Under the UK GDPR and EU GDPR, certain organisations are legally required to appoint a Data Protection Officer (DPO). This obligation applies when an organisation is (1) a public authority, (2) undertaking large-scale, regular, and systematic monitoring of individuals, or (3) processing large-scale special category data such as health, biometric, or genetic information.
Fernox has reviewed these requirements in the context of our business operations. While we do store and process a large volume of water testing data, the information is recorded primarily at the property address level. This data does not reveal an individual’s physical or mental health status and is therefore not classified as “special category” under the GDPR. We also do not conduct behavioural profiling or continuous monitoring of individuals — our data processing is focused on water quality results for properties, not on tracking people’s actions or health conditions.
Although some records may be associated with registered industry professionals who use our services, this processing is limited to standard business contact information and is not large-scale special category processing. As such, Fernox does not meet the legal thresholds that make the appointment of a DPO mandatory.
Nevertheless, we take our data protection obligations seriously and have internal departments to oversee data security, legal/privacy-related matters, to oversee compliance, respond to data subject requests, and act as a point of contact with the Information Commissioner’s Office (ICO) if needed.
By taking this approach, Fernox ensures we meet all our legal responsibilities under the GDPR while remaining proportionate to the nature of the data we handle.
For more information, you can review the Fernox Privacy Policy and Fernox App Terms & Conditions.
