Data Protection Information

Estates, Facilities and Residences Department - Privacy Notice

Name: Maria Ferreira, Operations Manager

Address: Estates, Facilities and Residences Department, Aberystwyth University, Cwrt Mawr Amenity Block, Penglais Campus, Aberystwyth, Ceredigion, SY23 3AN

Telephone number: 01970 621660/621947



We respect your right to privacy and manage your personal data in line with our responsibilities under the United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018). This privacy notice provides the information required by the UK GDPR about the personal data that we collect from you and how we may use your information.

For further information, view Aberystwyth University’s Data Protection Policy.

As a department, in order to provide our products and services, we collect and process personal data from our staff, students, service providers and visitors.  We may collect data such as (but not limited to): full name, email address, mailing address, phone number, date of birth, gender, payment information, employment information, medical / health information, Aberystwyth University IT account information and UCAS Personal ID number.

You are not required to provide us with all the personal data listed above however, if you do not do so, we may not be able to provide you with our products and services. 

Estates, Facilities & Residences is committed to the protection and safeguarding of our user’s privacy through compliance of the General Data Protection Regulation (GDPR) and Data Protection Act 2018.

Students in our Accommodation can find additional information in Appendix A.


When you contact us, visit us, or use our services either in person, online, by post or by other means we may collect, share and use your personal data.  

Your personal data may be used for the following circumstances:

  • To provide our products and services to you
  • To improve our products and services (eg by performing internal research). We may seek your participation in optional surveys, focus groups and/or other initiatives which may help us gather information to do this
  • To process payments; both to you and from you
  • For internal purposes such as website, system administration or internal audits and reviews
  • To communicate with you regarding products/ services that may be of interest including relevant advertisements when you visit our sites or third-party sites (including social media)
  • To respond to any requests/enquiries you may have
  • For the administration of your work with the University for remuneration in relation to that role


Throughout this statement and for each area of data processing; Estates, Facilities and Residences are required to consider the lawful basis, which includes:

  • Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  • Contract: the processing of personal data is necessary for a contract you have with the individual or an individual has asked you to take specific steps before entering a contract.
  • Legal obligation: the processing of personal data is necessary for you to comply with the law (excluding contractual requirements).
  • Vital interests: the processing of personal data is necessary in order to protect someone’s life.
  • Public task: the processing of personal data is necessary in order to perform a task in the public’s interest or for official functions; both of which must have a clear basis is law.
  • Legitimate interests: the processing of personal data is necessary for legitimate interests of us or a third party company unless there is good reason to protect an individual’s personal data. This cannot apply to public authorities processing data to perform official tasks.

The processing of personal data will be covered by a contractual obligation or will be taken as it is in the legitimate interests of the University to do so.  When we are relying on your consent to use your personal data, you can withdraw that consent at any time by emailing


Your personal data may be disclosed to third parties due to the following circumstances:

  • You request or authorise us to disclose specific personal data to third parties
  • The data is needed to comply with applicable law(s) (e.g. search warrant, subpoena or court order)
  • We need to provide data to our agents, vendors or service providers who perform functions on our behalf. We require that our third-party service providers only use personal data to provide the requested services. Each service provider is subject to a set of terms consistent with this Privacy Notice
  • Hosting providers for the secure storage/transmission of data
  • Identity management providers for authentication purposes
  • Database software providers for the management/tracking of data
  • Legal and compliance consultants such as: external counsel, external auditors or tax consultants
  • Marketing providers who send communications on our behalf regarding our products and services
  • Payment solution providers for the secure processing of payments you provide to us
  • Fulfilment / postal vendors for the fulfilment of our products and services
  • Third party student accommodation providers


From time to time, Dyfed Powys Police (or other Police forces) may contact us to formally request data. For more information on the University’s procedure for dealing with these requests, please see the Police Enquiries webpage.

The identity and categories of such third parties may change during the period of your engagement with us.  

Currently, none of this data is subject to automated decision-making processes and no data is transferred outside the EU for processing or any other purposes.


We will retain your personal data for as long as it is necessary for the purpose it was collected.  In most cases, a retention period will apply which can be provided by emailing  Retention periods are subject to review and alteration.

Electronic data will be deleted according to the retention period and physical data will be confidentially destroyed according to the retention period.

All personal data you provide to us (whether electronically or in paper form) will be stored securely in accordance with our policies.  We have technical and organisational security measures in place to oversee the effective and secure processing of your personal data and to minimise the loss or unauthorised access of your personal data.


We will ensure you can exercise your rights in relation to the personal data you provide to us in accordance with the UK GDPR and DPA 2018.  Under data protection law, you have the right to:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

How to Complain

In the first instance if you have any queries or complaints, please address these to Maria Ferreira, Operations Manager at

Additionally, if you have any queries in relation to the above, please contact the Information Governance Manager, at


You can also contact the Information Commissioner's Office (ICO). The ICO is the UK regulator who oversees compliance with data protection legislation.

The ICO’s address:           

Information Commissioner’s Office

Wycliffe House

Water Lane




Helpline number: 0303 123 1113

Issue date March 2022