1 - Introduction
On 18th May 2018 the General Data Protection Regulations (GDPR) came into force. This Privacy Notice explains the types of personal data we may collect when you interact with us. It also explains how we'll store, handle and keep data safe.
We may need to update our Privacy Notice from time to time. We recommend that you check this notice for updates on a regularly basis.
As a business, we interact with a diverse range of customers, such as home owners or their agents, government agencies, local authorities, heating professionals, etc. For the purpose of this document 'registrants' means individuals who have contacted us about our registration schemes. 'Members' means individuals who have contacted us about our Trade Association activity.
Whether you are interacting with our websites or with us by telephone, post, email or text message, OFTEC is the 'Data Controller'.
OFTEC is registered with the ICO under reference number ZA235152.
2 - What is OFTEC
OFTEC is the trading name for the Oil Firing Technical Association Limited. We are a not-for-profit company registered in the UK and Republic of Ireland under registration number 2739706. Throughout this notice OFTEC may also be referred to as 'we' or 'us'.
OFTEC operates a number of divisions:
- Registration Services – administers a register for heating technicians working with liquid fuel, solid fuel, solar, biomass and heat pump installations. Plus, those undertaking Part P electrical work
- Trade Association – represents the interests of liquid fuelled appliance, fuel storage tank and associated equipment manufacturers, plus a number of education and competency assessment providers.
- OFTEC Direct – is a retail outlet offering tools, technical publications, equipment and consumables to registered technicians.
3 - The legal basis for using your personal data
Laws on data protection specify the different reasons that a company may collect and process your personal data. These are:
We can collect and process data that you have given your consent for us to use. For example, this might be if you have ticked a box to receive an email, a newsletter or when you have completed an application form to join our registration scheme or join our trade association or when you have supplied us with your data for the purposes of applying for a job.
If you wish to join the OFTEC registration scheme or trade association we need to collect and hold your personal data for the purposes of fulfilling our services to you. We will also need to share certain elements of this data with third parties for us to deliver the service that you have requested. For example, external producers of identity cards, certificates or publishers of the Oil Installer magazine.
There are occasions, such as when there is a suspicion of fraud or other criminal activity, where we may be required by law to collect and process your data and pass on your details to the authorities responsible for law enforcement.
The processing of data under vital interest is very narrow in its scope and is typically restricted to the processing of data in the event of a medical emergency when an individual is incapable of giving consent to data processing. OFTEC does not hold data of vital interest in relation to registration, trade association or OFTEC Direct activities.
The processing of data under public task is very narrow in its scope and is typically restricted to request from authorities conducting tasks that are in the public’s interest. OFTEC will only process data under public task if it can be demonstrated as being necessary.
If you are a registrant, we will use your qualifications and registration history to send you timely reminders about training and renewing your registration. We will also keep records of surveillance performed on aspects of your work in order to carry out on going risk assessments of your ability to work compliantly and contact you to send you information relating to your registration. For example, technician eNews, technical notices or the Oil Installer magazine.
If you are a trade association member, we will contact you with information relating to membership and membership services.
If you purchase a product through OFTEC Direct, we may contact you regarding warranty or other information relating to items that you have purchased.
4 - When do we collect personal data?
We may collect your personal data:
- when you make an application to join our registration schemes.
- when you make an application to join trade membership.
- when you enquire about or purchase goods through OFTEC Direct.
- when you contact us to make changes to your registration details.
- When you 'Notify' work through our registration scheme.
- if you contact us with a technical enquiry.
- When you apply for a job (after three months, unsuccessful applicant's data will be deleted)
- if you contact us to make a complaint.
- when you visit any of our websites and create an account.
- when you visit any of our websites and apply changes to your account.
- if you purchase a product or service by phone, but don't have (or don't use) an account.
- when you book any kind of appointment with us or book to attend an event. For example, a heating show or industry meeting.
- when you enter a prize draw or competition.
- when you choose to complete any surveys we may send you.
- when you comment on or review our products and services.
- when you fill in any forms. For example, if an accident happens within the head office premises or at an event hosted by OFTEC.
- when you've given a third-party permission to share with us the information they hold about you.
Notification of work performed under our registration scheme.
Building Regulations in specific regions may, depending upon the nature of the work you perform, require the collecting and processing of information relating to your customer. This is commonly known as completing a “works notification”.
Our work notification system meets Building Regulation 2010, Part 5, Regulation 20. (See https://www.legislation.gov.uk/uksi/2010/2214/regulation/20/) Under this legislation, upon the submission of a works notification from a registered business, a certificate is generated and despatched to the building occupier or nominated individual. The contents of the certificate are also passed to the local authority building control body in a format devised by Department for Levelling Up Housing and Communities (DLUHC) and Local Authority Building Control (LABC). There is no personal data displayed on the certificate, only property details, a date, description of work undertaken and by whom.
You may optionally submit a certificate recipient email address should you require the works notification certificate to be despatched digitally. The submission form also contains optional fields for you to input your customers name and a telephone number, which we may use only for the purpose of arranging a surveillance visit at the property.
Optional information is not shared with the local authority building control body.
5 - What sort of personal data do we collect?
We will only collect data to deliver a service that you have requested from us.
To process and maintain a registration, we will collect your name, postal address, email address(s), telephone number(s), your national insurance number, a photographic image of you, your date of birth, details about qualifications relating to your scopes of registration, inspection records, payment details and details of complaints made against you. We may also collect details of other interactions that we have had with you. For example, when you notify us of changes in your circumstances.
To process and maintain a trade association membership, we will collect the name of the business, names of personnel in specific areas of the business, postal address(s), email address(s), telephone number(s), payment details and information relating to your declared interests.
To process a technical enquiry, dependent upon your method of contact with us, we may collect your name, postal address, email address(s), telephone number(s).
To process a complaint concerning work undertaken by a registrant or activities of a trade association member, we will collect the name(s), postal address(s), email address(s), telephone number(s), plus other relevant details to enable us to process the complaint. These may include details of the affected property/equipment and/or information relating to its owner(s) or appointed agent.
If you have accounts with us, we will also collect account log-in and payment details. For example, details relating to work notification, to access the restricted areas of our websites or to purchase products and services.
6 - Indirect data gathering
We may receive data relating to individuals that have not contacted us directly. For example, information relating equipment owners that is displayed on an installation or servicing report. We will only use such documents for the purpose for which it was provided, and we will not process data relating to an identified third party.
7 - How and why do we use your personal data?
For registrants, we use your personal data in order to identify you as an individual and to allow us to monitor your competency and registration status in line with our obligations to operate a registration scheme.
Some examples of how we use your personal data are listed below:
- Your national insurance number is used as your unique identifier.
- Your name, postal and email address(s) are used to communicate to you updates and information relative to the services or products that you have requested from us.
- A photographic image is used to produce your registration identity card.
- Details of your competency certificates allow us to monitor your registration status and notify you when you require reassessment and/or to re-register with us.
- Details of inspections or consumer feedback allows us to monitor and assess your competence and eligibility to apply for or remain on our register.
If you choose not to share your personal data with us, or refuse certain contact permissions, we may not be able to provide you with some of the services you have requested.
From time to time we will send you information that you require to maintain your competency as a heating technician. For example, technical updates, electronic news letters, the Oil Installer magazine or other important communications that you need to be aware of. These may include notifications relating to changes in legislation, working practices or safety.
Your details may need to be passed to a third party to supply or deliver products or services that you have requested from us. See section 10 for further information.
To protect our business and your account from fraud and other illegal activities, we may use your personal data to maintain, update and safeguard your account. We'll also monitor your browsing activity with us to quickly identify and resolve any problems and protect the integrity of our websites. We'll do all of this as part of our legitimate interest. For example, by checking your password when you log-in and using automated monitoring of IP addresses, to identify possible fraudulent log-ins from unexpected locations.
We may send you communications required by law, or which are necessary to inform you about our changes to the services we provide you. For example, updates to this Privacy Notice, product recall notices, and legally required information relating to the products and services that you have requested from us. These messages will not include any promotional content and do not require prior consent when sent by email or text message. If we do not use your personal data for these purposes, we would be unable to comply with our obligations.
To display the most interesting content to you on our websites, we will use data we hold about your favourite brands or products and so on. We do so on the basis of your consent for our website to place cookies or similar technology on your device. For example, we might display a list of items you've recently looked at or offer you recommendations based on your purchase history and any other data you've shared with us.
To comply with our contractual or legal obligations, we may share data with law enforcement agencies. For example, as part of a criminal investigation or to aid court proceedings.
We may send you survey and feedback requests to help improve our services. These messages will not include any promotional content and do not require prior consent when sent by email or text message. We have a legitimate interest to do so as this helps make our products or services more relevant to you.
8 - How we protect your personal data
We know how much data security matters to you. Therefore we will treat your data with the utmost care and take all appropriate steps to protect it.
We secure access to all transactional areas of our websites using 'https' technology. All production databases are hosted on dedicated servers within a secure environment, which are protected by firewalls, and where public access is not permitted.
9 - How long will we keep your personal data?
Whenever we collect or process your personal data, we'll only keep it for as long as is necessary for the purpose for which it was collected.
With regard to registrants, when you leave our registration scheme, no further processing of your personal data will take place. However, to fulfil contractual obligations, we will typically retain your personal data for a period of seven years. At the end of the retention period, your data will either be deleted completely or anonymised. For example, by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
If we have collected information that suggests that you or your previous activities present a risk to the general public, we will retain your personal information for a period of twelve years from leaving our registration scheme. This information is retained for the sole purpose of evaluating your eligibility to be granted registration in the future. For example, if your registration was previously revoked because of criminal activity, bringing OFTEC in to disrepute, or failure to carry out rectification work following surveillance or a complaint investigation.
With regard to trade association members, when you leave our association, no further processing of personal data will take place and it will be deleted after a period of two years. However, we will keep records of any complaint investigations against your business for a period of seven years.
With regard to technical enquiries, after providing a response to your enquiry, we will typically retain your personal data for a period of seven years (six years contractual limitation period plus one year to account for any delay that may arise in the execution of any work(s) following a technical enquiry). At the end of the retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
10 - Who do we share your personal data with?
In order to deliver the service(s) that you have requested, we sometimes share your personal data with trusted third parties. Examples of the kind of third parties we work with are:
- IT companies who support our website and other business systems
- Dotdigital our email platform
- operational companies such as parcel delivery couriers.
- external producers of identity cards, certificates or publishers of the Oil Installer magazine
- contracted inspection personnel
- payment solutions providers
- regional Trading Standards departments
- local Building Control Bodies
- government departments.
Here are the policies that we apply to those organisations to keep your data safe and protect your privacy:
- We provide only the information they need to perform their specific services.
- They may only use your data for the exact purposes we specify in our contract with them.
- We work closely with them to ensure that your privacy is respected and protected at all times.
- If a service is fulfilled or we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
Sharing your data with third parties for their own purposes
We will only do this in very specific circumstances having first gained your consent. For example, if you tick a box to grant consent to be sent promotional information from:
- OFTEC Insurance Services
- providers of service benefits for registrants.
We may be required to share your personal information for the purposes of fraud management or criminal investigation.
For business development, we may, at any time, expand, reduce or sell OFTEC and this may involve the transfer of divisions or the whole business to new owners. If this happens, your personal data will, where relevant, be transferred to the new owner or controlling party, under the terms of this Privacy Notice.
To help facilitate your journey through our websites we currently use the following companies, who may process your personal data as part of the service they provide you, we suggest that you check the privacy notices of the following platforms before interacting with them:
11 - Your rights over your personal data
In line with GDPR data protection laws you have the right to request:
- a copy of the personal data we hold about you.
- the correction of your personal data if it is incorrect, incomplete or out of date.
- that we stop using your personal data for marketing of products or services (either through specific channels, or all channels).
- that we stop any consent-based processing of your personal data after you withdraw that consent.
- that your personal data is deleted once there is no compelling reason for it to be processed further.
To request a copy of the personal data we hold for you, please write to the Data Protection Coordinator atUnit 25, Riduna Park, Station Road, Melton, Woodbridge, IP12 1QT or email us at firstname.lastname@example.org with "Subject Access Request" as the title.
Registered users of this website can log in and then amend their personal data in the 'portal' if it is out of date or incorrect. Alternatively, you can email our Registration Team and request an update.
If we choose not to action your request, we will explain to you the reasons for our refusal.
Your right to withdraw consent
You can choose to withdraw your consent for us to use your personal data at any time.
Where we rely on our legitimate interest
If you ask us to stop processing your personal data, we must do so unless there is a legitimate overriding reason for us to continue processing your data.
We must comply with your request for us to stop using your personal data for direct marketing.
Checking your identity
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this privacy notice. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
12 - How can you stop the use of your personal data for direct marketing
There are several ways you can stop direct marketing communications from us:
- Click the 'unsubscribe' link in any email communication that you. We will then stop any further emails from that division, unless they are provided with legitimate interest.
- Log into your OFTEC account and go to the portal to change your preferences.
- Write to the Data Protection Coordinator at Unit 25, Riduna Park, Station Road, Melton, Woodbridge, IP12 1QT or email us at email@example.com with "GDPR Consent Withdrawal" as the title.
Please note, registered businesses or technicians choosing to "unsubscribe" from the Registered Technician's eNews will result in you not receiving important updates that affect your registration and/or competence and this may result in withdrawal of registration if the work you complete is found not to meet updated building regulations.
It may take a short period of time for our systems to be fully updated following a change to your preferences. During this time, you may continue to receive communications from us.
13 - OFTEC Direct
OFTEC Direct sells a range of products to help registered technicians perform their daily work.
We may sometimes include details of offers or new products within publications such as E-News or Oil Installer.
14 - Contacting the regulator
At any time, if you feel that we have not responded satisfactorily to your request, or if you feel that your data has not been handled correctly, it is within your rights to register a complaint with the relevant data protection regulator in your country of residence.
- UK, contact the Information Commissioner's Office via www.ico.org.uk
- Republic of Ireland, contact the Data Protection Commissioner via www.dataprotection.ie
15 - If you live outside the UK
For all non-UK and Republic of Ireland registrants and trade association members
Although the GDPR laws apply to the EU, we will apply the same policy for the processing of personal data held by us for residents outside this geographical area. We will honour your request for access to your personal data or request that we stop processing your data.
By giving us your personal data for the purposes of registration, you are giving us consent to hold and process your data outside of your country of residence. This includes disclosing elements of your personal data to third party business connected with the day to day running of our business.
This may occur because our information technology storage facilities and servers are located outside your country of residence and could include storage of your personal data on servers in the UK.
16 - Any questions?
We hope this privacy notice has been helpful in explaining how we handle your personal data and your rights.
If you have any further questions, please don't hesitate to contact our Data Protection Co-ordinator for further guidance:
Email us at firstname.lastname@example.org with 'Data Protection Enquiry' as the title.
Alternatively, write to the Data Protection Co-ordinator, at OFTEC, Unit 25, Riduna Park, Station Road, Melton, Woodbridge, IP12 1QT
From the UK, you may also wish to consult the Information Commissioner's Office via www.ico.org.uk or from the Republic of Ireland via www.dataprotection.ie
17 - Last updated
This notice was last updated on 21st December 2022