Skip to main content

Data protection notice for enquirers and professional partners

This notice sets out how the university deals with personal information of people:

  • who make enquiries for information on studying at the university
  • who make enquiries for information, or book onto, events being run by the university
  • who have a professional relationship with the university (such as lay members of boards, teachers, careers advisers, collaborators, external assessors, professional partners/learners etc.)
  • who sign up to receive marketing information from us

If you apply to the university or become a student your information will be dealt with in accordance with our Applicant and Student Data Protection notice.

Identity and contact details of the Data Controller

As a Data Controller, Cardiff University is legally responsible for processing your personal data in accordance with Data Protection legislation. This notice may be updated from time to time to ensure continued compliance with current legislation and to reflect best practice.

The university is registered as a Data Controller with the Information Commissioner's Office (ICO) to process personal data. Reg no Z6549747.

What personal information do we collect about you?

At initial enquiry you will be asked for your name and contact details (this could be postal, email or other electronic means).

On some occasions where we might wish to monitor the demographics of enquirers and requirements of attendees at events you may be asked to voluntarily supply further information such as:

  • your gender
  • your age or date of birth
  • your nationality
  • your access requirements
  • your dietary requirements

We may also collect:

  • equality of opportunity monitoring data which will include sensitive categories of data (e.g. ethnicity, religion, sexual orientation)
  • how  your studies are funded, including fee information and any sponsorship details
  • details of your qualifications achieved and details of any professional body registration
  • details of any academic support provided

What is our legal basis for processing your personal data?

There are a number of legal ways in which we can process you’re the most relevant of which are data set out below:

Legal basisExplanation


By making an enquiry or by booking to attend an event, we will be required to collect, store, use and otherwise process information about you for any purposes deemed necessary for the purpose of entering into or for the performance of your contractual agreement with the university. See GDPR Article 6(1)(b).


The university will obtain consent from you. See GDPR Article 6(1)(a).


Processing of your personal data may also be necessary for the pursuit of our legitimate interests or by a third party’s legitimate interests - but only where the processing does not fall within our core public function, is not unwarranted and will not cause a prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. See GDPR Article 6(1)(f).


Processing of your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the university (see GDPR Article 6(1)(e)) and for statistical and research purposes. See GDPR Article 89.


Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.


Processing of Special Categories data is necessary for statistical and research purposes in accordance with Article 89(1) based on the duties in the Equality Act 2010. See GDPR Article 9(2)(j).

For what purposes will your information be used?

  • to provide you with any advice and information which you have requested (2)
  • to consider and provide support for disability or health related adjustments (5)
  • where you have opted in to marketing, to contact you with further information we think you might be interested based on, where possible, your chosen preferences (2)
  • to support the constitutional framework and facilitate roles as members on boards (4,3)
  • to monitor the effectiveness of marketing material by analysing opened mail returns and click-throughs (3)
  • in some instances where you may have supplied further information, to monitor equality of opportunity (5,6)
  • to update you on activities within the university to which you have shown an interest previously (3)
  • to undertake trend analysis and to seek feedback from you regarding service delivery and improvement (3)
  • to provide you with information on events which you have booked onto and to provide suitable facilities and dietary requirements (1, 3, 5, 6)
  • to occasionally serve you with relevant digital advertising on platforms such as Facebook, Instagram, Twitter, Snapchat or TikTok (3)
  • to create lookalike audiences for the purposes of advertising to users with similar characteristics on platforms such as Facebook, Instagram, Twitter, Snapchat or TikTok. You can update your preferences by accessing your privacy settings on these sites (3)

Where you have made an application to the university please see the Applicant and Student data privacy notice.

Who will have access to your data?

Employees within the university will have access to your data if they need to do so to perform their roles within the university. Only members of staff who need access to relevant personal data will be authorised.

Sharing information with others

Where necessary the university will disclose, outside the university, relevant items of your personal data.

Disclosure toDetails
NHS Test, Trace, Protect ServiceWhen you attend an event in person, we may provide your name and contact number in order to comply with COVID-19 regulations.
Professional bodies (e.g. Solicitors Regulation Authority)In order to confirm your qualifications, accredit your course and, where required, in order to maintain the standards of the profession. We may also share deidentified demographic information where required to fulfil equality of opportunity monitoring obligations.
FundersTo monitor and report your attendance and further professional development needs in order to maintain the standards of the profession. We may also share deidentified demographic, reach and course performance information where required to fulfil funders' monitoring obligations.

For general enquiries, we will not share your details with any other organisation outside of the university unless this is necessary in order to fulfil your enquiry.

For information supplied for attendance at an event, we may share with partners who have organised or funded the organisation of an event.

Any disclosures that the university makes will be in accordance with Data Protection legislation and your interests will always be considered.

How long your information will be held?

Cardiff University will retain your personal information in line with the university Records Management Policy and Records Retention Schedules.

Security of your information

Data Protection legislation requires us to keep your information secure. This means that your confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Information about you in electronic form will be subject to password and other security restrictions, while paper files will be stored in secure areas with controlled access. You can find out more by referring to the university Information Security Policies.

Some processing may be undertaken on the university’s behalf by an organisation contracted for that purpose. Organisations processing personal data on the university’s behalf will be bound by a contractual obligation to process personal data in accordance with data protection legislation and the university's instructions.

Where you provide us with equality of opportunity monitoring data this will be collected in a way which restricts the possibility of identification. It will be held securely and deidentified as soon as possible after collection with access restricted to members of staff who perform this task.

Your rights

Further information on your rights can be found on the university website.

Under Data Protection legislation you have a qualified right to a copy of your personal data held by the university. Any request for such a copy should be made to the Data Protection Officer under a Subject Access Request.

If we are relying on your consent to receive marketing information you have the right to withdraw this consent at any time. If you wish to withdraw your consent you should be able to so by unsubscribing to emails via the link included in the last email you received or by contacting the department of the university who contacted you directly.

Do we transfer information to other countries outside the UK?

Generally, information you provide to us is stored on our secure servers, or on our cloud-based systems. These are located within the UK or in countries/areas which are considered to have adequate privacy and information security provisions, such as the EEA. However, there are times when we will need to store information outside these locations and where we do we will carry out transfer risk assessments where required to ensure that appropriate security measures are taken to protect your privacy rights. This may mean imposing contractual obligations on the recipient of your personal information where no other relevant safeguards exist. Technical measures such as encryption will also be considered.

How to raise a concern or complaint

If you still have queries, concerns or wish to raise a complaint details of how you can contact the university data protection officer and Information Commissioner’s Office are available on our Data protection page.

Updated: February 2023