
The extent of personal data processed may vary depending on an individual’s role within a registered business or scheme membership.
We do not routinely collect special category data, such as health information, ethnic background, religious beliefs or other sensitive details. In limited situations, such as when this information is voluntarily provided during a complaint, investigation or to support training or assessment needs, we may process it. When this happens, we rely on an appropriate Article 9 condition and apply additional safeguards to protect your information.
6 How and why we use your personal data
We use your personal data to:
- process applications and renewals for technician registration
- verify identity and confirm qualification status
- maintain accurate training and assessment records
- issue identity cards and registration documents
- carry out inspections, surveillance and technical audits
- monitor and assess competence and compliance
- respond to complaints or concerns involving your work
- provide essential safety, regulatory and scheme updates
- administer payments, billing and account management
- conduct internal quality assurance and governance reviews
- demonstrate compliance to regulators, insurers or accreditation bodies
- improve our services, systems and communications
- manage event attendance and training delivery
- maintain business records and meet reporting obligations
Interactions with our website chatbot or virtual assistant may be recorded and retained to help us respond to enquiries, provide support and improve our services.
If you choose not to provide information required for registration, renewal or compliance checks, we may be unable to complete your application or maintain your registration.
7 Indirect data gathering
We may receive information about you from:
- accredited training centres
- consumers who raise complaints about your work
- your employer or business
- regulators, insurers or dispute resolution bodies
- technical reports, inspections or audits carried out by approved assessors
- public records where identity verification is required.
We expect those who share data with us to have the authority to do so and a lawful basis for providing it.
8 Legitimate interests
When we rely on legitimate interests, these include:
- maintaining the accuracy and integrity of the registration scheme
- ensuring technicians meet technical and safety standards
- protecting consumers and upholding industry quality
- investigating non-compliance and resolving concerns
- providing scheme updates and essential regulatory information
- ensuring effective governance, audits and quality assurance.
We balance these interests against your rights and expectations, and we complete a Legitimate Interests Assessment to document this.
9 How we protect your personal data
We use appropriate technical and organisational measures to keep your data secure, including:
- secure, access-controlled systems
- encrypted connections for online services
- two-factor authentication for sensitive systems
- regular security updates and monitoring
- staff training on privacy, data protection and information security
- operating largely paperless systems, with any paper records stored securely and disposed of safely.
We review our security arrangements regularly.
10 How long we keep your personal data
We keep your personal data only for as long as necessary for registration, compliance, audit and record-keeping purposes. This includes retention required by regulators, accreditation bodies and legal limitation periods.
General enquiries are kept for a shorter period and deleted once completed unless part of an ongoing matter.
You may request a copy of our retention schedule by emailing us.
11 Who we share your personal data with
We may share your personal data with:
- consumers where necessary to respond to a complaint
- regulators, accreditation bodies and public authorities where required
- insurers or dispute resolution organisations involved in a case
- authorised OFTEC staff who need access to carry out their work
- our consultants where needed for compliance purposes or scheme activities
- data processors, such as IT providers, secure storage services and communication service providers
- other data controllers, but only where necessary, lawful and supported by an appropriate legal basis
- MCS (Microgeneration Certification Scheme), where necessary for scheme oversight, certification activities, compliance monitoring, or the investigation of complaints.
We only share the minimum personal data required for the purpose. We do not sell your personal data.
12 Processors and data transfers
Some of our service providers may process personal data outside the United Kingdom or European Economic Area. Where this occurs, we ensure that risks are assessed and appropriate safeguards are in place in accordance with data protection law, such as adequacy regulations or approved Standard Contractual Clauses.
13 Your rights
You have several rights over your personal data, including:
- Access – you can request a copy of the information we hold about you.
- Rectification – you can ask us to correct inaccurate or incomplete information.
- Erasure – in certain circumstances, you can ask us to delete your information.
- Restriction – you can ask us to limit how we use your information in specific situations.
- Objection – you can object to our use of your information where we rely on legitimate interests.
- Data portability – you can ask to receive your information in a reusable format where this applies.
- Withdraw consent – where we rely on your consent, you can withdraw it at any time.
- Complain to the ICO – you can raise concerns with the Information Commissioner’s Office if you are unhappy with how we use your data.
Some rights may be limited depending on the circumstances, particularly where the information includes third-party data or where we must meet legal or regulatory obligations.
We take reasonable and proportionate steps to locate personal data when responding to access rights requests, in line with applicable data protection law.
14 Automated profiling and decision-making
We may use automated profiling as part of our assessment of ongoing competence, compliance or eligibility for registration and renewal. This may include automated checks based on training records, inspection outcomes, complaints, insurance status or certification validity.
Profiling is used to support risk assessment, compliance monitoring and prioritisation of inspections or reviews.
Where an automated assessment contributes to a decision that may affect your registration, you have the right to:
- request human review
- express your point of view
- contest the outcome.
We do not make decisions solely by automated means that produce legal or significant effects without human oversight.
15 How to exercise your rights
Contact: dataprivacy@oftec.org
Address: 25 Riduna Park, Station Road, Melton, Woodbridge, Suffolk IP5 1QT
We will action your rights request as soon as possible and in any case within one month, with the exception of more complex cases, where we may extend the response period by a further two months under UK GDPR / EU GDPR.
16 Data protection complaints
If you have concerns about how your personal data is used, please contact us first at dataprivacy@oftec.org so that we can review and try to resolve your concern.
We will acknowledge and respond to data protection complaints within 30 days. Where a matter is complex and requires additional time, we will keep you informed of progress. Your concern may be reviewed in consultation with our Data Protection Officer to ensure it is handled fairly and in line with data protection law.
If you are not satisfied with our response, you have the right to raise a concern with the Information Commissioner, the United Kingdom’s independent regulator for data protection and information rights.
Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website www.ico.org.uk
If you are located in the Republic of Ireland, you may also raise a concern with the Irish Data Protection Commission.
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Website www.dataprotection.ie
17 Updates
This Privacy Notice was last updated on 12th March 2026.