A woman with her back to the camera delivers a speech to three other females

Privacy notice for Visitors, Correspondents and Customers

This Privacy Notice provides essential information about how Buckinghamshire New University (BNU or the University) handles your personal data and the rights you have in relation to how we use your data.

BNU is a registered data controller and is responsible for looking after the personal data that you provide to us. We are committed to complying with the data protection principles set out in the Data Protection Act 2018 in a clear and transparent way.

If you have any concerns with regards to the way your personal data is being processed or have a query with regard to this Notice, please contact the Data Protection Officer at dpofficer@bnu.ac.uk

Purpose of this notice

This privacy notice explains when and why we collect personal information about you, if you are a visitor (including suppliers and contractors) when you interact and communicate with BNU and how we will use this information including the ways we might share this with others. It also explains how we keep your information secure and the rights you have in relation to the information we hold about you.

Visitors can be members of the general public visiting the University for a specific event or can be contractors providing services to the University.

This notice also covers customers of the University’s commercial operations and public events, such as members of the public who visit the campus for open days, externally hosted events or use certain facilities, such as the gym or other services.

This notice also does not apply to members of staff or current students or to members of the general public accessing areas of the University which are considered to be freely accessible i.e. public footpaths.

Why do we collect and process your personal data?

We collect and use your information for the following purposes:

Purpose 1: To identify you as an individual.

We collect and use your information to be able to identify you as an individual when at or interacting with the University. This includes to:

confirm your identity and that you have a relationship with the University
provide you with the necessary form of identification to do so i.e. Identification card
identify you as an individual when at or interacting with the University.

Purpose 2: To provide you with access to IT services.

We collect and use your information to:

provide you with an account which enables you to access to IT services.

Purpose 3: To allow you to access areas of the University.

We collect and use your information to allow you to access areas of the University that are not open to the public or only available to specific people including to:

provide you with swipe-card access to specific areas of the University which you are required to access.

Purpose 4: For security and management.

We collect and use your information to allow you to support the security and management of the University estate, including:

the recording of CCTV to monitor and collect visual images for the purposes of security and the prevention and detection of crime
enabling you to access the University car park.

Purpose 5: to provide commercial hire services.

We collect and use your information in order to provide commercial hire services to existing customers and potential customers. This includes:

equipment and venue hire services.

What is the legal basis for processing your data?

The legal basis for processing will be determined on whether you have a contract with the University.

The legal bases that we use in order to legally process the information you provide to us as a visitor and that we process is either:

Contract Article 6 (1)(b). The processing is necessary for the performance of a contract with you or to take steps, at your request, before entering into such a contract. This is the contract between the University and its visitors (i.e. prospective students), supplier and contractors in order for them to either attend the University or to provide products and/or to the University.

This legal basis will be used to achieve the following purposes:

Purpose 1: to identify you as an individual.
Purpose 2: to provide you with access to IT services (if applicable).
Purpose 3: to allow you to access areas of the University (if applicable).
Purpose 4: for security and management
Purpose 5: to provide commercial hire services (if applicable).

Legitimate Interest Article 6 (1)(f). BNU will process your personal data as necessary for the purposes of the legitimate interests pursued by the controller. The legitimate interest is to identify you as a visitor, to provide you with services and access as appropriate and to maintain your safety whilst visiting the University.

Purpose 1: to identify you as an individual.
Purpose 2: to provide you with access to IT services (if applicable).
Purpose 3: to allow you to access areas of the University (if applicable).
Purpose 4: for security and management
Purpose 5: to provide commercial hire services (if applicable).

What categories of personal data do we collect and process?

The University will collect and hold a range of personal data about you, some of which you provide to us directly and some of which we receive from third parties, such as partners or third-party companies.

Examples of categories of personal data that we hold include:

Visitors

Personal details (e.g. name and title);
Contact details (e.g. address, telephone number and personal email address);
Country of nationality and domicile (where necessary);
Vehicle registration (where applicable)

Suppliers and Contractors

Personal details (e.g. name and title);
Business trading name and address;
Business email and phone number;
Vehicle registration (where applicable)

All Visitors

CCTV footage.(see CCTV Privacy Notice for further details)

Note: If Wi-Fi is requested, a name, email address and phone number will be taken for each person to allow us to generate an individual login.  

Note: If parking is required, a name, vehicle make and registration number will be taken for each person.

Where do we get your personal data from?

For visitors, information may be collected from you engaging in an event or from the organisation arranging a visit to the University.  This could be a school, another institution, your employer or third-party marketing companies and recruitment agents. Information about visitors may also be taken from publicly available third-party sources, such as media contacts, employers’ websites or public profiles maintained for professional purposes.

For contractors and suppliers, data may be collected through our New Supplier Form, which will allow us to set up accounts and raise contracts and invoices.

Data may also be collected through contact with the initial event enquirer and through subsequent interaction about their event onsite.

Who might we share your data with?

The University may disclose certain personal data to external bodies as categorised below where we have a legitimate reason to use that data or where the University is under a legal requirement to do so. Information will be disclosed in accordance with the provisions and obligations of the Data Protection Act. Please note this is not an exhaustive list.

Disclosure to	Details
University administrative and support staff	Personal and contact details and, where necessary for the implementation of reasonable adjustments and/or the provision of other support and, subject to your consent, religious and health information.
Contracted data processors (third parties who process personal data on the University’s behalf)	Personal and contact details.
Third parties who arrange services such as catering and accommodation	Personal details and dietary requirements.
Third parties with whom the University collaborates to host events you attend	Personal and contact details, as well as any details required for the specific event.
Third parties who run programmes you may move onto after visiting the University	Personal and contact details.
Third Party Software Suppliers	Personal and contact details may be shared to enable the provision of services This includes: Microsoft 365 software including email, Teams and other Microsoft 365 systems. Other systems suppliers who provide software services to and on behalf of the University. In all cases, data will only be shared in accordance with data protection legislation.

The University may need to disclose your personal information without your consent but any such disclosures will be made with due consideration of your rights, in accordance with the obligations imposed on the University by the Data Protection Act and other relevant legislation.

Details of data transfer to any third countries or international organisation

We may transfer you personal data outside the UK in the following circumstances:

Where we use a cloud-based IT system to hold your data, and the data in the cloud is stored on servers located outside the UK in a country which is not subject to an adequacy decision. In these circumstances we safeguard your data through undertaking appropriate checks on the levels of security offered by the cloud provider and entering into a contract with them which applies protections of the same type and level required by data protection laws within the UK.

How long do we keep your personal data for?

Your data will be retained in the university records system in accordance with the Records Lifecycle Management Scheme; a summary of which can be accessed at https://bnu.ac.uk/policies.

Some business information will be archived for long-term historical preservation of events. Personal data will be securely destroyed when no longer required.

What are your rights as a data subject?

The following rights apply to the personal data collected in this notice. Please contact dpofficer@bnu.ac.uk if you wish to exercise your rights:

Right of access to confirmation of processing and copies of your personal data
Right to rectification if personal data we hold about you is incorrect
Right to restrict processing of your personal data
Right to complain to the Information Commissioner’s Office about how we handle your data.

In some circumstances you also have the following rights:

Right to object to our processing of your personal data
Right to request erasure of your personal data (deletion)
Right to data portability

What should you do if you have concerns about the way we process your personal data?

If you have any concerns with regards to the way your personal data is being processed or have a query about this Notice, you can contact the Data Protection Officer directly by e-mail dpofficer@bnu.ac.uk or by post.

Data Protection Officer

Buckinghamshire New University

Queen Alexandra Road

High Wycombe

Buckinghamshire HP11 2JZ

If you remain unhappy then you have the right to complain to the Information Commissioners Office:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire SK9 5AF

https://ico.org.uk 

BNU is registered as a controller with the Information Commissioner’s Office. Our registration number is: Z772474X

Changes to our privacy notices

This privacy notice will be reviewed on an annual basis or revised more frequently if necessary.

This notice was last reviewed on 23 August 2023.