Food Standards Scotland and the Food Standards Agency (FSA) are joint controllers of the personal data provided to us.
What information do we hold?
The personal information we hold consists of the name and email address of the applicant, and may include the name, address, telephone number and email address of representatives working on behalf of the applicant and/or representative of an organisation providing information to support the application.
Why we need it
We need to collect and process your personal information in order to:
- Administer your application
- Assess and authorise your application
- Communicate with you, the applicant, representative, or the representative of the organisation providing information in support of the application
What is the legal basis for our use of your personal data?
As joint controllers, we process this information for the above purposes as it is necessary for the performance of a task carried out in the public interest and/or in the exercise of official authority vested in the FSA and FSS. In particular, we do this in line with the performance of our statutory duties to assess and authorise regulated products before they enter the market.
Where do we get this information from?
Food Standards Scotland and the Food Standards Agency obtain this information directly from you, the applicant, or representatives operating on your behalf, or directly or indirectly from organisations providing information in support of your application.
What we do with it
We store the information that you provide in the initial Web form to register your application and use it to set up a unique repository for you to securely upload the dossier in support of your application.
Your information may be passed to experts in other government departments, including those in the devolved administrations, analytical laboratories or to scientists, including our Scientific Advisory Committees, where necessary to assess your dossier and application.
No other third parties will have access to your personal data unless there is a lawful or legal basis for the sharing. In line with this commitment, we may also share personal information about you:
- with third parties who are directly involved in dealing with any request, enquiry or correspondence submitted by you;
- where we are legally required to do so (e.g. in connection with criminal investigations, legal proceedings or prospective legal proceedings);
- where necessary for establishing, exercising or defending our legal rights and permitted by law.
In addition, we use or work with contractors and other third-party service providers, such as IT service providers, who will process your personal data on our behalf. These third parties are our data processors and can only process your personal data on our instruction or with our agreement for a specified purpose to enable us to maintain, improve and provide our services in order to fulfil our public task.
We will publish information relating to an authorised regulated product on a digital register. This information will be anonymised, which means that you cannot be identified from it.
We retain your personal information only for as long as necessary to carry out these purposes, and in line with our retention policy.
This means that your applicant name and email address will be retained for 1 year from the decision date.
Any personal information contained in the application and dossier will be retained. We need to keep a record of your application to understand the basis for the product being on the market. This allows us to refer to the original complete information used to support the authorisation, if concerns are raised with the safety of the product once on the market.
All the personal data we process is primarily located on servers within the UK and the European Economic Area (EEA), which means that they are deemed adequate in terms of data protection by the UK government. In addition, our cloud-based services have been procured through the government framework agreements and these services have been assessed against the National Cyber Security Centre Cloud Security Principles. For financial and technical reasons, we may on occasion use the services of a supplier outside the UK and European Economic Area (EEA), which means that your personal information is transferred, processed and stored outside the EEA. However, we take steps to ensure that these organisations have in place suitable technical and organisational safeguards either through the agreements we hold with them or by confirming they operate in accordance with the EU-U.S. Privacy Shield Framework.
What are your rights?
You have a right to see the information we hold on you by making a request in writing to the email addresses below. If at any point you believe the information we process on you is incorrect you can request to have it corrected. If you wish to raise a complaint on how we have handled your information, you can contact our Data Protection Officer who will investigate the matter.
If you are not satisfied with our response or believe we are not processing your information in accordance with the law you can complain to the Information Commissioner’s Office (ICO) at www.ico.org.uk.
Our Data Protection Officer at Food Standards Scotland is the Director of Policy, Science, Finance and HR who can be contacted at the following email address: email@example.com.
Last updated 8 December 2020