Skip to main content
Directorate of Governance and Legal Services

Privacy notice guidance

What is a privacy notice and why do I need one? 

A privacy notice or a fair processing notice (often called a privacy policy) is a statement made to an individual, informing them how their personal data will be used and for what purpose. This fulfils the GDPR’s ‘right to be informed’. 

Queen Mary has a central Privacy Notice to cover overarching processing of personal data by the University. However, to remain transparent and fair to individuals, a local privacy notice is often required. 


What information do I need to include in a local privacy notice? 

There are specific items that all privacy notices must include in order to fully inform the individual on how their data is being processed in a particular case. These are set out at Articles 13 and 14 of the UK-GDPR. The notice must be easy to read and understand and wherever possible should be placed at the point of collection for individuals to make an informed decision. 

The following list contains information that must be included in a privacy notice. Not all the items are relevant to every privacy notice but do double check all essential information required is covered. 

Information that MUST be included (if relevant) 

Example text

Identity and contact details of organisation (the controller will always be QMUL) and a member of the team collecting the data 

Who is collecting the data and how can they be contacted? 

This privacy notice explains how Queen Mary University of London (QMUL) uses the personal data we collect from you. 

If you have any questions or concerns about this notice, please contact the department/organiser at

Types of Personal Data collected 

Is there any data being collected that is not obvious to the individual, or might be collected at a later date? 

We collect the following types of data: full name, email address and bank account details. 

Purpose of processing data 

What is your purpose for processing the data? What are you intending to do with it?

The information provided will be used to contact you and to improve our customer service. 

Lawful Basis for processing 

You need a lawful basis from Article 6 of GDPR (and Article 9 for special category personal data).

Is the lawful basis: consent, performance of a contract, legal obligation, vital interests, public task, or legitimate interests. The ICO has an interactive tool to help you decideJISC also has some useful guidance.

The lawful basis for processing your personal data is that it is necessary to fulfil the contract between us. 

By filling out the form you confirm that you understand how and why we will process your data in line with this privacy notice as well as our central privacy notice, which can found at

Opt in for marketing 

Is this relevant to your form? Is your purpose to provide marketing? Make sure there is the option to opt in, if necessary and keep a record of the consent collected.

Please let us know if you would like us to contact you with details of our upcoming events by providing your email address. 

Right to withdraw consent 

This right is relevant for marketing and any processing where the only lawful basis is consent. 

You have the right to withdraw your consent at any time. If you wish to, please contact us at  

You can also opt-out of any direct marketing using the unsubscribe link at the bottom of our communications. 

Third Party recipients of data 

Are you planning to share the personal data with somebody outside of Queen Mary 

Contact the Data Protection Officer at to ensure the data is fully protected and there is an Information Sharing Agreement in place.

We will only share your personal data with the organisation that helps us to provide this service. 

Transfers of data to a third country 

Are you planning to transfer personal data outside of the U.K. or European Economic Area? 

Contact the Data Protection Officer at to ensure this complies with UK-GDPR. 


In order to process your data, we work with our partner organisation Haryale University in the USA. We take all precautions to make sure your data is handled securely in line with UK-GDPR requirements including an Information Sharing Agreement. 


Data retention period 

All personal data should be kept in line with Queen Mary’s Record Retention Schedule. The example is sufficient detail for a local privacy notice.

All personal data is kept in line with Queen Mary’s Records Retention Policy. 


Link to central privacy notice 

This link reduces the amount of information needed in a local privacy notice by providing generic details.

You can refer to our central privacy notice for more information, including on your rights, which can found at 


If you need assistance to draft a privacy notice, please contact the Records & Information Compliance Manager. 

Back to top