The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Purpose and lawful basis for processing

Our purpose for processing this information is to have a contact point at your organisation and to tell you the outcome of the visit.

The lawful basis we rely on to process your personal data is article 6(1)(e) of the UK GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

What we need

When we conduct an audit or an advisory visit, we’ll take the name and contact details of your organisation’s main point of contact. We may also take details of other staff members during the visit process.

Why we need it

We use the data collected to complete the audit/advisory visit and evidence the information provided.

What we do with it

We may publish a summary of the audit we have completed with you, but this will not contain any personal data. We’ll publish the fact that we have conducted an advisory visit, but this will not contain any personal data.

How long we keep it

For information about how long we hold personal data, see our retention schedule.

What are your rights?

We process personal data in the visit information in our capacity as regulator, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

For more information on your rights, please see ‘Your rights as an individual’.

Do we use any data processors?