Business Enquirer and Prospect Privacy Notice
A privacy notice that details how Newcastle University collects and processes personal information relating to a business enquirer or prospect.
1. Data Controller
University of Newcastle upon Tyne (“we”, “our”, “us”, “The University”) processes personal data in accordance with our obligations under the General Data Protection Regulations (‘GDPR’) and is a registered Data Controller (Registration Number Z5470161) with the Information Commissioner’s Office (‘ICO’), which is the supervisory authority responsible for the oversight and enforcement of Data Protection Legislation within the United Kingdom.
2. How is your personal data collected?
We use different methods to collect data from and about you including through:
- Digital forms, and surveys for the purpose of providing information about the University service, your enquiry, or event that you have registered for.
- Correspondence with us by face to face, phone, email, live chat, social media or otherwise.
- As you interact with our websites, we may automatically collect data about your device, IP address, and browsing patterns we collect this by using opt-in cookies.
- The University’s CRM automation systems also use email tracking pixels.
4. Where we get your personal data and for what purpose?
We will only use collect and use your personal data when the law allows us to. Most commonly we will use your personal data in the following circumstances:
- Where you consented to the processing.
- Where it necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We have set out below, in a table format, a description of all the ways weuse your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Purpose/Activity | Type of Data | Lawful basis for processing including basis of legitimate interest. |
---|---|---|
We would also like to use your detailsyou have consented to provide us to contact you, to respond to your enquiry in the future about events, activities, and other general information about engaging with the University. | Communications, Contact | Consent |
To provide personalised content on our website or other communications platforms. | Communications | Consent |
We process data for internal reporting, monitoring, and research as part of our public tasks. This may also include Public interest archiving, scientific and historical research or statistical analysis including equality and diversity monitoring | Identity | Public Task |
Anonymising and sharing with social media platforms to see if the adverts have been successful (you cannot be identified) and to serve you or similar audiences with more relevant messages. | Communications, Profile | Legitimate Interests |
Enhancing our service; tomeet our interests of understanding who our prospective students and contacts are and to enhance the journey towards making an application. | Profile | Legitimate Interests |
Providing statistics for management and business intelligence reports on the effectiveness of an event and or communications activity. | Profile | Legitimate Interests |
We may monitor or record phone calls to our admissions or clearing line in case we need to resolve queries or issues. Calls may be monitored for staff training purposes, where applicable we will take appropriate measure to ensure that sensitive data is not recorded. | Profile | Legitimate Interests |
Photographs, video, and audio may be taken at events for use in marketing materials, including on our website and on social media. Where you are not the subject of the image, i.e. if it is a “group” or “crowd” photograph, we may use such images without requiring your consent, however, where you are the subject, you will be asked to provide explicit consent to use the image. | Profile | Legitimate Interests |
Anonymising and sharing with social media platforms to see if the adverts have been successful (you cannot be identified) and to serve you or similar audiences with more relevant messages. | Profile, Communication | Legitimate interests |
We track email open and click through rates, user’s browser and device, IP address and location to review communications for reporting purposes and to ensure the University does not spam disengaged contacts. | Profile | Legitimate interests |
We process some data because there is a legal obligation to (e.g. UKVI) or because we are required toprovide equality monitoring statistics. | Identity, profile | Legal Obligation |
5. Where do we securely process and store your personal data?
5.1 Within the UK and EEA
All personal data is processed by Newcastle University staff based in the UK however for the purposes of IT hosting and maintenance this information is located on servers within the EEA.
5.2 Outside the UK and EEA
The following systems and purposes are exceptions where data is located on servers not based within the EEA to facilitate specific operational purposes e.g. event registration and specific CRM systems for managing, processing your personal data:
HubSpot - We use forms created by HubSpot. HubSpot’s product infrastructure is hosted on Amazon Web Services (AWS) in the United States East region. HubSpot leverages the Google Cloud Platform (GCP) in the EU (Frankfurt, Germany region) to support the processing of local customer data that is critical to its customers' businesses.
These solutions providehigh levels of physical and network security and well as hosting provider vendor diversity. HubSpot’s AWS cloud server instances reside in US locations; GCP cloud instances reside in Germany. Both providers maintain an audited security program.
Where processing takes place with an external third party, processing takes place under an appropriate agreement outlining their responsibilities to ensure that processing is compliant with the Data Protection legislation and verified to be secure.
5.3 Payment processing
Where applicable, any credit/debit card details provided will be stored in full compliance with PCI-DSS requirements.
6. Sharing your personal data with third parties
Your personal information will only be disclosed to third parties where we have an appropriate lawful basis to do so, which may include the following:
- With third parties who securely process data on our behalf in order tofacilitate our relationship with you, such as software service providers providing externally hosted software solutionse.g.VFairs.
- With Social Media Providers so that we can communicate with you, promote tailored advertising to you, to assess your social media interactions to promote our services to you and with others you interact with on social media to inform our advertising campaigns to create look-a-like audiences with the data you provide.
- With internet search engine providers such as Google to inform our advertising campaigns to create look-a-like audiences with the data you provide.
- IT Service providers (e.g. the provision of University email services; recruitment and customer relationship management services);
Any other disclosures that may be required, but not listed above will only ever be in accordance with your rights and the requirements of the GDPR.
When it is necessary to share your data with organisations outside of the EEA, we will ensure that appropriate safeguards are in place to protect your personal data.
7. How long we hold personal data?
Personal data is retained for as long as it is required to fulfil the purpose for which is it held and then to fulfil any legal requirements.
Any information we use for marketing purposes will be kept by us until you notify us that you no longer wish to receive this information. To withdraw or amend your contact methods at any time either click the link at the bottom of an email from us or contact us on email; consent.options@ncl.ac.uk and we will endeavour to action this within 2 working days.
8. How we store your information?
We have appropriate security measures in place to protect personal data, taking account of the nature of the data and the harm that might be caused if it were lost. These security measures will be tested regularly, assessed, and evaluated to ensure they maintainan appropriate level of security for personal data.
Personal data will be accessible only to those people who need to use it as part of their work. Unauthorised or unlawful access to, use or disclosure of personal data may lead to disciplinary action, and in some cases could be considered as gross misconduct. In serious cases it could also be a criminal offence.
We will provide prompt and effective notification to the relevant supervisory authority and to data subjects, where necessary, in the event of a personal data breach. We will cooperate fully with any regulatory investigations that result from a breach.
9. Your rights under GDPR
Under the GDPR, you have a number of rights in relation to the processing of your personal information, each of which may apply to differing degrees’ dependent upon the nature of the processing and the legal basis for it. You have the right to:
- Be informed as to how we use your data (via this privacy notice)
- Request access (a copy) of the personal information that we hold about you.
- Correct inaccurate or incomplete data
- Request that we stop sending you direct marketing communications.
- In certain circumstances, you may have the right to:
- Ask to have your data ‘erased.
- Request is to restrict the processing of your personal data.
- Request that data you provided electronically to us be returned in as a data file
- Object to certain processing of your personal data by us
In some cases, there may be specific exemptions as to why we aren’t able to comply with some of the above. Where this is the case, we will explain the reasons why.
In order to exercise any of the above rights, please visit https://www.ncl.ac.uk/data-protection/access-personal-data/
10. Further information
If you would like to discuss this further, please contact us on rec-man@ncl.ac.uk. If you would like more information about how we manage personal data more generally, including your rights under law, and the contact details of the University’s Data Protection Officer, visit our Data Protection website.
11. Lodging a complaint with the Information Commissioners Officer (ICO)
If you are unhappy with our use or storage of your data, you have the right to complain to the Information Commissioner's Office (ICO) about this. Please see the ICO website for more details of how to complain.