Data Protection

​The UK General Data Protection Regulation (GDPR) is a UK law which came into effect on the 1st January 2021. It sets out the key principles, rights, and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies.

The UK GDPR is based on the EU GDPR which applied in the UK before the 1st January 2021, with some changes to make it work more effectively in a UK context. The aims of the UK GDPR are:

  • Ensure legislation reflects new technologies.
  • Protect and enhance individuals' privacy rights.
  • Require greater accountability from organisations with regards to their processing activities.

The Data Protection Act 2018 (DPA18)

The Data Protection Act 2018 (DPA18) is necessary to fill in the gaps where the UK GDPR is silent; to clarify UK law where it is needed, and to deal with circumstances where the GDPR does not apply. The DPA18 sits alongside and complements the UK GDPR.

We are committed to protecting the rights of individuals in line with the UK GDPR and the DPA18 by protecting them from unwanted or harmful use of their personal data (information about them), by ensuring that we process this information in a responsible and accountable way.

Accountability is a key theme running throughout data protection law. As a Data Controller (the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data) we must show accountability to the law by a) appointing a Data Protection Officer and b) embedding data protection into our operations by implementing internal policies and procedures.

Data Protection Officer

Cardiff Metropolitan University's Data Protection Officer is Mr Sean Weaver. He can be contacted via email at


Cardiff Metropolitan University's Data Protection and Records Management policies are a statement of the University's commitment to comply with data protection law.



Individual Rights

Data protection law also contains several rights for individuals; these rights are fundamental to how data protection works:

The rights available to individuals depend on what personal data is being processed and why:

  • If you are a student of Cardiff Metropolitan University or an alumni member, the Student Privacy Notice  gives full details of the information the University is processing about you. 

  • If you are a member of staff, the Staff Privacy Notice gives full details of the information the University is processing about you.

  • If you engage in research, the Cardiff Met Research Privacy Notice gives you information about how your personal data is managed for research projects at the University.

If after having read this information you would like more information about your rights or want to contact us to assert a right, we would encourage you to get in touch as follows:

You can also download the University's How To Request Information document for further guidance.

The best known and most frequently exercised of all of the individual rights is the right of access, often referred to as the right of 'subject access'. Individuals have the right:

  • To be informed if the University is processing your personal data.

  • (If so) to be given a description of the data, the purposes for which the data is being processed and to whom it may be disclosed.

  • To have a copy of your personal data and any information regarding the source of the data.

  • To be informed of the logic behind some automated decisions.

For more information about the right of access, please see: Right of access

For more information about exercising your Right of Access please read the following document: The Right of Access (Subject Access) – Guidance for the Requester

We will normally ask you for proof of your identity if you contact the University to exercise any of your individual rights.

Register of Fee Payers

As a Data Controller, the University is required to pay a fee to the Information Commissioner's Officer (ICO) because it is responsible for the processing of personal data. The University is thus included on the ICO's register of fee payers.

The University's details include:

Organisation Name: Cardiff Metropolitan University

Reference Number: Z471616X

The Information Commissioner

The Information Commissioner is the UK's statutory regulator for data protection legislation responsible for:

  • Monitoring and enforcing GDPR.
  • Promoting public awareness of data protection issues and rights.
  • Promoting awareness among Controllers and Processors of their data protection obligations.
  • Handle and investigate complaints made by complainants.
  • Conduct investigations on application of the GDPR.

If the Information Commissioner's Office (ICO) is satisfied that a person has failed or is failing to comply with data protection legislation it can impose a higher tier fine of up to 20 million Euros or 4% of total worldwide turnover, or a lower tier fine of up to 10 million Euros or 2% of total worldwide turnover.

If you believe that Cardiff Metropolitan University is failing to comply with data protection legislation, that a request you made wasn't properly handled, or you are unhappy about the outcome of the consideration given to a request, please contact Mr Sean Weaver, Data Protection Officer at: