Privacy

Privacy Policy

This Privacy Policy includes important information regarding an individual’s personal data and should be read carefully. The British Oil Security Syndicate (BOSS), takes the privacy of personal data very seriously and this Policy sets out how and why BOSS collects, handles, stores and disposes of an individual’s personal data (as defined by legislation).  BOSS may also collect non-personal data during the course of its activities which are excluded from this policy.

Who we are

The British Oil Security Syndicate is a trade organisation working to reduce forecourt crime working closely with Police and its members who are primarily petrol retailers in the UK. It provides a variety of services to its membership for the prevention and detection of crime and the reduction of financial loss and includes schemes to recover outstanding fuel debts from customers who either did not have the means to pay at the time for fuel drawn, or have left the site with an outstanding debt for fuel drawn. In order to provide these services, it is necessary for the British Oil Security Syndicate (BOSS) to either obtain information from its customers or utilise personal data (vehicle registration numbers) to contact the registered keepers in order to resolve outstanding debts. In addition to customers, BOSS also gathers personal data from its members and their employees to manage and maintain the activities provided. As such BOSS is deemed to be both a Controller and a Processor of personal data.

 

BOSS also works with Police forces nationally and shares information and data where a crime, aggravating circumstances or multiple offences have been identified.

Purpose

This privacy policy outlines how BOSS fulfils its responsibilities under legislation and satisfies the following principles:

  • Lawfully collects personal data
  • For legitimate purposes
  • Data is adequate and relevant
  • Data is accurate and up to date
  • Only retained for as long as necessary
  • Recognises a Data Subjects rights
  • Securely stored
  • Retained within the EEA only

Scope

This policy applies to all BOSS staff, agents and sub-contractors and to its operations which include:

  • Forecourt Watch
  • Payment Watch
  • Retailer Information
  • Membership management

Lawful and legitimate basis for processing of personal data

BOSS operates schemes for its membership to reduce crime and financial loss on petrol stations which include the recovery of debts for fuel drawn by customers which remain outstanding at the time the customer leaves the petrol station.

All data collected are used either:

– for the recovery of debts

– as witnesses to the incident

– for the subsequent prosecution of multiple offenders in conjunction with the police

– where it is deemed that a crime or fraud has been committed

– membership management

 

BOSS therefore lawfully collects data under the following basis:

Consent

BOSS obtains consent to collect personal data through acceptance of electronic messaging on its website.

Legitimate Interests

In certain circumstances BOSS has a Legitimate Interest in collecting personal data, either from customers or its retailers and staff, to enable the recovery of debts and does not obtain consent from Data Subjects – such as under its Forecourt Watch and Payment Watch schemes. Where fuel is drawn and is not paid for at the time the individual petrol station investigates the matter and either obtains personal details to enable recovery of the debt, or obtains a vehicle registration and make, model and colour details plus a description of the customer along with cctv images. This data is reported to BOSS by the retailers and staff and used to obtain registered keeper details via the DVLA where BOSS is a registered and authorised trade organisation adhering to its rules of disclosure.

Types of relevant Data

In conducting its business BOSS and / or its agents processes the following data:

 

ActivityType of data collectedLawful Basis
Forecourt Watch

(Recovery of outstanding debts at the time fuel is drawn and no details are given)

–       Vehicle registration number

–       Vehicle colour, make, model

–       CCTV

–       Gender / Description

–       Registered keeper name and address

–       Multiple offender data

 

–       Legitimate Interest

Payment Watch

(Where a customer does not have means to pay for fuel drawn and provides personal data to the site and enters into a contract to pay)

–       Name

–       Address

–       Tel. No

–       E-Mail address

–       Vehicle registration number

–       Vehicle colour, make, model

–       CCTV

–       Gender / Description

–       Multiple offender data

 

–       Legitimate Interest

Retailer Information–       Name

–       Business address

–       Business tel. no

–       Gender

–       Legitimate Interest
BOSS Membership–       Name

–       Business address

–       Tel. No

–       E-Mail address

 

–       Consent

Current and Accurate data

BOSS and its sub-contractors obtains personal data from its member sites either electronically or via paper-based documentation and processes the data as soon as possible to minimise the risk of data becoming aged. Where personal data provided to BOSS by the petrol station are found to be inaccurate, steps are taken with the petrol station to review and correct the data as soon as the error has been identified and cease further inaccurate processing.

The petrol retailer carries out checks prior to reporting incidents to BOSS to minimise errors and inconvenience to customers.

Retention

Personal Data are only retained for as long as is necessary for BOSS to carryout its objectives. The length of time that data is required varies depending upon a number of factors:

  • Whether the customer pays a debt within agreed timescales
  • Length of time to obtain contact details for the customer
  • Whether or not multiple offences exist for the same person
  • Whether other aggravating circumstances exist

BOSS retains personal data – however obtained, for a maximum period of one year after which the likelihood of the data becoming inaccurate increases and data is destroyed using secure methods such as shredding or deletion. In the event personal data has been passed to an agent of BOSS then this may be retained for a longer period, pursuant to their individual Privacy Policy and or regulatory requirements.

Data Subject Rights

The General Data Protection Regulations give the Data Subject the following rights:

  • To be informed when personal data is collected.
  • To request from BOSS what data are held about them and how and why it is processed.
  • To correct or update any inaccurate personal data processed.
  • To request that their personal data is erased or its use restricted. Requests are however not automatic and subject to review by BOSS depending upon the specific circumstances.
  • To obtain and reuse their personal data for their own purposes across different services.
  • The right to be notified where automated decision making and profiling is undertaken.
  • To lodge a formal complaint with the Information Commissioners Office.

 

To access their data BOSS operates a Subject Access Request process that enables all data subjects to access this information. The data subject must:

  • Make the request in writing – either by e-mail to info@bossuk.org or by post to its registered office at Greville House, 10 Jury Street, Warwick. CV34 4EW, or
  • Verbally
  • Provide appropriate identification in support of their request

 

On receipt of the above, BOSS will release, delete or update the information on the data subject where appropriate and comply with any request within one month from receiving the written request.

 

A Data Subject has the right to withdraw consent (where this has been provided) and BOSS will seek to do so where possible. However where BOSS has a legitimate interest for retaining this data it will review the specific circumstances and advise the Data Subject of its decision.

 

Right to erasure of data (to be forgotten)

All data subjects have the right to request the deletion or removal of personal data where there is no compelling reason to continue processing the data. BOSS will remove data upon request subject to:

 

  • Not being subject to a legal obligation to retain it
  • Where the data is being processed to recover an outstanding debt consistent with a lawful and legitimate basis as referred to in this document

Secure storage

BOSS, its agents and sub-contractors obtain personal data either electronically, paper based or a mixture of both and takes care to ensure that all reasonable steps are taken to protect personal data against loss, misuse or inadvertent disclosure.

Electronic

All data are stored on the BOSS Electronic Reporting System (ERS) which is password protected and access controlled and is protected against malicious attack, theft and hacking.  Data are transferred to agents and sub-contractors in accordance with this policy. Data are only stored on secure servers housed in the UK and no Data are sent outside the EEA. Staff access to personal data is limited to authorised users and staff are prohibited from copying data. Computers are housed in secure locations and data backed up daily.

Paper based

All personal data sent to, or by BOSS or its authorised agents, are stored in secure cabinets or facilities. Wherever possible personal data is scanned to the ERS and paper-based documentation is shredded afterwards.

Data Sharing

BOSS, its sub-contractors and agents process personal data consistent with its stated legitimate purposes. It will share data with police forces where a crime or aggravating circumstances are suspected or multiple offences constituting fraud are identified, or where a legitimate specific request is made.

BOSS may also disclose personal data if required to do so by law, a court, a government agency or other legitimate reason.

Cookies

A “cookie” is a piece of software that attaches to the hard drive of your computer and remembers information about the configuration of your computer. This website uses cookies to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping baskets, and provide anonymised tracking data to third party applications like Google Analytics. As a rule, cookies will make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. We suggest consulting the Help section of your browser or taking a look at the About Cookies website www.aboutcookies.org.uk  which offers guidance for all modern browsers.

Please refer to the separate Cookie Policy for more information about the use of cookies

Exclusions

This Privacy Policy does not apply in the following circumstances:

Third Party Links

This Privacy Policy applies only to data collected by BOSS and its agents and sub-contractors. Links to third party websites outside the control of Boss are excluded from this policy and users should check individual Privacy Policies.

Aggregated personal data

BOSS regularly carries out research and analysis to identify patterns which may include personal data collected. As this data is aggregated it does not identify any individual personally and is therefore not deemed to be personal data as referenced in this policy.

Children

BOSS does not knowingly collect personal data from children under thirteen years of age. Its services and membership are aimed at an entirely different audience.

 

Policy Changes and Updates

This policy is regularly reviewed, it may be necessary from time to time to update or make changes to this Privacy Policy. BOSS reserves the right to do so at any time and will post a notice on its websites when there has been an update. It may also, where appropriate, issue e-mail notifications to its members where there is a material change. Please check the BOSS privacy policy regularly, and prior to entering any personal data.