HETAS Privacy Notice

HETAS is a not for profit organisation which offers a Competent Person Scheme for installers of wood, biomass and solid fuel heating as well as other registration schemes for retailers, chimney sweeps and servicing technicians, a range of training courses, and approval of appliances and fuels.  

We understand that your privacy is important to you. This privacy notice explains how HETAS will use your data, how we keep it secure, and when we may need to share it with others. We are listed with the Information Commissioner’s Office (ICO) as a “controller” of the personal information that you provide to us. We follow the requirements of the EU General Data Protection Regulation (GDPR) which is mandatory in the UK from 25th May 2018. 

Personal Data we collect 

When you are a customer of a registered business 

If you are a customer of a HETAS-registered business, we may receive information about the provision of that service or product which could include some of your personal data (as defined by GDPR). This is what we record: 

  • Installations notified to HETAS – when a HETAS Registered Installer self-certifies that an installation is compliant with regulations, they notify HETAS of the installation details: 
  • For all notifications – property address, appliance(s) installed, date of installation 
  • Where applicable – address to send certificate (if different from installation address) 
  • Optional – installers may provide HETAS with contact details for the work – customer name, phone number and email. Typically for these items, the installer business will be Data Controller and HETAS would be in the role of Data Processor.  
  • HETAS inspections – when a HETAS Approved Inspector carries out a site visit to assess a registrant’s work, or is involved in investigating a safety incident, typically this data will be recorded and shared with the Approved Inspector: 
  • Property address 
  • Contact details (name and phone number) for the appointment 
  • Date(s)/time(s) for the appointment 
  • Details of the installation or other work at that property – typically, the appliance(s), date of installation, relevant property construction information, commissioning process and/or maintenance regime  
  • Comments on the usage/operation of fuels or appliances 
  • Where applicable, report of concerns raised about safety and compliance 
  • Where applicable, record that a Warning Notice has been issued to the owner/user. 

If you raise a complaint about a HETAS-registered business, we will ask for your contact details and for full information on your complaint. If we decide we need to investigate further, we will request further information on the installation/product/service. Where applicable, we may seek evidence from other businesses who have been involved.  

HETAS also manages a whistleblower process so that concerns about potential breaches of regulations and unsafe practices can be reported. Some of these cases may involve consumers who have not used HETAS-registered businesses. We record:  

  • Name and contact detail of the whistleblower  
  • Names and contact details of consumers affected 
  • Names and details of suppliers/installers including (where applicable) businesses and individuals not registered with us 
  • Further background on incidents or concerns.  

When you make enquiries with us 

You may make an enquiry with HETAS, by phone, email, webform or post, giving your contact details and explaining your enquiry. 

If you visit the HETAS website to find information, in running and maintaining our websites we may collect and process data about you. Please refer to our website privacy and cookie policy here: https://www.hetas.co.uk/privacy-policy/ 

When you apply for HETAS registration 

When you apply to join one of the HETAS schemes (including listings run by us on behalf of regulatory authorities), renew your registration, take one of our training courses, or give us your details for an event or another industry activity, we collect the following personal information: 

  • Name, address, email address and phone number 
  • Photograph of the applicant 
  • National insurance number 
  • Company details and your role within it 
  • Qualifications and membership of relevant trade bodies 
  • Details of insurance policies held 
  • Payment details (i.e. bank account number, sort code, card details) 

If a registrant does not provide us with all of the personal information that we need to enable us to deliver a specific scheme, that may prevent us from accepting application and it may affect the services and benefits we can deliver. 

Information from other sources 

As well as information about you supplied by you, for the purposes of assessing scheme applicants or registrants, we may receive supporting information on finances, individuals’ competence and business conduct. These sources may include: 

  • Public information on your website(s), webpages, social media or internet listings  
  • HETAS inspectors and auditors 
  • Training Centres and awarders of qualifications 
  • Businesses registered/registering with us, who wish to include you on their registration 
  • Professional bodies  
  • Other certification or assessment bodies who operate or support registration schemes  
  • Companies House, for limited companies and directorships 
  • Credit rating agencies and court judgements 
  • Local Authorities, or other enforcement bodies  
  • Customers of your work  
  • Whistleblowers who raise concerns about your suitability to be registered on our schemes 
  • Current or prior employers in the industry. 

Copies or notes of information received may be retained by us with your application or registration records. 

Reasons why we need your personal information  

Necessary for contract 

As a Certification Body, our purpose is to assess against criteria to allow for an assessment of competence and compliance.  To do this, certain information must be collected.  We collect personal information so that we can award qualifications, manage your registration, administer HETAS certificates and deliver goods and services that are purchased from us. HETAS uses this information to: 

  • For registrants, assess your eligibility to meet the scheme requirements of our schemes 
  • Provide training certificates and supporting documentation 
  • Provide scheme services and registration documentation.  
  • List registrant business details and categories of registration, for potential customers, on our public websites and (where applicable) in printed directories  
  • For installations notified to HETAS, process any Local Authority notification and/or consumer certification required in that region 
  • Process payments of scheme fees and other items purchased from HETAS 
  • Manage registration account(s) including annual renewal communications and reminders of scheme requirements 
  • Set up your online account(s), enabling you to access services and manage your preferences 
  • Organise inspections and events. 
  • Process shop payments and deliver goods 

Legal obligations 

HETAS is named by statute as a Competent Person Scheme (CPS) operator in the Building Regulations for England and for Wales. HETAS Registered Installers can self-certify installation work in various categories. The CPS rules set wide-ranging requirements for use of data including:  

  • Ensure customers of installations get certificates of Building Regulations compliance 
  • Ensure each Local Authority is notified of installations self-certified in their area 
  • Monitor registered installers 
  • Offer an effective complaints service to recipients of self-certified installations 
  • Periodic reporting to government 
  • Accreditation by the United Kingdom Accreditation Service (UKAS) that HETAS operates to the required standards. 
  • HETAS are contracted by Department for Environment, Food and Rural Affairs (Defra) to run the assessment of Appliances and Fuels under the Clean Air Act 1993 
  • The Companies Act 2006 requires us to maintain accounts for our businesses, and related documents including income and payment records 
  • Trading Standards may require witness statements from us, in criminal proceedings such as unauthorised use of logos/marks and enforcement of consumer protection legislation. 

Legitimate interests 

We also process and store the personal information of consumers in pursuit of our organisation’s legitimate interests, as defined under GDPR. The following are business activities of HETAS, in our role as safety and standards organisation, which use personal information about consumers, candidates, applicants, registrants and members of the industry: 

  • Assess applicants/registrants – check whether the work and/or products of applicants/registrants comply with regulations and with scheme rules. This may involve getting feedback from consumers. We may request inspections/audits on-site at those businesses’ customers. We may ask you to comment on whether faults have been rectified 
  • Certificates – issue consumers with HETAS installation certificates, if requested, including property address, appliance(s) and date completed. If you ask for a replacement for the original certificate, we may ask you for evidence that you are the customer or owner/occupier/user of the installation 
  • Complaints – investigate complaints received over the work done (or the products supplied) by scheme applicants, current registrants or ex-registrants 
  • Whistleblowing – investigate allegations over the work done (or the products supplied) by businesses or individuals in the industry 
  • Safety assurance – where there are serious safety concerns relating to the work done (or products supplied) by a business or individual, we may endeavour to contact relevant consumers from our records, in order to:  
  • Seek evidence on the work/product of the business/individual being investigated 
  • Request permission for an inspection, audit or quality check  
  • Alert consumers to possible safety risks, and suggest next steps. 
  • Unauthorised use of brands and marks – investigate whether businesses or individuals are falsely claiming to have accreditation from HETAS. 
  • Periodic reminders – alert consumers that chimney sweeping, maintenance or audit may be due 
  • Public awareness – share information publicly on safety campaigns and technical developments in the industry  
  • Industry statistics – collate reports and analyse industry trends, and share with government departments, Local Authorities or other trade bodies 
  • Respond to your questions, suggestions and feedback. 

Opt-in consent 

We may ask you if we can process your personal information for other purposes, such as for direct marketing. Where we do so, we will seek your opt-in consent, in accordance with GDPR. As an example, we may ask your consent to be contacted by HETAS Insurance Services (a trading name of Rhino Trade Insurance) about industry-specific insurance and risk products. 


Personal data we publish 

HETAS publish details online of registered businesses, so that consumers and prospective customers can search for a supplier or validate the credentials of a business or tradesperson. We may issue printed listings with some of the same information, and we also answer similar requests by phone or email. Note that Registered Businesses not wishing to be listed publicly must make that request in writing giving their justification for their details not being available to consumers.  

How we protect your data 

HETAS do not publish listings of consumers. If we want the opportunity to publish details of your case, or photographs (or other material) supplied by you, to support HETAS campaigns, we will ask your permission in advance.  

Sharing your data with other businesses 

To facilitate HETAS schemes, it is often necessary to share your information with third party service providers. These suppliers may process personal information on our behalf for purposes requested by us and are subject to written contractual conditions. This includes but not limited to: 

  • HETAS Inspectors 
  • Database maintenance  
  • HETAS website provider 
  • Accountancy processing 
  • Secure third party payment processing ie Paypal 
  • Marketing and SMS third party tools 
  • Providers of postal fulfilment 
  • Legal advice  

Where your personal information is stored 

HETAS stores your personal information on servers, email accounts and scheme databases which are protected in secure environments hosted in the UK. Your data is accessed by our staff and contractors only for the purposes set out above. Where printed files are required, these are stored at secure business premises. 

How long we keep your personal information 

As a safety and standards organisation, our policy on retention of consumer data is summarised here: 


Personal Data 

Period retained 

Financial – sales of certificates, purchases, registration 

Payments and orders from consumers or businesses 

Seventh financial year after the transaction 


Property address 

Contact information 



Work/product at property 



Remedial work and progress 

The latter of:  

  • Seven years after the visit/testing took place  
  • Two years after HETAS last operates a scheme in that category 

Training course candidates 

Contact information 


NI number 

Evidence of eligibility 


The latter of:  

• Six years after their last training course  

• Two years after HETAS last offers training in that category 

Businesses/operatives accredited with HETAS or seeking accreditation 

Contact information 


NI number 

Application and assessments 

Evidence of competence 

Registration history 

Notifications and work record 



The latter of:  

• Seven years after their last registration expired or was cancelled  

• Two years after HETAS last operates a scheme for that trade 

Installations notified through HETAS 

Property address 

Contact information 

Work at property 


The latter of:  

  • Seven years after the installation was notified  
  • Two years after HETAS last operates a scheme in that category 

Complaints or whistleblowing 

Contact information 


Case reviews 


Insurance policies/claims 


The latter of: 

  • Seven years after the complaint was raised  
  • Two years after HETAS last operates a scheme in that category 


Where personal data is processed and retained by HETAS solely for the purposes of providing listing or other services to a regulatory authority, that data will be deleted (or returned to that authority) if instructed by the authority. 

Summary of Your Rights under GDPR 

Under the GDPR, as a data subject you have the right to:  

  • Request access to, deletion of, or correction of, your personal data held by us 
  • Complain to a supervisory authority 
  • Be informed of what data processing is taking place 
  • Restrict processing and/or object to processing of your personal data 
  • Data portability. 

To enforce any of the foregoing rights or if you have any other questions about our use of your data or this Privacy Policy, please contact us using the details set out below. 

Special GDPR restrictions would apply if we wished to automate decision-making about individuals or to “profile” them based on personal data. Decisions at HETAS are made by staff and are not automated. We do not profile individuals.  

This section should be read in conjunction with our GDPR policy document.  

Your communication preferences 

If you would like to request changes to your contact settings, or if you want to know more about the data we hold on you, or have any queries about our privacy notice, this is how you can get in touch: 

  • To unsubscribe from HETAS newsletters, click on “unsubscribe” at the foot of any of the emails  
  • Email our dedicated mailbox for any GDPR queries, including requests to change or delete your personal data, or confirmation of the data which we hold: [email protected] 
  • Call us on 01684 278170 
  • Contact us in writing at Severn House, Unit 5, Newtown Trading Estate, Green Lane, Tewkesbury GL20 8HD. 

If you are dissatisfied with our protection of your personal data, you have the right to raise a complaint with the Information Commissioner’s Office at www.ico.org.uk 










Data Processing Annexe 


Data Protection Legislation: (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998. 

1 Data Protection 

1.1 In so far as required, both parties agree that they will comply with all applicable requirements  of the Data Protection Legislation. This Annexe is in addition to, and does not relieve, remove or  replace, a party’s obligations under the Data Protection Legislation 

1.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the business  registered with or applying to the scheme (“the Registrant”) is the data controller and HETAS is the data processor (where Data Controller and Data Processor have the meanings as defined  in the Data Protection Legislation). Schedule 1 sets out the scope, nature and purpose of processing by HETAS, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, Personal Data) and categories of Data Subject. 

1.3 Without prejudice to the generality of clause 1.1, the Registrant will ensure that it has all  necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to HETAS for the duration and purposes of this agreement. 

1.4 Without prejudice to the generality of clause 1.1, HETAS warrants and undertakes that it shall, in relation to any Personal Data processed in connection with the performance by HETAS of its  obligations under this agreement: 

(a) conform to the HETAS Consumer Privacy Notice in processing the data detailed in Schedule 1. 

(b) if additional processing is required beyond what is stated in 1.4 (a) above, process that  Personal Data only on the written instructions of the Registrant unless the Provider is  required by the laws of any member of the European Union or by the laws of the European  Union applicable to the Provider to process Personal Data (Applicable Laws). Where the Provider is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Provider shall promptly notify the Registrant of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from so notifying the Registrant; 

(c) ensure that it has in place appropriate technical and organisational measures to protect  against unauthorised or unlawful processing of Personal Data and against accidental loss or  destruction of, or damage to, Personal Data, appropriate to the harm that might result from  the unauthorised or unlawful processing or accidental loss, destruction or damage and the  nature of the data to be protected, having regard to the state of technological development  and the cost of implementing any measures (those measures may include, where appropriate,  pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability  and resilience of its systems and services, ensuring that availability of and access to Personal  Data can be restored in a timely manner after an incident, and regularly assessing and  evaluating the effectiveness of the technical and organisational measures adopted by it); 

(d) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; 

(e) not transfer any Personal Data outside of the European Economic Area; 

(f) assist the Registrant, at the Registrant’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 

(g) notify the Registrant without undue delay on becoming aware of a Personal Data breach; 

(h) at the written direction of the Registrant, delete or return Personal Data and copies thereof to the Registrant on termination of the agreement unless required by Applicable Law to store the Personal Data; and maintain complete and accurate records and information to demonstrate its compliance with this Annexe (and allow for audits by the Registrant or the Registrant’s designated auditor). 

1.5 The Registrant consents to HETAS appointing third-party processors of Personal Data under this  agreement. A list of the third-party processers is included in HETAS’s Consumer Privacy Notice.  HETAS confirms that: 

(a) it has entered or (as the case may be) will enter with the third-party processors into a written  agreement substantially on that third party’s standard terms of business or incorporating  terms which are substantially similar to those set out in this Annexe 

(b) as between the Registrant and HETAS, HETAS shall remain fully liable for all acts or omissions  of any third-party processor appointed by it pursuant to this Annexe 

(c) if HETAS changes the third-party processors that it uses under this agreement, a notice will  be shown in the HETAS Consumer Privacy Notice at least 30 days before the change. To  object to changes in sub-processing, Registrants can write to HETAS describing their reasons for objection within 14 days of the notice. HETAS will resolve the objection by correcting our use of the third-party processor, or by deleting any data supplied by you under this Annexe which is not required for legal obligations as set out in the Consumer Privacy Notice 

1.6 Each party agrees to indemnify and keep indemnified and defend at its own expense the other  party against all costs, claims, damages or expenses incurred by the other party or for which the  other party may become liable due to any failure by the first party or its employees or agents to  comply with any of its obligations under this Annexe. 




Schedule 1 – Processing, Personal Data and Data Subjects 1 Processing by HETAS 

1.1 Scope 

In connection with operating HETAS schemes, receive and process details of properties and customers 

1.2 Nature 

Ensure notification of installations to Local Authorities 

Ensure customers of installations get certificates of Building Regulations compliance Assess Registrants for compliance with scheme rules 

1.3 Purpose of processing 

Comply with the requirements of the Building Regulations Comply with the mandatory requirements to operate the Competent Person Scheme and other regulated schemes 

Monitor registrants for compliance with scheme rules Safety and efficiency within the industry 

1.4 Duration of the processing 

(a) During the period the Registrant is registered with HETAS 

(b) If the Registrant is no longer registered with the HETAS scheme to which this Annexe applies,  HETAS may retain and use the data in accordance with the HETAS Retention Policy 

(c) For applicants to the scheme, for the period the application to HETAS is processed and recorded 

2 Types of personal data 

Property address, appliance(s) installed, date of installation. 

Where applicable – address to send certificate (if different from installation address) Contact details for the customer – name, phone number and/or email address Usage/operation of fuels and/or appliances 

Arrangements for inspections/audits, including address, contact details, and available date(s)/ time(s) to visit, and (where applicable) 

Customer complaints, or concerns raised about safety and compliance 

3 Categories of data subject 

Customers of a HETAS-registered business or applicant Customers of a Woodsure-registered business or applicant Users of an appliance, fuel or product. 


HETAS, Severn House, Unit 5 Newtown Trading Estate, Green Lane, Tewkesbury, GL20 8HD