Skip to main content

Data protection notice for enquirers and professional partners

This notice sets out how the university deals with the personal information of people:

  • who make enquiries for information on studying at the University
  • who make enquiries for information, or to book, events being run by the University
  • who have a professional relationship with the university (such as lay members of boards, teachers, careers advisers, collaborators, external assessors, professional partners/learners etc.)
  • who sign up to receive marketing information from us

If you apply to the university or become a student your information will be dealt with under our Applicant and Student Data Protection notice.

Identity and contact details of the Data Controller

As a Data Controller, Cardiff University is legally responsible for processing your personal data in accordance with Data Protection legislation. This notice may be updated from time to time to ensure continued compliance with current legislation and to reflect best practices.

The University is registered as a Data Controller with the Information Commissioner's Office (ICO) to process personal data. Reg no Z6549747.

What personal information do we collect about you?

At initial enquiry, you will be asked for your name and contact details (this could be postal, email or other electronic means).

On some occasions where we might wish to monitor the demographics of enquirers and requirements of attendees at events you may be asked to voluntarily supply further information such as:

  • your gender
  • your age or date of birth
  • your nationality
  • your access requirements
  • your dietary requirements

We may also collect:

  • equality of opportunity monitoring data which will include sensitive categories of data (e.g. ethnicity, religion, sexual orientation)
  • how  your studies are funded, including fee information and any sponsorship details
  • details of your qualifications achieved and details of any professional body registration
  • details of any academic support provided

Where do we get your personal data from?

  • From you when you contact us for information on our services and provide preferences and requirements where you attend our events
  • From third-party organisations (e.g. student recruitment communications agencies). When we obtain your personal data from third-party sources, we will undertake the necessary checks to ensure that the transfer of your personal data to us is lawful

What is our legal basis for processing your personal data?

There are several legal ways in which we can process the most relevant data:

Legal basisExplanation

(1)

By enquiring or by booking to attend an event, we will be required to collect, store, use and otherwise process information about you for any purposes deemed necessary for entering into or for the performance of your contractual agreement with the university. See GDPR Article 6(1)(b).

(2)

The university will obtain consent from you. See GDPR Article 6(1)(a).

(3)

Processing of your personal data may also be necessary for the pursuit of our legitimate interests or by a third party’s legitimate interests - but only where the processing does not fall within our core public function, is not unwarranted and will not cause a prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. See GDPR Article 6(1)(f).

(4)

Processing of your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the university (see GDPR Article 6(1)(e)) and for statistical and research purposes. See GDPR Article 89.

(5)

Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.

(6)

Processing of Special Categories data is necessary for statistical and research purposes in accordance with Article 89(1) based on the duties in the Equality Act 2010. See GDPR Article 9(2)(j).

For what purposes will your information be used?

  • to provide you with any advice and information which you have requested (2)
  • to consider and provide support for disability or health-related adjustments (5)
  • where you have opted into marketing, to contact you with further information we think you might be interested based on, where possible, your chosen preferences (2)
  • to support the constitutional framework and facilitate roles as members of boards (4,3)
  • to monitor the effectiveness of marketing material by analysing opened mail returns and click-throughs (3)
  • in some instances where you may have supplied further information, to monitor equality of opportunity (5,6)
  • to update you on activities within the University in which you have shown an interest previously (3)
  • to undertake trend analysis and to seek feedback from you regarding service delivery and improvement (3)
  • to provide you with information on events which you have booked and to provide suitable facilities and dietary requirements (1, 3, 5, 6)
  • to occasionally serve you with relevant digital advertising on platforms such as Facebook, Instagram, Twitter, Snapchat or TikTok (3)
  • to create lookalike audiences to advertise to users with similar characteristics on platforms such as Facebook, Instagram, Twitter, Snapchat or TikTok. You can update your preferences by accessing your privacy settings on these sites (3)

Where you have made an application to the University, see the Applicant and Student data privacy notice.

Who will have access to your data?

Employees within the University will have access to your data if they need to do so to perform their roles within the University. Only members of staff who need access to relevant personal data will be authorised.

Sharing information with others

Where necessary the University will disclose, outside the University, relevant items of your personal data.

Disclosure toDetails
NHS Test, Trace, Protect ServiceWhen you attend an event in person, we may provide your name and contact number to comply with COVID-19 regulations.
Professional bodies (e.g. Solicitors Regulation Authority)To confirm your qualifications, accredit your course and, where required, maintain the standards of the profession. We may also share de-identified demographic information where required to fulfil equality of opportunity monitoring obligations.
FundersTo monitor and report your attendance and further professional development need to maintain the standards of the profession. We may also share de-identified demographic, reach and course performance information where required to fulfil funders' monitoring obligations.

For general enquiries, we will not share your details with any other organisation outside of the University unless this is necessary to fulfil your enquiry.

For information supplied for attendance at an event, we may share it with partners who have organised or funded the organisation of an event.

Any disclosures that the University makes will be in accordance with Data Protection legislation and your interests will always be considered.

How long your information will be held?

Cardiff University will retain your personal information in line with the University's Records Management Policy and Records Retention Schedules.

Security of your information

Data Protection legislation requires us to keep your information secure. This means that your confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Information about you in electronic form will be subject to password and other security restrictions, while paper files will be stored in secure areas with controlled access. You can find out more by referring to the University's Information Security Policies.

Some processing may be undertaken on the University’s behalf by an organisation contracted for that purpose. Organisations processing personal data on the University’s behalf will be bound by a contractual obligation to process personal data under data protection legislation and the University's instructions.

Where you provide us with equality of opportunity monitoring data this will be collected in a way which restricts the possibility of identification. It will be held securely and deidentified as soon as possible after collection with access restricted to members of staff who perform this task.

Your rights

Further information on your rights can be found on the University's website.

Under Data Protection legislation you have a qualified right to a copy of your personal data held by the University. Any request for such a copy should be made to the Data Protection Officer under a Subject Access Request.

If we are relying on your consent to receive marketing information you have the right to withdraw this consent at any time. If you wish to withdraw your consent you should be able to do so by unsubscribing to emails via the link included in the last email you received or by contacting the department of the university who contacted you directly.

Do we transfer information to other countries outside the UK?

Generally, the information you provide to us is stored on our secure servers or our cloud-based systems. These are located within the UK or in countries/areas which are considered to have adequate privacy and information security provisions, such as the EEA. However, there are times when we will need to store information outside these locations and where we do we will carry out transfer risk assessments where required to ensure that appropriate security measures are taken to protect your privacy rights. This may mean imposing contractual obligations on the recipient of your personal information where no other relevant safeguards exist. Technical measures such as encryption will also be considered.

How to raise a concern or complaint

If you still have queries, concerns, or wish to raise a complaint details of how you can contact the University data protection officer and Information Commissioner’s Office are available on Data protection.

Updated: February 2023