Privacy and protection of personal information

BRCGS Directory Privacy Notice

Last updated: 03 October 2025

1. Introduction

1.1 This Privacy Notice explains how BRC Trading Limited (Company number 04281617) (“BRCGS”, “we”, “our”, “us”) collects and uses personal data via the BRCGS Directory (the “Directory”).

1.2 For the purpose of the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 (the “GDPR”), we are the controller of the personal data we process about you. We are registered with the Information Commissioner’s Office with registration number: Z1303163. We also control and operate the Directory. This policy sets out how we collect, process, store and protect your personal data.

1.3 This policy applies to:

1.3.1    customers;

1.3.2    registered users of the Directory;

1.3.3    individuals whose personal data is contained within an audit published on the Directory;

1.3.4    representatives of certification bodies; and

1.3.5    representatives of accreditation bodies.

2. How we collect your personal data

2.1 Our customers may be registered companies, sole traders or partnerships. Where our customer is a registered company, we will process personal data in relation to our contact at that company.

2.2 We will collect personal data from you when we engage with you directly, or your personal data may be provided to us by the company you work for in order to set up an account on the Directory for you. We also collect information when you use the Directory.

2.3 Your personal data may be processed on the Directory as part of audits that are uploaded onto the Directory.

2.4 We may also process personal data which is in the public domain, such as on Companies House.

2.5 The personal data we collect may include:

2.5.1   your name;

2.5.2   your job title, employer’s name, work address, work email address and work telephone number;

2.5.3   records of written and verbal communications between us;

2.5.4   financial information about your transactions with us; and

2.5.5   Internet Protocol (IP) address.

3. How we use your personal data

3.1 We use your personal data in the following ways:

3.1.1   to set up and maintain your account on the Directory;

3.1.2   to communicate with you by phone, email and post;

3.1.3   to ensure that the content of the Directory is presented to you effectively;

3.1.4   for customers and Directory users, we use your personal data to provide you with our services during and following your relationship with us and in order to obtain feedback from you about our services and your experience with us; and

3.1.5   to send you information in relation to updates or additional services which we think you may be interested in.

4. Our legal basis for processing

4.1 We process your personal data on the basis of the following purposes, as appropriate:

4.1.1   for the performance of any contract that we enter into with you or to take steps at your request prior to entering into a contract;

4.1.2   for the purposes of our legitimate interests in ensuring that we provide you with the best service possible in all our interactions with you, which may include providing you with information about our services which may be of interest to you. We may also have a legitimate interest in processing personal data for potential new projects where we have a commercial interest in pursuing the project; and

4.1.3   for compliance with any legal obligation to which we are subject.

5. Sharing your personal data

5.1 We only share your personal data with third parties where it is necessary for us to do so in order to fulfil our obligations to you under our contract, or where we are required to do so in order to comply with a regulatory or legal provision. This includes third party companies who are also part of the same group of companies as BRCGS. Such intra-group disclosure may be necessary to provide you with our services or to manage our business.

5.2 We will never sell your personal data for direct marketing.

6. Transfers of your personal data

If we need to transfer your personal data outside the European Economic Area we will take all steps reasonably necessary to ensure that any such transfer is made securely and that there is adequate protection in place in order to protect your personal data.

7. How we protect and secure your personal data

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who act on our behalf and have a business need to process your data. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

8. How long do we keep your personal data?

8.1 For customers and Directory users, we will retain your personal data for as long as is necessary to manage our relationship with you and in order to contact you with any important information regarding the Directory.

8.2 Directory accounts will be deleted if they are inactive for a period of two (2) years.

8.3 We will retain copies of audits on the Directory indefinitely in order to retain a full record of the audits. For any other circumstances, we will not process personal data for longer than it is necessary to fulfil the reasons for processing.

9. What are my data protection rights and what can I do to enforce them?

9.1 Your personal data is protected under data protection laws and you have a number of rights (explained below) which you can seek to exercise. Please contact us using the details provided below if you have any queries in relation to your rights. 

9.2 If you seek to exercise your rights we will explain to you whether or not the right applies to you; these rights do not apply in all circumstances.

9.2.1   Right of access – You have a right to access the personal data we hold about you upon request. This is known as a “Data Subject Access Request”. You can exercise this right by making a request in writing, by email or by telephone using the contact details in the contact and complaints section below.

9.2.2   Right of rectification – You can ask us to correct or update your personal data to ensure it is accurate and complete.

9.2.3   Right to erasure and right to restrict processing – You can ask us to stop processing and/or to delete your personal data in certain circumstances (for example, where it is processed with your consent, or it is no longer necessary for us to process it).

9.2.4   Right to data portability – You have a right to ask us to provide you with your personal data in a form that suits you, and/or to provide your information to a third party.

9.2.5   Right to object – You have a right to object to our processing of your personal data.

9.2.6   Profiling and automated decisions – You have a right not to be subject to automated decisions which have a legal effect and to be protected by safeguards in respect of any profiling. We do not undertake any automated decision making or profiling.

9.2.7   Right to object to direct marketing – Where you have consented to receive direct marketing, you can change your mind at any time by contacting us or following the link to “unsubscribe” provided in each email we send to you. Please allow a few days for us to action your request.

10. Changes to this Privacy Notice

We may change this Privacy Notice from time to time. We encourage you to periodically review this Privacy Notice for the latest information on our privacy practices.

11. How to contact us

11.1 We have appointed a Data Protection Officer (“DPO”) to oversee compliance with this Privacy Notice. If you have any questions about this Privacy Notice or how we handle your personal data, please contact the DPO by sending an email to dpo@tlt.com.

11.2 You also have the right to lodge a complaint with a supervisory authority (the Information Commissioner's Office or “ICO”) by writing to Information Commissioner's Office, Water Lane, Wilmslow, SK9 5AF or calling 0303 123 1113. Further information about how to do this can be found at: www.ico.org.uk.