Skip to main content

Data privacy notice

The Data Innovation Accelerator at Cardiff University is committed to protecting the rights of individuals in line with the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR).

We will keep the information supplied to us by enquirers, event attendees, members of our mailing lists, recipients of a data innovation health check or collaborative research partners confidential and will not disclose it to any third party, unless we are required to do so by law, or have received consent.

For data the Welsh Government or the Welsh European Funding Office (WEFO) requires the Data Innovation Accelerator to collect (Section A below), the Welsh Government is the data controller and the Data Innovation Accelerator is the data processor. The Data Protection Officer for the Welsh Government can be contacted at

For other personal data collected by the Data Innovation Accelerator (Section B below), Cardiff University is the data controller and has a dedicated Data Protection Officer with the following contact details:

A. Data which we are required to collect on behalf of the Welsh Government and WEFO

As the Data Innovation Accelerator is part-funded by the European Regional Development Fund (part of the EU Structural Funds 2014-2020 programme), we are obliged to report on our activities to the Welsh European Funding Office (WEFO). These reports will include data relating to a) the monitoring data laid out in the Structural Funds definitions and b) information requirements under the Eligibility rules and conditions for EU funds support.

Monitoring data

This includes Enterprise (company) level data which contains contact details for a named individual in the enterprise. If we give your company a data innovation health check and/or carry out a collaborative research project with you, we will ask you for this monitoring data using our ‘Enterprise data collection form’. For further information visit the Welsh Government webpages on monitoring and evaluation.

Eligibility information

If we give your company a data innovation health check and/or carry out a collaborative research project with you, we will need to ask you for a range of information so as to demonstrate to WEFO that we have used ERDF funding to support businesses in Wales.

See more information on the required data collected under the Eligibility rules and conditions.

For Cardiff University to satisfy the above requirements and process your data on behalf of WEFO, we collect the following personal information from enterprises who wish to receive support or are supported by the Data Innovation Accelerator:

  • Name of enterprise lead contact/ technical officers/ employees involved in the project;
  • Work contact details and job/role title of personnel involved in the project;
  • Total monthly employment costs attributed to a collaborative research project of relevant personnel, including payslips if required to be used as evidence of match funding;
  • Preferred language of communication of enterprise lead contact; and
  • Collective anonymous equal opportunities data relating to enterprise owners/directors/senior managers including gender, ethnic origin, age group, number who consider themselves disabled and competency levels of the Welsh language.

In the event of employment creation as a direct result of the support provided to your enterprise by the Data Innovation Accelerator, the following additional personal information is requested:

  • Job/role title of those employed by the enterprise as a direct result of the support received;
  • Gender of first post holder for those employed by the enterprise as a direct result of the support received; and
  • Salary scales of the first post holder for those employed by the enterprise as a direct result of the support received.

B. Data which is collected and processed by the Data Innovation Accelerator

Direct Marketing

Cardiff University collects, stores and uses information for the purposes of marketing and communications.  We do this in order to give companies in the East Wales region the opportunity to engage with us by: hearing about our data science activities and our events; learning about Cardiff University’s wider offering for businesses; staying in touch after our collaboration has ended.

The information about you and your company will be:

  • Name and contact details of individuals who make enquiries to the Data Innovation Accelerator via meetings, telephone or email and/or who self-register for events and/or join our mailing list; and
  • Name and contact details of named individuals within organisations with whom we make contact by telephone, email or post where appropriate.

We will keep your name and contact details in our secure database and will contact you, primarily by email, with news from the project or invitations to project events.

Cardiff University may use third party processors such as Eventbrite and Mailchimp for event organisation and material distribution, which may involve international data transfer. Both Eventbrite and Mailchimp participate in and comply with the EU-US. Privacy Shield Framework and have privacy policies which address data protection requirements.

See Eventbrite's Security and Safety Guide

See Mailchimp's privacy policy

Individuals who have subscribed to the mailing list purely for marketing or communications purposes can unsubscribe from the mailing list at any time by contacting

Administration and management of the Data Innovation Accelerator

If you engage with the Data Innovation Accelerator (via dialogues with our staff, and/or a ‘data innovation health check’ and/or a collaborative project) or if you sign up to the mailing list via the Data Innovation Accelerator website, when necessary, personal information will be shared internally within the faculties and departments across the University. Such sharing will be subject to confidentiality protocols and access restrictions.

Please note that, due to the nature of the Data Innovation Accelerator’s funding from the Welsh Government, your details will be shared with the Welsh Government and with external evaluators contracted by the University to carry out independent external evaluation of the Data Innovation Accelerator. Welsh Government may share your data with contractors acting on its behalf for the purposes of research, evaluation and verification regarding financial support for the EU Structural Funds.

Welsh Government or such a contractor acting on its behalf will follow appropriate ethical guidance in any research or evaluation study undertaken. All information about you provided to the Welsh Government or a contractor acting on its behalf by Cardiff University will be treated in the strictest confidence. The findings of research and evaluation studies will not identify individual participants/enterprises.

Cardiff University is obliged to retain records of all aid awarded under the De Minimis Regulation for 10 years from the date on which the last individual aid is granted by the Data Innovation Accelerator.

Why we collect personal information

We collect personal information for the following reasons:

  • To help us evaluate eligibility for Data Innovation Accelerator support according to WEFO and ERDF funding compliance requirements and the Data Innovation Accelerator’s project approval process. This helps us to ensure value for money through selection of enterprises with potential to obtain optimum benefit from working with us and to achieve maximum impact on the Welsh economy. The Welsh Government may share data with audit teams to help determine whether applicable regulations are being complied with.
  • To monitor and evaluate projects at Data Innovation Accelerator management and governance boards and as part of our external evaluation. This helps us to assess the effectiveness of working practices, delivery of projects and project outputs and impacts in line with funding requirements.
  • To keep in touch and provide you with broad support, informing you of the Data Innovation Accelerator’s news, events and highlights that could benefit your company.
  • To maintain an up-to-date record of Cardiff University’s interactions with businesses.
  • To report to the Welsh Government and the European Commission for regulatory operation monitoring, claim and audit purposes.

The Welsh Government uses this data to monitor and evaluate EU funds in Wales as laid out in its Monitoring and Evaluation Strategy. WEFO may share monitoring data (including individual participant records) with commissioned research organisations interviewing participants so that they can talk to them about their experiences. Not everyone who engages with the Data Innovation Accelerator will be contacted. If you are contacted by researchers, the purpose of the research will be explained to you and you will be given the option of not taking part in the research. The research organisations will delete your contact details once the research is complete.

The Welsh Government uses eligibility information to verify eligibility of enterprises, activity and expenditure.

The legal basis for processing personal data

Data which we are required to collect on behalf of WEFO (Section A above)

The relevant section of the GDPR for collecting personal data in relation to the Structural Funds is Article 6(1)(e) where:

“processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller”.

The European Regulations governing Structural Funds give the Welsh Government official authority to process the personal data referred to above. Article 54(2) of Regulation (EU) No 1303/2013 common provisions on the European Structural and Investment Funds (CPR Regulation) states that “Member States shall provide the resources necessary for carrying out evaluations, and shall ensure that procedures are in place to produce and collect the data necessary for evaluations, including data related to common and where appropriate programme-specific indicators.”

Data which is collected and processed by the Data Innovation Accelerator (Section B above)

As above the relevant section of the GDPR for collecting personal data is Article 6(1)(e) where:

“processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller”. Cardiff University is a public research institution established by Royal Charter and this activity falls within its remit to advance knowledge by research and to contribute to the social, cultural and economic development of Wales and the UK.

Processing falls in line with the University’s data protection policy.

Storage and security of data

Data Protection legislation requires us to keep your information secure. This means that your confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Only members of staff who need access to relevant parts or all of your information will be authorised to do so.

Information about you in electronic form will be accessible to a restricted pool of project and other University staff, while paper files will be stored in secure areas with controlled access.

Some processing may be undertaken on the University’s behalf by an organisation contracted for that purpose. Organisations processing personal data on the University’s behalf will be bound by an obligation to process personal data in accordance with Data Protection legislation.

The data will be held for the duration of the Data Innovation Accelerator operation and for a reasonable period of time upon its conclusion (to at least 31 December 2023) to comply with regulatory audit and document retention requirements and European funding obligations.

The University has an Information Security Policy and associated policies.

Your rights

Where Cardiff University is relying on consent to process personal data, individuals have the right to withdraw their consent and can do so by contacting:

You have a right to access your personal information, to object to the processing of your personal information, to rectify, to erase, to restrict and to port your personal information.

Please see Cardiff University’s data protection information at  for further information in relation to your rights.

Any requests or objections should be made in writing to:

Assurance Service - Data and Information
Cardiff University
Friary House
Greyfriars Road
CF10 3AE

If you are unhappy with the way in which your personal data has been processed you may in the first instance contact the Cardiff University Data and Information Assurance Service using the contact details above.

If you remain dissatisfied then you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at:

Information Commissioner’s Office,
Wycliffe House,
Water Lane,

Your responsibilities

Please advise of any changes to your name, address, contact details as soon as practically possible so that we can amend our records accordingly.

Freedom of information

Cardiff University is designated as a public authority for the purposes of the Freedom of Information Act 2000 and Environmental Information Regulations 2004 and is therefore subject to receiving requests for recorded information.  Freedom of Information or Environmental Information requests will be responded to in line with the provisions of the relevant legislation.