Visa Fees Reimbursement Scheme for Scale Ups (VFRS4SU) privacy notice
Published 3 July 2026
The Visa Fees Reimbursement Scheme for Scale Ups (VFRS4SU) provides funding to UK-based scale-ups in priority sectors (notably Clean Energy, Life Sciences and Digital and Technologies) to reduce hiring frictions for critical skills by reimbursing visa fees for eligible hires and their dependants (spouse and children).
The Department for Business and Trade (DBT) has financial accountability for the VFRS4SU scheme and will collect personal data as part of the application, delivery, administration and review of the scheme.
DBT is committed to protecting the privacy and security of your personal data.
This privacy notice describes how we collect and use your personal data in accordance with data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).
This notice explains how we process your personal data and your rights. It complies with Articles 13 and 14 of the UK GDPR.
Data protection principles
DBT will comply with data protection legislation.
This means that the personal data we hold about you must be:
-
used lawfully, fairly and in a transparent way
-
collected only for valid purposes and not used in any way that is incompatible with those purposes
-
adequate, relevant and limited to what is necessary for the purposes for which it is processed
-
accurate and kept up to date
-
kept in a form that identifies you for only as long as necessary (however, personal data may be stored for longer periods for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes)
-
kept securely
Types of personal data we hold about you
Personal data is information that relates to an identified or identifiable individual and only includes information relating to natural persons who:
-
can be identified, or are identifiable, directly from the information in question
-
can be indirectly identified through all reasonable means from that information in combination with other information
DBT will receive the following personal data from applicant businesses relating to you and your dependants:
-
name, address and contact details
-
date of birth
-
nationality
-
passport and visa details, including the Unique Reference Number (URN) and expiry date
-
UK bank account payment details
-
job title, employment contract and salary details, which may include National Insurance (NI) numbers and a unique reference number
-
CV to confirm area of business and/or expertise to confirm skills held
-
family members’ names and contact details (if receiving support through the VFRS4SU scheme)
-
family members’ dates of birth and nationality (if receiving support through the VFRS4SU scheme)
-
family members’ passport and visa details (if receiving support through the VFRS4SU scheme)
Due to our role as a government department with responsibility for funding the grant scheme (including pursuing debts where required), we may also hold high-level aggregate data about the take-up, delivery and success of the grant scheme. High-level aggregate data is not considered to be personal data.
Purpose
DBT will process personal data collected through the VFRS4SU scheme for the purposes of:
-
assessing the eligibility of an organisation to receive support
-
assessing the eligibility of a job vacancy
-
monitoring the performance of individual grant agreements under the scheme
-
ensuring that grants have been paid out in line with the eligibility and subsidy allowance conditions for the scheme
-
evaluating and reviewing the impact, performance and costs of the scheme
-
researching the effectiveness of the scheme and supporting future policy development
-
preventing and detecting payments made in error or fraud, or taking action to mitigate the risk of fraud
-
recovering any irregular grant payments, for example payments issued in error or obtained through fraud
Legal basis of processing
DBT relies on the following lawful bases under UK GDPR to process your personal data.
Processing is carried out under Article 6(1)(e) (public task), where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in DBT. This is the primary legal basis for our activities, including grant administration, compliance, enforcement and fraud prevention.
We may also rely on Article 6(1)(c) (legal obligation) where processing is necessary to comply with a legal obligation, such as statutory reporting, audit requirements or obligations relating to fraud prevention and investigation.
We will only use your personal data in accordance with data protection law. Specifically, we may use your personal data to:
-
carry out any of our lawful functions
-
administer and manage grant schemes, including assessing eligibility, monitoring compliance and ensuring the appropriate use of public funds
-
verify that the information we hold is accurate and up to date
-
prevent, detect, investigate and prosecute fraud and other criminal offences
-
undertake case management activities, including evidence gathering, analysis, storage and meeting disclosure obligations
-
recover grant funds that have been incorrectly awarded or paid
-
bring civil proceedings or take administrative action where necessary
-
respond to enquiries, including requests from Parliament and Select Committees
-
produce statistical analysis, research and evaluation to assess the performance, impact and effectiveness of grant schemes and inform policy development
-
assess scheme uptake, outcomes, performance and costs
-
support research and policy development
Sharing of your personal data
As part of the application due diligence process, a designated DBT officer will share personal data relating to you and your dependants with the Home Office (HO) Data Service Analytics Team (DSA) to access immigration data. These checks will be carried out before releasing grant payments to successful applicant businesses.
We will not share your personal data with any third parties for the purposes of direct marketing.
DBT will share your personal data with third parties acting as data processors on behalf of DBT. We will have contracts or memoranda of understanding in place with these processors. They are only permitted to process your personal data in accordance with DBT’s instructions.
Special category data
In certain circumstances, we may process your special category data.
Where DBT processes special category personal data (including information revealing racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, genetic or biometric data, health data, or data concerning a person’s sex life or sexual orientation), this will be done where necessary for reasons of substantial public interest under Article 9(2)(g) of the UK GDPR, including the prevention and detection of unlawful acts and the protection of public funds. Appropriate safeguards will be in place in line with the Data Protection Act 2018.
We will ensure that any processing of your personal data is limited to what is relevant and necessary for the purposes outlined in this notice and is carried out in accordance with data protection principles.
Law enforcement purposes
DBT is a competent authority for the purposes of Part 3 of the DPA.
Any processing of personal data for law enforcement purposes (that is, the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including safeguarding against and preventing threats to public security) will comply with Part 3 of the DPA.
Consent
We do not normally rely on consent to process your personal data.
However, in limited circumstances where consent is required, we will clearly ask for your consent before processing your data. You have the right to withdraw your consent at any time.
Withdrawal of consent does not affect the lawfulness of any processing carried out before consent was withdrawn.
Data security
We have put in place measures to protect the security of your personal data.
We treat the security of your personal data very seriously. We have strict security standards, and all staff and other people who process personal data on our behalf receive regular training on keeping information safe.
Where possible, personal data is minimised, aggregated or anonymised, for example when reporting on performance or estimated losses.
We have put in place appropriate technical, physical and managerial procedures to safeguard the information we collect about you.
In addition, we limit access to your personal data to those people or agents who have a business or legal need to access it.
We have put in place procedures to deal with any suspected data security breach and will notify you and the relevant regulator where we are legally required to do so.
Where your personal data is shared with the Home Office, it will be stored in Home Office secure folders. All organisations we work with are required to move, process and destroy data securely in line with the principles set out in the HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information.
Retention of your personal data
Personal data is retained in accordance with the DBT retention and disposal policy.
We, and third parties (including the Home Office) that we share it with, will retain your personal data for as long as necessary for the purposes for which it is used and in line with our retention and disposal policy.
In some circumstances, DBT will anonymise your personal data so that it can no longer be associated with you. Where this happens, we may use that information without further notice to you.
Your data protection rights
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason and lawful basis for processing your information.
Your right of access
You have the right to request information about how your personal data is processed and to request a copy of that personal data. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
Your right to rectification
You have the right to ask us to correct information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Your right to erasure
You have the right to ask us to erase your personal data in certain circumstances.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing
You have the right to object to processing carried out as part of our public tasks or in our legitimate interests.
Your right to data portability
This only applies to information you have given us. You have the right to ask us to transfer the personal data you gave us from one organisation to another, or give it to you. This right only applies if we are processing personal data based on your consent or for the performance of a contract, or during steps taken before entering into a contract, and the processing is automated.
Automated decision-making
Personal data collected by DBT will not be subject to automated decision-making.
International transfers
Personal data will be processed in the UK.
Your personal data will not be transferred outside the UK and European Economic Area (EEA), or by an international organisation.
Contact DBT’s Data Protection Officer (DPO)
You can write to:
Data Protection Officer
Department for Business and Trade
Old Admiralty Building
Admiralty Place
London
SW1A 2DY
Email: data.protection@businessandtrade.gov.uk
Complaints
If you think your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner’s Office, which is the UK’s independent regulator for data protection.
You can write to:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Email: casework@ico.org.uk
Telephone: 0303 123 1113
Textphone: 01625 545860
Opening hours: Monday to Friday, 9am to 4:30pm
Making a complaint to the Information Commissioner’s Office does not affect your right to seek redress through the courts.
Changes to this privacy notice
We keep our privacy notices under regular review.
If there are any changes, we will update this page to let you know, for example about any new uses of your personal data.
Check this page regularly to make sure you are aware of what information we collect, how we use it and the circumstances in which we may share it with other organisations.
From time to time, we may also tell you about changes to the processing of your personal data in other ways.