This Privacy Notice applies from 8 April 2019.

Privacy policy

Who we are

The Office of Product Safety and Standards (OPSS) is part of the Department for Business, Energy and Industrial Strategy (BEIS) and responsible for operating the Cosmetic product notifications service. The OPSS is the data controller for the Cosmetic product notifications service. The Cosmetic product notifications service is a new system for maintaining a database of cosmetic products in the UK.

Our Privacy Commitment

OPSS is committed to protecting your privacy. This “Privacy Notice”, explains what personal information we collect about you either directly or indirectly and how we use, share and look after that information for the Cosmetic product notifications service. We encourage you to review this Privacy Notice carefully. In addition to the commitments set out in this Privacy Notice, we operate in accordance with a set of data privacy rules which apply to the processing of all personal data by the entire Department of BEIS. These privacy rules can be found at the BEIS Personal Information Charter.

Other Websites

This Privacy Notice only applies when you are using the Cosmetic product notifications service and alternative privacy notices may apply when you are using other sections of For example, if you are using the OPSS section of, the following privacy notice will apply.

What Personal Data is

Personal Data is any information which we collect about you that can be used to identify you and includes any information, such as your name, address, IP address.

It is our intention to provide you with as much information as possible about what we do with that Personal Data, so that when you provide the Personal Data to us, you do so with an awareness of how it will be used.

What Personal Data we collect

We collect the following Personal Data:

  • name, email address and telephone number of all users who create an account
  • address and name of the ‘Responsible Person’
  • name, email address and phone number of the ‘contact person’
  • questions, queries or feedback you might provide if you contact us
  • internet Protocol (IP) address, and details of which version of web browser used.
  • information on how the site, cookies and page tagging techniques are used (please see the analytics section below for more information).

What Special Categories Personal Data we collect

We do not process Special Categories Personal Data in relation to the Cosmetic product notifications service. If this changes you will be notified of the details of any such processing and the legal basis on which we rely to do so.

How we collect your Personal Data

We collect Personal Data from various sources including:

  • from you directly when you use the Cosmetic product notifications service
  • from third parties who are acting on your behalf when they use the Cosmetic product notifications service

How we use your Personal Data

We use your information for the following purposes:

  • to identify and/or contact you and/or your company to monitor compliance with legislation (i.e. manufacturing cosmetic products safely).
  • to identify and/or contact you and/or your company for potential enforcement action relating to a cosmetic product.
  • to contact about healthcare issues relating to a cosmetic product.

How we use analytics

We may use analytics software, such as Google Analytics, to collect information about how the website is used. We do this to help make sure the site is meeting the needs of its users and to help us make improvements, for example improving site search. Google Analytics stores information about: the pages you visit, how long you spend on each page, how you got to the site, and what you click on while you’re visiting the site. We do not collect or store your personal information as part of the analytics process so this information cannot be used to identify who you are. We also collect data in order to: improve the site by monitoring how you use it, gather feedback to improve our services, for example our email alerts, respond to any feedback you send us, if you’ve asked us to, send email alerts to users who request them, allow you to access the Cosmetic product notifications service and enter data as well as provide you with information.

What Legal Basis we rely on

For all processing of Personal Data in relation to the Cosmetic product notifications service our legal basis for processing is the performance of a task in the public interest that is set out in law and is statute based namely the draft Product Safety and Metrology etc. (Amendment) (EU-Exit) Regulations 2019.

How we share your data

We share your personal data (specifically contact person, and Responsible Person) in the following ways:

  • With the National Poisons Information Service (NPIS) for healthcare purposes
  • With Market Surveillance Authorities for investigating or alerting people to product safety issues
  • Where we use third party service providers who process personal data on our behalf in order to provide services to us, for example, our IT services provider
  • With scientific advisers that offer opinions to the Secretary of State on cosmetic ingredients
  • With other government departments for reporting purposes
  • If we are required to do so as part of our regulatory oversight enforcement operations or by law – for example, by court order, or to prevent fraud or other crime.

We ensure that any third parties with whom we share Personal Data to process it on our behalf adopt equivalent or superior data protection standards to our own.

How we transfer your Personal Data overseas

We do not send or store your Personal Data outside of the European Economic Area. If this changes you will be notified of the details of any such transfer and the adequacy mechanisms put in place to ensure the security of your Personal Data.

How long we keep your Personal Data

We will only retain your Personal Data for as long as it is needed for the purposes set out in this document or the law requires us to. We may retain it for a longer period if directed to do so by law enforcement authorities and/or in connection with criminal proceedings.

Where your Personal Data is processed and stored

We choose our systems carefully to make sure that your data is as safe as possible while under our control. Your Personal Data will be hosted using a Platform as a Service product located in the UK and will not be stored outside of the UK at any time.

How we protect your Personal Data and keep it secure

We are committed to doing all that we can to keep your Personal Data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your Personal Data, for example, we protect your data using varying levels of encryption and run regular penetration tests to assess our security standards.

Your information rights

You have a number of rights in relation to your personal data. These include the right to:

  • be informed about how we use your personal data;
  • obtain access to your personal data that we hold;
  • request that your personal data is corrected if you believe it is incorrect, incomplete or inaccurate;
  • request that we erase your personal data in the following circumstances:
    • if we are continuing to process personal data beyond the period when it is necessary to do so for the purpose for which it was originally collected;
    • if we are relying on consent as the legal basis for processing and you withdraw consent;
    • if we are relying on legitimate interest as the legal basis for processing and you object to this processing and there is no overriding compelling ground which enables us to continue with the processing;
    • if the personal data has been processed unlawfully (i.e. in breach of the requirements of the data protection legislation);
    • if it is necessary to delete the personal data to comply with a legal obligation;
  • ask us to restrict our data processing activities where you consider that:
    • personal data is inaccurate;
    • our processing of your personal data is unlawful;
    • where we no longer need the personal data but you require us to keep it to enable you to establish, exercise or defend a legal claim;
    • where you have raised an objection to our use of your personal data;
  • request a copy of certain personal data that you have provided to us in a commonly used electronic format. This right relates to personal data that you have provided to us that we need in order to perform our agreement with you and personal data where we are relying on consent to process your personal data;
  • object to our processing of your personal data where we are relying on legitimate interests or exercise of a public interest task to make the processing lawful. If you raise an objection we will carry out an assessment to determine whether we have an overriding legitimate ground which entitles us to continue to process your personal data;
  • not be subject to automated decisions which produce legal effects or which could have a similarly significant effect on you

Changes to this policy

We may change this privacy policy. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy policy will apply to you and your data immediately. If these changes affect how your Personal Data is processed, OPSS will take reasonable steps to let you know.

You can see previous versions of this page.

Contact us or make a complaint

Contact the Data Protection Officer (DPO) if you have any questions about anything in this document or think that your Personal Data has been misused or mishandled.

BEIS Data Protection Officer,

Department for Business, Energy and Industrial Strategy,

1 Victoria Street, London SW1H 0ET


You can also make a complaint to the Information Commissioner, who is an independent regulator.


Telephone: 0303 123 1113

Textphone: 01625 545860

Monday to Friday, 9am to 4:30pm

Information Commissioner’s Office

Wycliffe House

Water Lane


Cheshire SK9 5AF

Last updated: 8 April 2019

Cookies policy

What are cookies?

Cookies are small text files that are saved on your device to help the website perform a number of functions. On your first visit to our website, a popup banner asked you to accept our use of cookies and similar technologies. The information these cookies collect is based on your browsing device’s IP-address (hardware identifier).

What do the cookies do?

The cookies we use:

DO NOT: store personally identifiable information about you; store information such as passwords (and cannot) allow us to access other information stored on your device, store information about you others could understand, compromise your security

DO: allow us to see how many people use our website and monitor their activities; allow us to see how people arrive at our site (e.g. via search engine); allow us to gather geographic location and browser information.

What cookies does this website use?

This website uses two types of cookies:

  1. Persistent cookies, which remain on your device to capture and remember your preferences (if chosen) for any future re-visit (e.g. your location).
  2. Session cookies, which are deleted when your browser is closed. These cookies are used for analytical services provided by Google Inc. in the US on our behalf. The analysis allows an insight into where and how our website is used so that we can continuously work on its improvement. Google will not associate your IP address with any other data held by Google. However, if you do not wish to be part of this analysis, feel free to amend your browser settings or to opt-out.

The cookies we use, what they are used for and how long they remain on your device are set out below:

Google Analytics

Name Purpose Lifetime of cookie
_ga This helps us count how many people visit our site by tracking if you’ve visited before. 2 years
_gid This helps us count how many people visit our site by tracking if you’ve visited before. 24 hours
_gat Used to manage the rate at which page view requests are made. 1 minute

Cosmetic product notifications service

Name Purpose Lifetime of cookie
_cosmetics_session This stores information relating to recent actions that have been taken. For example, partial information from a wizard. When you close your browser

You can opt out of Google Analytics cookies.

How are cookies deleted?

To delete or stop cookies being placed on your device, please check the help menu of your internet browser. Blocking cookies may reduce the functionality of this website.

For more information

To learn more about cookies and similar technologies, we recommend you visit: