Privacy Policy

1. Purpose of our Data Protection Privacy Notice

Swansea University Students’ Union is committed to upholding the principles of data protection and ensuring we handle all personal data in accordance with UK law.

We understand that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all our members, staff, customers, contractors and stakeholders and will only collect and use personal data in ways that are described within this Data Protection Privacy Notice, and in a way that is consistent with our obligations and your rights under the law.

2. About us

Organisation Name: Swansea University Students' Union
Registered Charity Number: 1203072
Registered Company Number: 14857512
Registered Address: Faraday Building, Singleton Park, Swansea, SA2 8PP
Data Protection Officer: Chief Executive Officer

This Notice also applies to SUSU Trading, which is a subsidiary of Swansea University Students’ Union.

3. What is covered under this Notice?

This Data Protection Privacy Notice explains:

  • What is Personal Data
  • What are your rights
  • How we use your Personal Data
  • How we will comply with UK law on Data Protection
  • How and where do we store or transfer your Personal Data
  • Requests to access Personal Data
  • What we will do if there has been a Data Breach
  • How to Contact Us
  • Changes to this Data Protection Privacy Notice

4. What is Personal Data?

Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers information such as your name and contact details, but it also covers information such as identification numbers, electronic location data, and other online identifiers.

In cases where personal data is of a sensitive nature, it is classed as ‘Special Category Data’. This data is information that reveals or concerns an individual’s:

  • Race or ethnic origin
  • Political opinion
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data, if used for identification purposes
  • Health
  • Sex life
  • Sexual orientation

5. What are your Rights?

Under the GDPR, you have the following rights, which we will always work to uphold:

  1. The right to be informed about our collection and use of your personal data. This Data Protection Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions
  2. The right to access the personal data we hold about you
  3. The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete
  4. The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have
  5. The right to restrict (i.e. prevent) the processing of your personal data
  6. The right to object to us using your personal data for a particular purpose or purposes
  7. The right to data portability. This means that, if you have provided personal data to us directly, or we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases
  8. Rights relating to automated decision-making and profiling.

For more information about our use of your personal data or exercising your rights as outlined above, please contact us. Alternatively, further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.

If you have any cause for complaint about our use of your personal data, please contact us. You also have the right to lodge a complaint with the Information Commissioner’s Office.

6. How we use your Personal Data

Under the GDPR, we must always have a lawful basis for using personal data. This may be because the data is necessary for our performance of a contract with you, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it.

We will apply data protection principles to any personal data that we process. These data protection principles require that we:

  • process personal data in a way that is lawful, fair and transparent
  • only collect personal data for specific, explicit and legitimate purposes
  • only collect personal data that is adequate and relevant to our business
  • take reasonable steps to make sure that data remains accurate
  • not keep data for longer than is needed
  • make sure that data is processed securely and protected against unlawful processing
  • take responsibility for what we do with personal data
  • where required, provide evidence that we act according to these principles

Your personal data may be used for one, or more than one, of the following purposes:

  1. Providing and managing your Students’ Union account
  2. Supplying our products and/or services to you or you supplying your products and/or services to us. Your personal details are required in order for us to enter into a contract with you
  3. Personalising and tailoring our products and/or services for you
  4. Communicating with you. This may include responding to emails or calls from you
  5. Supplying you with information by email that you have opted-in to
  6. To process your advertising enquiry with our media partner Native. This is necessary for our legitimate interests (to respond to your enquiry about advertising opportunities) 

With your permission and/or where permitted by law, we may also use your personal data for marketing purposes, which may include contacting you by email and/or text message with information, news, and offers on our products and/or services.

You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt-out.

We may share your personal data with other subsidiaries in our group for marketing and other purposes.

We may sometimes contract with third parties to supply products and/or services to you on our behalf. These may include payment processing, delivery, and marketing. In some cases, those third parties may require access to some or all of your personal data that we hold.

If any of your personal data is required by a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law. In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.

We use the following automated system for carrying out certain kinds of profiling.

6.1. Membership Services Limited (MSL)

Our membership management system uses automation in order to assign your student profile to specific groups. For example, if you purchase a Sport Swansea membership, your profile will automatically be added to the Sport Swansea members group. This means that we are easily able to reach out to all members of that particular group when necessary. It also allows us to keep track of how many members we have for any given group. Sometimes we have to reach out to groups of students based on their ethnicity or nationality. This is also done through this automated grouping system. If at any point you wish to query any action that we take on the basis of this or wish to request ‘human intervention’ (i.e. have someone review the action themselves, rather than relying only on the automated method), the GDPR gives you the right to do so. Please contact us to find out more.

7. How we will comply with UK Law on Data Protection?

In addition, we will not process your personal data unless at least one of the following conditions has been met:

  • we have clear consent from you to do this, and it is for a specific purpose
  • we need to do this because of a contract we have with you, or because you have asked us to do so before you enter into a contract
  • we need to do this to comply with the law
  • we need to do this to protect someone’s life
  • we need to do this to perform a task that is in the public interest, or because we are acting under official authority
  • it is in our legitimate interest to do this, and, on balance, it does not disproportionately interfere with the rights and freedoms of the individual concerned

Where the information is special category data, we will only process it if we can identify any additional conditions as set out in data protection legislation. 

8. How long we keep your Personal Data?

We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected.

Your personal data will be kept in accordance with the Union’s Data Retention Policy, industry standards and our legal obligations.

9. How and where we store or transfer your Personal Data

We will only store or transfer your personal data in the UK. This means that it will be fully protected under the GDPR. 

Our employees and volunteers may need to use information about you in order to provide goods and services to you and for the purposes of administration; these include third-party organisations that provide applications/functionality, data processing and IT services to us, or who manage our media and advertising.

All documents containing personal data are destroyed securely and in accordance with data protection principles. 

10. Requests to access Personal Data

We will ensure any requests to access personal data are handled lawfully.

Data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which the Union holds about them, what it is doing with that personal data, and why.

Anyone wishing to make a SAR should do so using a Subject Access Request Form (available upon request), sending the form to the Union’s Data Protection Officer.

If the request comes from the person the data relates to (or their authorised representative), we will treat this as a ‘subject access request’.

When we receive a subject access request, we will:

  • ensure the person who submitted it is authorised to act on behalf of that person if the person requesting it is not the subject of the data
  • if the request is not sent electronically, we will clarify how the requester wishes to receive the information

We will then consider the arrangements for providing the information. As part of this, we will:

  • ensure the data is not subject to a legal exemption or restriction
  • ensure that sharing the information will not involve disclosing third-party data
  • if need be, ask the requester to clarify their request

We will provide the requested data within 1 calendar month of the receipt of the request, unless:

  • it is subject to a legal exemption or restriction
  • we cannot do so without also disclosing third-party data
  • we need to extend the response period by up to a further 2 months. We will only extend the response period in cases where (both conditions apply): we need to do so due to the complexity of the request and we can provide a formal justification for this decision

If we decide not to comply with the request or the requester is not satisfied with the outcome, they may ask the Information Commissioner’s Office (ICO) to check whether our decisions are correct. The requester will be informed of this when we respond to a request for their personal data.

All SARs received shall be handled by the Union’s Data Protection Officer or member of the Data Protection Team.

The Union does not charge a fee for the handling of normal SARs. The Union reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

11. What we will do if there has been a Data Breach?

As part of their responsibilities for helping us implement this policy, all our employees, contractors and associated third parties must report potential breaches immediately.

This includes any incidents that involve:

  • the sharing of personal data, whether accidental or deliberate, with parties who are not authorised to view it
  • the loss or theft of a device that contains, or grants access to, personal data
  • attempts by anyone to access personal data by hacking or bypassing IT security measures
  • the unauthorised alteration of personal data

In cases where we believe a breach may pose a risk to someone’s rights or freedoms, we will add details to the Union Data Breach Register and follow guidance from the Information Commissioner’s Office (ICO) with regard to how it should be reported and when to inform the individual(s) concerned. We will do this without undue delay and certainly within 72 hours of the issue being raised with us.

12. How to contact us?

To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details:

Data Protection Officer

Swansea University Students’ Union

Faraday Building

Singleton Park

Swansea

SA2 8PP

dataprotection@swansea-union.co.uk

13. Changes to this Data Protection Privacy Notice

We may change this Data Protection Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.

Any changes will be made available via our website.