Collection / Processing Data

Legal Basis for Processing Your Information

To ensure compliance under the General Data Protection Regulation, our department is required to notify users of the Lawful Basis upon the processing of personal data. For more information on the lawful basis as well as the General Data Protection Act, please see the Information Commissioner’s Office webpage.

Throughout this statement and for each area of data processing; Estates, Facilities and Residences are required to consider the lawful basis, which includes:

Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

Contract: the processing of personal data is necessary for a contract you have with the individual or an individual has asked you to take specific steps before entering a contract.

Legal obligation: the processing of personal data is necessary for you to comply with the law (excluding contractual requirements).

Vital interests: the processing of personal data is necessary in order to protect someone’s life.

Public task: the processing of personal data is necessary in order to perform a task in the public’s interest or for official functions; both of which must have a clear basis is law.

Legitimate interests: the processing of personal data is necessary for legitimate interests of us or a third party company unless there is good reason to protect an individual’s personal data. This cannot apply to public authorities processing data to perform official tasks.

Collection of Personal Data

As a department, in order to provide our products and services, we collect and process personal data from our customers. We may collect data such as (but not limited to): full name, email address, mailing address, phone number, date of birth, gender, payment information, employment information, medical / health information, Aberystwyth University IT account information and UCAS Personal ID number.

You are not required to provide us with all the personal data listed above however, if you do not do so, we may not be able to provide you with our products and services. 

Use of Information

Your personal data may be used for the following circumstances:

• To provide our products and services to you.

• To improve our products and services (eg by performing internal research). We may seek your participation in optional surveys, focus groups and / or other initiatives which may help us gather information to do this.

• To carry out reactive or scheduled maintenance / inspections.

• To process payments; both to you and from you.

• For internal purposes such as website, system administration or internal audits and reviews.

• To communicate with you regarding products / services that may be of interest including relevant advertisements when you visit our sites or third party sites (including social media).

• To respond to any requests / enquiries you may have.

• To respond to any situations where the Terms and Conditions of the Accommodation Licence Agreements have been breached.

Currently, none of this data is subject to automated decision-making processes and no data is transferred outside the EU for processing or any other purposes.

How Long We Keep Data for

We retain information for as long as you have a Licence with us, and a minimum of 12 months after but not longer than the current academic year plus 5 years following the termination of the Licence. However, this period of retention is dependent on the data’s purpose and core function and is subject to our review and alteration. 

Sharing and Disclosure to Third Parties

Your personal data may be disclosed to third parties due to the following circumstances:

• You request or authorize us to disclose specific personal data to third parties.

• The data is needed to comply with applicable law(s) (eg search warrant, subpoena or court order).

• We need to provide data to our agents, vendors or service providers who perform functions on our behalf. We require that our third-party service providers only use personal data to provide the requested services. Each service provider is subject to a set of terms consistent with this Privacy Policy:

  1. Hosting providers for the secure storage / transmission of data.
  2. Identity management providers for authentication purposes.
  3. Database software providers for the management / tracking of data.
  4. Legal and compliance consultants such as: external counsel, external auditors or tax consultants.
  5. Marketing providers who send communications on our behalf regarding our products and services.
  6. Payment solution providers for the secure processing of payments you provide to us.
  7. Fulfilment / postal vendors for the fulfilment of our products and services.

From time to time, Dyfed Powys Police (or other Police forces) may contact Estates, Facilities & Services to formally request data on students. For more information on the University’s procedure for dealing with these requests, please see the Police Enquiries webpage.

The identity and categories of such third parties may change during the period of your engagement with us.  

Communication Preferences

We strive to provide you with relevant and useful information related to our products and services. You can contact us using the contact information listed on this page to make any changes to your communication preferences. We will only communicate with you electronically if; it directly relates to products and services which we are supplying or intent to supply to you or if you have positively consented to us sending you marketing information.

Subject Access / User Rights

As a user of our products and services and under the General Data Protection Regulation, you are provided with the following rights:

• The right to be informed of the use of your personal data.

• The right to access your personal data.

• The right to have personal data corrected / rectified.

• The right to have personal data erased.

• The right to restrict the processing of our personal data.

• The right to data portability.

• The right to object to processing your personal data.

• Any rights in relation to automated decision making and profiling.

For further information, please see the Data Subjects’ Rights webpage.