A woman with her back to the camera delivers a speech to three other females

Data Protection for Visitors, Correspondents and Customers

Data Protection for Visitors, Correspondents and Customers

Buckinghamshire New University is a registered data controller and will collect and use information in accordance with the data protection principles set out in the Data Protection Act 2018 and the European General Data Protection Regulation (GDPR).

This privacy notice outlines what you can expect if you are a visitor, correspondent or customer that interacts and communicates with Buckinghamshire New University.  The notice also explains how we collect and process your information. This notice does not apply to members of staff or current students.

Visitors can be members of the general public visiting the University for a specific event or can be contractors providing services to the University.

Correspondents cover prospective applicants who make enquiries to the University requesting a prospectus or information at an event. It also includes individuals with whom we correspond, such as schools, businesses or partners.

This notice also covers customers of the University’s commercial operations and public events, such as members of the public who visit the campus for open days, externally hosted events or use certain facilities, such as the gym or other services.

The University will collect and hold a range of personal data about you, some of which you provide to us directly and some of which we receive from third parties, such as partners or third-party companies.

Examples of categories of personal data that we hold include:

  • Personal details (e.g. name and title);
  • Contact details (e.g. address, telephone number and personal email address);
  • Country of nationality and domicile;
  • Business trading name and address;
  • Business accounts contact name, email and phone number;
  • Company registration number;
  • VAT number;
  • Vehicle registration; and
  • CCTV footage.

If Wi-Fi is requested, a name, email address and phone number will be taken for each person to allow us to generate an individual login.  If parking is required, a name, vehicle make and registration number will be taken for each person.

The University holds and processes personal data and sensitive personal data about its current, past or prospective visitors, correspondents or customers and others who are defined as data subjects under the Data Protection Act.

Personal data is data relating to a living individual who can be identified from that data (e.g. name, address, telephone number). It can also include expressions of opinions about an individual.

Sensitive Personal Data (or ‘special categories of data’ as described under the GDPR) relates to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, criminal convictions. Personal data concerning disability is also sensitive data.

We will collect and process personal data about you for the purposes described below. The University recognises the significance of sensitive personal data and will only process such data if certain conditions are met.

For example, with your consent, we may collect, store and use information about your health or religion to make reasonable adjustments for you during your time on the University’s premises should you require us to do so.  We may also process information about your ethnicity and racial background if required for monitoring purposes to meet our legal obligations.

Your personal data will be used to provide you with access to services while on site if you are a visitor. It could also be used to send you information if you are a correspondent.

The University processes personal data in order to provide commercial hire services to existing customers and potential customers. This includes equipment and venue hire services.

Information about you will be stored in paper based filing systems or IT systems like customer relationship management systems, document management systems or email. Data may also be stored within the department with which you are engaging.

The University will also process personal information for the use of CCTV systems to monitor and collect visual images for the purposes of security and the prevention and detection of crime.

The University may monitor usage of its IT systems and access user information on its systems and networks that is normally private. Any institutional monitoring or access will comply with UK legislation and be justifiable, fair and proportionate. Such activity will be conducted in line with the University’s policy on monitoring computer and network use.

For visitors, information may be collected from you engaging in an event or from the organisation arranging a visit to the University.  This could be a school, another institution, your employer or third-party marketing companies and recruitment agents. Information about visitors may also be taken from publicly available third-party sources, such as media contacts, employers’ websites, public profiles maintained for professional purposes.

For correspondents, information may be collected from your initial enquiry, an application, open day booking form and/or any enquiry forms you submit to us as well as face-to-face, email or telephone contact you make with the University and its representatives.

For customers, data may be collected through contact with the initial event enquirer and through subsequent interaction about their event onsite. Data may also be collected through our New Customer Form, which will allow us to set up accounts and raise contracts and invoices.

Data is also collected from websites of companies we believe may be interested in our services. These are held and contacted within the 30-day period to introduce the University and deleted if there is no response or the company requests no further contact. The company name, webpage and email address are added to the Global Stop List.

Access to personal data is carefully controlled and will be seen only by authorised members of University staff.

The University may disclose certain personal data to external bodies as categorised below where we have a legitimate reason to use that data or where the University is under a legal requirement to do so. Information will be disclosed in accordance with the provisions and obligations of the Data Protection Act. Please note this is not an exhaustive list.

Disclosure to Details
University administrative and support staff Personal and contact details and, where necessary for the implementation of reasonable adjustments and/or the provision of other support and, subject to your consent, religious and health information.
Contracted data processors (third parties who process personal data on the University’s behalf) Personal and contact details.
Third parties who arrange services such as catering and accommodation Personal details and dietary requirements.
Third parties with whom the University collaborates to host events you attend Personal and contact details, as well as any details required for the specific event.
Third parties who run programmes you may move onto after visiting the University Personal and contact details.

The University may need to disclose your personal information without your consent but any such disclosures will be made with due consideration of your rights, in accordance with the obligations imposed on the University by the Data Protection Act and other relevant legislation.

We will keep your personal data for only as long as is necessary for the purposes for which it was collected. Except where we have a legal or contractual obligation to keep data for a certain period of time, your data will be kept according to the University's retention schedules. Contact information for media contacts will be kept for a period of five years after collection.

Some business information will be archived for long-term historical preservation of events. Personal data will be securely destroyed when no longer required.

Personal data about visitors, correspondents and customers is collected and processed by the University to help us provide you with a service that meets your needs.

Purpose Lawful basis
To meet our legal and statutory duties and responsibilities. Statutory obligation.
To maintain our own internal records so that we can provide you with a high quality service. Legitimate interests so that we can ensure that we continually improve our service provision.
To contact you in response to a specific enquiry. Explicit consent

Legitimate interests – so we can send additional and relevant information relating to your initial enquiry.

To provide commercial services. Performance of a contract.
To contact you about services, products, offers and other things provided by us that we think may be relevant to you. Explicit consent.
To disclose your information to other parties, if required by law. Legal.

Public Interest.

At no time will we assume your permission to use information that you provide for anything other than the reasons stated here.

Under the new data privacy legislation, you have the right to:

  • Withdraw consent where that is the legal basis of our processing;
  • Access your personal data that we process;
  • Rectify inaccuracies in personal data that we hold about you;
  • Be forgotten so that your details are removed from systems that we use to process your personal data;
  • Restrict the processing in certain ways;
  • Obtain a copy of your data in a commonly used electronic form; and
  • Object certain processing of your personal data by us.

If you wish to request a copy of the personal data held by the University about you or to correct any information we hold about you, contact the relevant department in the first instance.  If you have any further concerns about the accuracy of your personal data as held by the University or you want to submit a data subject request, contact the University’s Data Protection Officer.

Please see the Information Commissioner’s Office website for further information about your data privacy rights. You may also contact the Data Protection Officer for further information.

You have a right to complain to the Information Commissioner’s Office about the way in which we process your personal data. Please see https://ico.org.uk.

We use Cookies (that will collect your personal data) on our web pages. The Buckinghamshire New University website privacy statement explains how data may be gathered about users of the University’s website. The University’s privacy notices do not cover links to external content.


If you have any concerns with regards to the way your personal data is being processed or have a query with regard to this Notice, please contact our Data Protection Officer, Nicholas Roussel-Milner at dpofficer@bnu.ac.uk.

Our general postal address is: Buckinghamshire New University Queen Alexandra Road High Wycombe, Buckinghamshire HP11 2JZ
Our telephone number is: +44 (0)1494 522141
Our ICO data controller registration number: Z772474X

You also have a right to complain to the Information Commissioner’s Office about the way in which we process your personal data. Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK95AF. Tel: 0303 123 1113. https://ico.org.uk.