Skip to main content

Enquirers data protection notice

This notice sets out how the University deals with personal information of people:

  • who make enquiries for information on studying at the University
  • who make enquiries for information, or book onto, events being run by the University
  • who have a professional relationship with the University (such as teachers, careers advisers, collaborators, professional partners etc.)
  • who sign up to receive marketing information from us.

If you apply to the University or become a student your information will be dealt with in accordance with our Applicant and Student Data Protection notice.

Identity and contact details of the Data Controller

As a Data Controller, Cardiff University is legally responsible for processing your personal data in accordance with Data Protection legislation. This notice may be updated from time to time to ensure continued compliance with current legislation and to reflect best practice.

The University is registered as a Data Controller with the Information Commissioner's Office (ICO) to process personal data. Reg no Z6549747.

What personal information do we collect about you?

At initial enquiry you will be asked for your name and contact details (this could be postal, email or other electronic means).

On some occasions where we might wish to monitor the demographics of enquirers and requirements of attendees at events you may be asked to voluntarily supply further information such as:

  • your gender
  • your age or date of birth
  • your nationality
  • your access requirements
  • your dietary requirements.

What is our legal basis for processing your personal data?

There are a number of legal ways in which we can process you’re the most relevant of which are data set out below:

Legal basisExplanation


By making an enquiry or by booking to attend an event, we will be required to collect, store, use and otherwise process information about you for any purposes deemed necessary for the purpose of entering into or for the performance of your contractual agreement with the University.  See GDPR Article 6(1)(b).


The University will obtain consent from you . See GDPR Article 6(1)(a).


Processing of your personal data may also be necessary for the pursuit of our legitimate interests or by a third party’s legitimate interests - but only where the processing does not fall within our core public function, is not unwarranted and will not cause a prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. See GDPR Article 6(1)(f).


Processing of your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University (see GDPR Article 6(1)(e)) and for statistical and research purposes. See GDPR Article 89.


Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.


Processing of Special Categories data is necessary for statistical and research purposes in accordance with Article 89(1) based on the duties in the Equality Act 2010. See GDPR Article 9(2)(j).

For what purposes will your information be used?

  • to provide you with any advice and information which you have requested (2)
  • where you have opted in to marketing, to contact you with further information we think you might be interested based on, where possible, your chosen preferences (2)
  • to monitor the effectiveness of marketing material by analysing opened mail returns and click-throughs (3)
  • in some instances where you may have supplied further information, to monitor equality of opportunity (5,6)
  • to update you on activities within the University to which you have shown an interest previously (3)
  • to undertake trend analysis and to seek feedback from you regarding service delivery and improvement (3)
  • to provide you with information on events which you have booked onto and to provide suitable facilities and dietary requirements (1, 3, 5, 6)
  • to occasionally serve you with relevant digital advertising on platforms such as Facebook, Instagram, Twitter, Snapchat or TikTok (3)
  • to create lookalike audiences for the purposes of advertising to users with similar characteristics on platforms such as Facebook, Instagram, Twitter, Snapchat or TikTok. You can update your preferences by accessing your privacy settings on these sites. (3)

Where you have made an application to the University please see the Applicant and Student data privacy notice.

Who will have access to your data?

Employees within the University will have access to your data if they need to do so to perform their roles within the University. Only members of staff who need access to relevant personal data will be authorised.

For general enquiries, we will not share your details with any other organisation outside of the University unless this is necessary in order to fulfil your enquiry.

For information supplied for attendance at an event, we may share with partners who have organised or funded the organisation of an event.

Any disclosures that the University makes will be in accordance with Data Protection legislation and your interests will always be considered

How long your information will be held?

Cardiff University will retain your personal information in line with the University Records Management Policy and Records Retention Schedules.

Security of your information

Data Protection legislation requires us to keep your information secure. This means that your confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Information about you in electronic form will be subject to password and other security restrictions, while paper files will be stored in secure areas with controlled access. You can find out more by referring to the University Information Security Policies.

Some processing may be undertaken on the University’s behalf by an organisation contracted for that purpose. Organisations processing personal data on the University’s behalf will be bound by an obligation to process personal data in accordance with data protection legislation.

Your rights

Further information on your rights can be found on the University website.

Under Data Protection legislation you have a qualified right to a copy of your personal data held by the University. Any request for such a copy should be made to the Data Protection Officer under a Subject Access Request.

If we are relying on your consent to receive marketing information you have the right to withdraw this consent at any time. If you wish to withdraw your consent you should be able to so by unsubscribing to emails via the link included in the last email you received or by contacting the department of the University who contacted you directly.

How to raise a concern or complaint

If you still have queries, concerns or wish to raise a complaint details of how you can contact the University data protection officer and Information Commissioner’s Office are available on our Data protection page.

Updated: June 2018