University of Essex

Privacy statement hub

1. What is a Privacy Notice?

Privacy notices explain what personal information or “data” an organisation holds about you, and how that data is stored, used and kept safe. Personal data is any information, held in any form, that relates to you as an identifiable individual. It does not include data where the identity has been removed (anonymous data). There are "special categories" of more sensitive personal data which require a higher level of protection.


We have divided our privacy notice into sections to make it easier to read only the sections relevant to you. Please be aware that multiple sections may apply depending on your relationship with the University. The content of this page and all the paragraphs included in it apply equally to, and should be read in conjunction with, all the other sections.

2. Who we are

The University of Essex is an exempt charity, and our registered address is Wivenhoe Park, Colchester, CO4 3SQ. The University of Essex is registered as a Data Controller with the UK’s Information Commissioner’s Office (ICO). Registration Number: Z699129X.

University of Essex Campus Services is a wholly-owned subsidiary company of the University. It is a private limited company and its company number is 02534817. University of Essex Campus Services is registered as a Data Controller with the UK’s Information Commissioner’s Office (ICO). Registration Number: ZA559904.

Wivenhoe House Hotel is also a wholly-owned subsidiary of the University and its registered company number is 07075571. Wivenhoe House Hotel Limited is registered as a Data Controller with the UK’s Information Commissioner’s Office (ICO). Registration Number: ZA057051.

In these notices “we” means the University of Essex and our wholly owned subsidiaries University of Essex Campus Services (UECS) and WHH Ltd, and “you” can mean you as a member of staff, student, visitor or other individual depending on your relationship with the University.

3. Data protection principles

We will comply with the UK General Data Protection Regulations and the Data Protection Act 2018, which we refer to as “data protection law”. We will follow other jurisdictions’ data protection requirements where required. Data protection law says that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes we have told you about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told you about.
  6. Kept securely.

In addition to this, the ‘Accountability Principle’ requires that we take responsibility for how we comply with the principles and demonstrate that compliance.

4. Lawful basis for processing

We, and those that process personal data on our behalf, must have a lawful basis or ground for processing before we can process personal data. In each of our separate privacy notices we have set out the specific lawful basis for processing your personal data.

The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever we process your personal data:

  1. Consent: you have given clear consent for us to process your personal data.
  2. Contract: the processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for us to comply with the law.
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests.

If we are processing special category data (sensitive data that require additional protection), we use additional legal bases. These additional lawful bases for processing are set out in Article 9 of the UK GDPR. At least one of these conditions must apply whenever we process your special category personal data:

  (a) Explicit consent
  (b) Employment, social security and social protection (if authorised by law)
  (c) Vital interests
  (d) (By) Not-for-profit bodies
  (e) Made public by the data subject
  (f) Legal claims or judicial acts
  (g) Reasons of substantial public interest (with a basis in law)
  (h) Health or social care (with a basis in law)
  (i) Public health (with a basis in law)
  (j) Archiving, research and statistics (with a basis in law)

If we are relying on conditions (b), (h), (i) or (j), we also need to meet the associated condition in UK law, set out in Part 1 of Schedule 1 of the Data Protection Act 2018. We may also process criminal offence data and are required to meet the legal basis in Article 6 as well as a specific condition for processing in Schedule 1 of the DPA 2018.

We have an Appropriate Policy Document (.pdf) which sets out how we comply with the additional requirements on special category and criminal offence data.

5. Your personal data and your rights

Under data protection law, you have rights including:

Summary of your rights

Right of access to your personal information

You have the right to receive a copy of your personal information that we hold about you and information about how we use it, subject to certain exemptions.

Right to rectify your personal information

You have the right to receive a copy of your personal information that we hold about you and information about how we use it, subject to certain exemptions.

Right to erasure of your personal information

You have the right to ask that your personal information be deleted in certain circumstances. For example:

  • where your personal information is no longer necessary in relation to the purposes for which it was collected or otherwise used;
  • if you withdraw your consent and there is no other legal ground which we rely on for the continued use of your personal information;
  • if you object to the use of your personal information (as set out below);
  • if we have used your personal information unlawfully; or
  • if your personal information needs to be erased to comply with a legal obligation.

Right to restrict the use of your personal information

You have the right to suspend our use of your personal information in certain circumstances. For example:

  • where you think your personal information is inaccurate but only for so long as is required for us to verify the accuracy of your personal information;
  • the use of your personal information is unlawful and you oppose the erasure of your personal information and request that it is suspended instead;
  • we no longer need your personal information, but your personal information is required by you for the establishment, exercise or defence of legal claims; or
  • you have objected to the use of your personal information and we are verifying whether our grounds for the use of your personal information override your objection.

Right to data portability

You have the right to obtain your personal information in a structured, commonly used and machine-readable format and for it to be transferred to another organisation, where this is technically feasible. The right only applies:

  • to personal information you provided to us;
  • where we rely on the following legal bases:
      • consent; or
      • for the performance of a contract; and
  • when the use of your personal information is carried out by automated (i.e. electronic) means.

Right to object to the use of your personal information (including to object to direct marketing, automated decision making and profiling)

You have the right to object to the use of your personal information in certain circumstances and subject to certain exemptions. For example:

  • where you, at any time, have specific reasons relating to your particular situation and we use your personal information for our legitimate interests (or those of a third party); and
  • if you object to the use of your personal information for direct marketing purposes.

You will generally not have to pay a fee to access your personal information (or to exercise any of the other rights). If you make a request, we have one month to respond to you. We may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Please see our policy on Data Rights for further information. If you wish to exercise any of your rights, or have any questions about your rights, please contact the Data Protection Officer at dataprotectionofficer@essex.ac.uk.

6. Data sharing

We may have to share your data with third parties, including third-party service providers and suppliers.

We require third parties to respect the security of your data and to treat it in accordance with the law.

If we have to transfer any of your personal data outside the UK we ensure the receiving country or organisation is deemed to have adequate data protection provision. Where a country or organisation does not have adequate protections we will put safeguards in place. Details of these safeguards can be provided to you upon request.

Our privacy notices will set out more details about whom we will share data with.

7. Data security

We have put in place measures to protect the security of your information.

Where third parties have access to your data, we will provide instructions for them to process your personal information only in accordance with our instructions, and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a relevant business need. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. The University’s overarching approach to data protection is set out in our Data Protection Policy.

8. Links to other websites

This Privacy Policy does not apply to other advertisers or websites. Our website may contain links to other websites of interest which we might not own or operate. You should note that we do not have any control over websites outside our ownership. Therefore, we cannot be responsible for the protection and privacy of any information which you may provide whilst visiting such external websites accessed from links and these websites are not governed by this Privacy Policy. You should exercise caution and review the privacy statement applicable to the website in question.

9. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO at dataprotectionofficer@essex.ac.uk.

10. International Transfers

If we have to transfer any of your personal data outside the European Economic Area (EEA) we ensure the receiving country or organisation is deemed to have adequate data protection provision. Where a country or organisation does not have adequate protections, we will put safeguards in place. Details of these safeguards can be provided to you upon request.

11. Unsolicited Marketing

We may contact corporate contacts with unsolicited marketing. Our legal basis for this is legitimate interests and we comply with the Privacy and Electronic Marketing Regulations (PECR) by only contacting corporate subscribers and always offering an opt-out.

12. Complaints

If you are dissatisfied with the way the University of Essex has processed your personal data, or if you have any questions or concerns about your data, please contact dataprotectionoffice@essex.ac.uk. If we are not able to resolve the issue to your satisfaction, you have the right to complain to the Information Commissioner’s Office (ICO). They can be contacted at https://ico.org.uk/make-a-complaint/

The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline: 0303 123 1113

13. Changes to this Privacy Notice

This privacy notice was published on Monday, 31 January 2022. We may change this privacy notice from time to time. Last revised 20 December 2023.