Personal information charter

Our standards for requesting or storing personal information.

This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the General Data Protection Regulation (GDPR), Data Protection Act 2018 and the law Enforcement Directive.

We are now required by law to process your data in a way that is transparent regardless of what the process is where your data is used, unless this information is being used in alignment with criminal enforcement.

Privacy notices

Once we have gathered your information as part of the business activities listed below, we retain the right to share your data with the Department for Environment, Food and Rural Affairs, its Executive Agencies, and the European Union and are obligated to.

We may also share your information with other organisation that are listed below for each business area within the MMO. This means that we do not require your permission to do so once you have acknowledged this privacy notice.

The data you provide will not be transferred outside of the European Economic Area.

Individual’s Data

The data collected and its reason for processing, along with your rights, will change depending on the service that you access so individual privacy notices will have been provided on this basis. We will ensure that you are made aware of the privacy notice(s) relevant to you prior to processing your personal information.

If anything changes during our processing we will ensure that the privacy notice(s) are changed to reflect this and notify you. Please be aware that in order to contact you, we will need up to date contact information so ensure that this is accurate.


The EU’s Article 29 Data Protection Working Party has issued guidance on transparency requirements necessary to comply with GDPR:

Transparency is an overarching obligation under the GDPR applying to three central areas: (1) the provision of information to data subjects related to fair processing; (2) how data controllers communicate with data subjects in relation to their rights under the GDPR; and (3) how data controllers facilitate the exercise by data subjects of their rights. Insofar as compliance with transparency is required in relation to data processing under Directive (EU) 2016/6803, these guidelines also apply to the interpretation of that principle.

Transparency is a long established feature of the law of the EU5 [France, Germany, Italy, Spain, and United Kingdom]. It is about engendering trust in the processes which affect the citizen by enabling them to understand, and if necessary, challenge those processes. It is also an expression of the principle of fairness in relation to the processing of personal data expressed in Article 8 of the Charter of Fundamental Rights of the European Union.

Under the GDPR (Article 5(1) (a) 6), in addition to the requirements that data must be processed lawfully and fairly, transparency is now included as a fundamental aspect of these principles. Transparency is intrinsically linked to fairness and the new principle of accountability under the GDPR. It also follows from Article 5.2 that the controller must be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject.

Personal Data

Any kind of information that can be used to personally identify an individual either directly or indirectly. These are just a few examples of this; name, date of birth, address or reference number.

Some personal data is more sensitive in nature and requires more careful handling. GDPR defines “special categories of personal data” which means data relating to a living person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning someone’s sex life or sexual orientation.


The ICO has set out its view on who GDPR applies to:

  • The GDPR applies to ‘controllers’ and ‘processors’.
  • A controller determines the purposes and means of processing personal data.
  • A processor is responsible for processing personal data on behalf of a controller.
  • If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
  • However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
  • The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
  • The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

You have the following rights with GDPR which you can exercise the:

  1. right to be informed
  2. right of access
  3. right to rectification
  4. right to erasure
  5. right to restrict processing
  6. right to data portability
  7. right to object
  8. rights in relation to automated decision making and profiling.

There is full information regarding the new rights you have and are listed on the Information Commissioner’s website.

’# How we use your data?

We process your personal data in a number of ways to deliver Public Services. We will look to inform you at the point of collection via a Privacy Notice, the reason(s) we need your information, how your information is being collected what we will do with it and who we will share it with. In some cases we may pass it on to our agents/representatives to do these things on our behalf.

When we share your personal data

We share or disclose personal data where we are required to so by law or to provide Services to fulfil our public task. Where we know there is a requirement to share your personal data we will tell you why and who we will share your personal data with. We will ensure that the data processor agrees to handle your data in conformity with your rights.

Published personal data

Public bodies are required to be transparent about the use of money, for example, and in some cases this may require the publication of personal information. Data published in these cases will balance the needs for transparency compared to your privacy rights. Examples where we publish personal data are:

  • public registers
  • anonymised statistics for the purpose of business improvement
  • high level expenses and salaries information

We may have to release personal data and commercial information under the Environmental Information Regulations 2004 and the Freedom of Information Act 2000.

Anonymised or non-personal data may be shared in support of public tasks, and where possible disclosed under an Open Government Licence.

Retention of data

Public bodies retain information for various reasons, primarily to ensure accountability. When we no longer need personal data, arrangements are made to securely delete or destroy it. Records periods are set in line with statutory, regulatory, legal, security reasons or for their historic value. Details will be on the relevant Privacy notice.

Inaccurate or incomplete data

If you discover that the personal data we hold about you is inaccurate, or incomplete, please contact us so we can update your records. When doing so, please explain where you have seen it and what data you feel is inaccurate. We will aim to respond to you within one month but may extend this period to two if the request is complicated. Our contact details are at the bottom of this document.

Where we maintain that the original information held was accurate, we will explain why. If you do not agree with our decision, you have the right to complain to the Information Commissioner’s Office, as detailed in this Personal Information Charter.

Access to information that we hold about you

You can ask to see what data we hold about you. This is called a ‘subject access request’. Send your written request to us at the email address below.

On receipt of your request we will acknowledge it and may ask for proof of your identity.

We will respond within one month, and exceptionally extend this by up to two months in complex cases. If we determine that the costs and or resources to provide you with all of the data requested, due to the volume, we may have to refuse your request or ask you to provide a contribution to meet these costs. When you ask to see information we hold it is helpful to include as much information as possible to help us find the data you want, for example, tell us the functions, schemes, or transactions and dates that you want to know about.

Putting data on hold

Where other legislation is not affected you may wish to put your data on hold while a decision to adjust, access or delete your information is processed.

Data that is transferred outside of the European Economic Area

There are instances where personal data is stored outside the European Economic Area. In most cases Personal data is not transferred or stored outside of the European Economic Area. If your personal data is processed outside the United Kingdom or European Economic Area, you will be informed of this and the safeguards that are in place.

You have the right to request that (1) we no longer process your personal data and (2) request that we delete your personal data at any time. However, agreement may not be assumed as we may have to refuse your request should the data be required to comply with a legal obligation, performance of a contract or public interest task or exercise of official authority. We may also refuse for the purposes of public health purposes, exercise or defence of legal claims or archiving purposes in the public interest, scientific research, historical research or statistical purposes. Where this is the case and agreement is not required we will advise you of this. Prior to deletion we may anonymise and hold data for data analysis.

Consequence of not supplying requested personal data

If you do not supply the requested personal data it is more than likely that the Service you are applying for or wish to use will not be available to you. This may have consequences in terms of non-compliance, for example not complying with specific legislation. We try to ensure that we only collect the minimum personal data that is necessary for us to offer the Service(s) to you.

Automated decision making

Your personal data may be subject to automated decision making. You will be informed where automated decision making applies including profiling, and the envisaged consequences of such processing.

It is highly unlikely that the MMO with use automated decision making.

Complaints regarding the handling of your data

If you think your data has been misused or that our holding it hasn’t kept it secure, you should contact us.

Contacting us

For day to day use, please look to contact the team you are already communicating with. They are best placed to manage general enquiries or to update the accuracy of your data, or provide you with information. However, if they cannot help you, or you have a complaint about how your data is being handled, please use following contacts, making clear which right you wish to exercise:

To make a complaint

How your personal data has been handled please follow the Marine Management Organisations complaints procedure

To report a data breach

Contact the Defra Helpline on 03459 33 55 77 (UK) +44 20 7238 6951 (from outside the UK) or online.

For all other enquiries,

For example to tell us your details are inaccurate or incomplete, to ask to see the data we hold about you or to withdraw my consent or request my personal data be deleted, please contact the Defra Helpline on 03459 33 55 77 (UK) +44 20 7238 6951 (from outside the UK) or online at:

If you’re unhappy with our response or if you need any advice you should contact the Information Commissioner’s Office (ICO) who are the supervisory authority.

Information Commissioner's Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113


Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts. Should you wish to exercise that right full details are available on the Information Commissioner’s website.

We keep our Personal Information Charter under regular review. This Personal Information Charter was last updated on 17 May 2018.

Privacy notices

This file may not be suitable for users of assistive technology. Request an accessible format.

If you use assistive technology (such as a screen reader) and need a version of this document in a more accessible format, please email Please tell us what format you need. It will help us if you say what assistive technology you use.