Privacy Policy

This Privacy Policy includes important information regarding an individual’s personal data and should be read carefully. The British Oil Security Syndicate (BOSS) takes the privacy of personal data very seriously, and this Policy sets out how and why BOSS collects, handles, stores and disposes of an individual’s personal data (as defined by legislation). BOSS may also collect non-personal data during the course of its activities, which is excluded from this policy.

Who we are

The British Oil Security Syndicate is a trade organisation that works to reduce forecourt crime, working closely with Police and its members, who are primarily petrol retailers in the UK. It provides a variety of services to its membership for the prevention and detection of crime and the reduction of financial loss, including schemes to recover outstanding fuel debts from customers who either did not have the means to pay at the time for fuel drawn, or have left the site with an outstanding debt for fuel drawn. In order to provide these services, it is necessary for the British Oil Security Syndicate (BOSS) to either obtain information from its customers or utilise personal data (vehicle registration numbers) to contact the registered keepers in order to resolve outstanding debts. In addition to customers, BOSS also gathers personal data from its members and their employees to manage and maintain the activities provided. As such, BOSS is deemed to be both a Controller and a Processor of personal data.


BOSS also works with Police forces nationally and shares information and data where a crime, aggravating circumstances or multiple offences have been identified.


This privacy policy outlines how BOSS fulfils its responsibilities under legislation and satisfies the following principles:

  • Lawfully collects personal data
  • For legitimate purposes
  • Data is adequate and relevant
  • Data is accurate and up to date
  • Only retained for as long as necessary
  • Recognises a Data Subject’s rights
  • Securely stored
  • Retained within the EEA only


This policy applies to all BOSS staff, agents and sub-contractors and to its operations which include:

  • Forecourt Watch
  • Payment Watch
  • Membership management

Lawful and legitimate basis for processing of personal data

BOSS operates schemes for its membership to reduce crime and financial loss on petrol stations which include the recovery of debts for fuel drawn by customers which remain outstanding at the time the customer leaves the petrol station.


All data collected are used either:

  • for the recovery of debts
  • as witnesses
  • the subsequent prosecution of multiple offenders in conjunction with the police
  • where it is deemed that a crime or fraud has been committed
  • membership management


BOSS therefore lawfully collects data on the following bases:


BOSS obtains consent to collect personal data either through appropriate documentation completed and signed by the customer at the point of sale or through acceptance of electronic messaging on its website.

Legitimate Interests

In certain circumstances BOSS is unable to obtain consent from customers, such as under its Forecourt Watch scheme. Where fuel is drawn and is not paid for at the time, the individual petrol station investigates the matter and obtains a vehicle registration and make, model and colour details, plus a description of the customer along with CCTV images. This data is used to obtain registered keeper details via the DVLA, where BOSS is a registered and authorised trade organisation adhering to its rules of disclosure.

Types of relevant Data

In conducting its business, BOSS and/or its agents process the following data:


Activity: Forecourt Watch (Recovery of outstanding debts at the time fuel is drawn and no details are given)

Type of data collected:

  • Vehicle registration number
  • Vehicle colour, make, model
  • CCTV
  • Gender / Description
  • Registered keeper details inc. name and address
  • Multiple offender data

Activity: Payment Watch (Where a customer does not have means to pay for fuel drawn and provides personal data to the site and enters into a contract to pay)

Type of data collected:

  • Name
  • Address
  • Tel. No
  • E-Mail address
  • Vehicle registration number
  • Vehicle colour, make, model
  • CCTV
  • Gender / Description
  • Multiple offender data

Activity: Membership

Type of data collected:

  • Name
  • Address
  • Tel. No
  • E-Mail address



Current and Accurate

BOSS and its sub-contractors obtain personal data from its member sites either electronically or via paper-based documentation and process the data as soon as possible to minimise the risk of data becoming aged. Where personal data provided to BOSS by the petrol station are found to be inaccurate, steps are taken with the petrol station to review and correct the data as soon as the error has been identified and to cease further inaccurate processing.

The petrol retailer carries out checks prior to reporting incidents to BOSS to minimise errors and inconvenience to customers.


Personal data are only retained for as long as is necessary for BOSS to carry out its objectives. The length of time that data is required varies depending upon a number of factors:

  • Whether the customer pays a debt within agreed timescales
  • Length of time to obtain contact details for the customer
  • Whether or not multiple offences exist for the same person
  • Whether other aggravating circumstances exist

BOSS retains personal data, however obtained, for a maximum period of one year, after which the likelihood of the data becoming inaccurate increases and data is destroyed using secure methods such as shredding or deletion.

Subject Access Rights

All data subjects have the right to request from BOSS what data are held about them and how and why it is processed. Data Subjects can also ask BOSS to correct, update or delete any inaccurate personal data processed. BOSS operates a Subject Access Request process that enables all data subjects to access this information. The data subject must:


  • Make the request in writing – either by e-mail to or by post to its registered office at Greville House, 10 Jury Street, Warwick. CV34 4EW
  • Provide appropriate identification in support of their request
  • Pay an administration fee of £10


On receipt of the above, BOSS will:

  • Release, delete or update the information on the data subject where appropriate
  • Comply with any request within 40 days from receiving the written request


Right to erasure of data (to be forgotten)

All data subjects have the right to request the deletion or removal of personal data where there is no compelling reason to continue processing the data. BOSS will remove data upon request subject to:


  • Not being subject to a legal obligation to retain it
  • Where the data is being processed to recover an outstanding debt consistent with a lawful and legitimate basis as referred to in this document


Secure storage

BOSS, its agents and sub-contractors obtain personal data either electronically, on paper or as a mixture of both, and take care to ensure that all reasonable steps are taken to protect personal data against loss, misuse or inadvertent disclosure.


All data are stored on the BOSS Electronic Reporting System (ERS), which is password protected and access controlled and is protected against malicious attack, theft and hacking. Data are transferred to agents and sub-contractors in accordance with this policy. Data are only stored on secure servers housed in the UK and no data are sent outside the EEA. Staff access to personal data is limited to authorised users and staff are prohibited from copying data. Computers are housed in secure locations and data are backed up daily.

Paper based

All personal data sent to, or by BOSS are stored in secure cabinets or facilities. Wherever possible personal data is scanned to the ERS and paper-based documentation is shredded afterwards.

Data Sharing

BOSS, its sub-contractors and agents process personal data consistent with its stated legitimate purposes. It will share data with police forces where a crime or aggravating circumstances are suspected or multiple offences constituting fraud are identified, or where a legitimate specific request is made.

BOSS may also disclose personal data if required to do so by law, a court, a government agency or other legitimate reason.


A “cookie” is a piece of software that attaches to the hard drive of your computer and remembers information about the configuration of your computer. This website uses cookies to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping baskets, and provide anonymised tracking data to third-party applications like Google Analytics. As a rule, cookies will make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. We suggest consulting the Help section of your browser or taking a look at the About Cookies website, which offers guidance for all modern browsers.

Please refer to the separate Cookie Policy for more information about the use of cookies.


This Privacy Policy does not apply in the following circumstances:

Third Party Links

This Privacy Policy applies only to data collected by BOSS and its agents and sub-contractors. Links to third-party websites outside the control of BOSS are excluded from this policy and users should check individual Privacy Policies.

Aggregated personal data

BOSS regularly carries out research and analysis to identify patterns which may include personal data collected. As this data is aggregated it does not identify any individual personally and is therefore not deemed to be personal data as referenced in this policy.


BOSS does not knowingly collect personal data from children under thirteen years of age. Its services and membership are aimed at an entirely different audience.


Policy Changes and Updates

This policy is regularly reviewed, and it may be necessary from time to time to update or make changes to this Privacy Policy. BOSS reserves the right to do so at any time and will post a notice on its websites when there has been an update. It may also, where appropriate, issue e-mail notifications to its members where there is a material change. Please check the BOSS privacy policy regularly, and prior to entering any personal data.

