Privacy notices explain what personal information or “data” an organisation holds about you, and how that data is stored, used and kept safe. Personal data is any information, held in any form, that relates to you as an identifiable individual. It does not include data where the identity has been removed (anonymous data). There are "special categories" of more sensitive personal data which require a higher level of protection.
We have divided our privacy notice into sections to make it easier to read only the sections relevant to you, please be aware that multiple sections may apply depending on your relationship with the University. The content of this page and all the paragraphs included in it apply equally to, and should be read in conjunction with, all the other sections.
If you would like a privacy notice in another format (for example: audio or large print), please contact us.
The University of Essex is an exempt charity, and our registered address is Wivenhoe Park, Colchester, CO4 3SQ. The University of Essex is registered as a Data Controller with the UK’s Information Commissioner’s Office (ICO). Registration Number: Z699129X.
University of Essex Campus Services is a wholly-owned subsidiary company of the University. It is a private limited company and its company number is 02534817. University of Essex Campus Services is registered as a Data Controller with the UK’s Information Commissioner’s Office (ICO). Registration Number: ZA559904.
Wivenhoe House Hotel is also a wholly-owned subsidiary of the University and its registered company number is 07075571. Wivenhoe House Hotel Limited is registered as a Data Controller with the UK’s Information Commissioner’s Office (ICO). Registration Number: ZA057051.
In these notices “we” means the University of Essex and our wholly owned subsidiaries University of Essex Campus Services (UECS) and WHH Ltd, and “you” can mean you as a member of staff, student, visitor or other individual depending on your relationship with the University.
We will comply with UK General Data Protection Regulations and Data Protection Act 2018 which we refer to as “data protection law”. We will follow other jurisdiction’s data protection requirements where required. Data Protection law says that the personal information we hold about you must be:
In addition to this, the ‘Accountability Principle’ requires that we take responsibility for how we comply with the principles and demonstrate that compliance.
We, and those that process personal data on our behalf, must have a lawful basis or ground for processing before we can process personal data. In each of our separate privacy notices we have set out the specific lawful basis for processing your personal data.
The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever we process your personal data:
If we are processing special category data (sensitive data that require additional protection), we use additional legal bases. These additional lawful bases for processing are set out in Article 9 of the UK GDPR. At least one of these conditions must apply whenever we process your special category personal data:
If we are relying on conditions (b), (h), (i) or (j), we also need to meet the associated condition in UK law, set out in Part 1 of Schedule 1 of the Data Protection Act 2018. We may also process criminal offence data and are required to meet the legal basis in Article 6 as well as a specific condition for processing in Schedule 1 of the DPA 2018.
We have an Appropriate Policy Document (.docx) which sets out how we comply with the additional requirements on special category and criminal offence data.
Under data protection law, you have rights including:
You will generally not have to pay a fee to access your personal information (or to exercise any of the other rights). If you make a request, we have one month to respond to you. We may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Please see our policy on Data Rights for further information. If you wish to exercise any of your rights, or have any questions about your rights, please contact the Data Protection Officer at email@example.com.
We may have to share your data with third parties, including third-party service providers and suppliers.
We require third parties to respect the security of your data and to treat it in accordance with the law.
If we have to transfer any of your personal data outside the UK we ensure the receiving country or organisation is deemed to have adequate data protection provision. Where a country or organisation does not have adequate protections we will put safeguards in place. Details of these safeguards can be provided to you upon request.
Our privacy notices will set out more details about whom we will share data with.
We have put in place measures to protect the security of your information.
Where third parties have access to your data, we will provide instructions for them to process your personal information only on in accordance with our instructions, and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a relevant business need. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. The University’s overarching approach to data protection is set out in our Data Protection Policy.
We have appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO at firstname.lastname@example.org
If we have to transfer any of your personal data outside the European Economic Area (EEA) we ensure the receiving country or organisation is deemed to have adequate data protection provision. Where a country or organisation does not have adequate protections, we will put safeguards in place. Details of these safeguards can be provided to you upon request.
We may contact corporate contacts with unsolicited marketing. Our legal basis for this is legitimate interests and we comply with the Privacy and Electronic Marketing Regulations (PECR) by only contacting corporate subscribers and always offering an opt out.
If you are dissatisfied with the way the University of Essex has processed your personal data, or if have any questions or concerns about your data please contact email@example.com. If we are not able to resolve the issue to your satisfaction, you have the right to complain to the Information Commissioner’s Office (ICO). They can be contacted at https://ico.org.uk/make-a-complaint/
The ICO’s address:
Information Commissioner’s Office
Helpline: 0303 123 1113
This privacy notice was published on Monday, 31 January 2022. We may change this privacy notice from time to time. Last revised 20 December 2023.