York College

The College is committed to meeting its data protection obligations and handling visitor information securely.  This privacy notice sets out everything you need to know about how we use your information.

What information about you do we collect?

For the processing to which this notice relates to be carried out we use the following information:

  • personal information – such as: your name, company, time of arrival and departure, car registration, CCTV images.


How do we collect information about you?

We collect your information from you directly by asking you to provide us with the information we record in our visitors’ log. We also operate CCTV on site (including outside areas) and your image will be recorded by our cameras.

The College does not operate the parking enforcement and is therefore not the ‘data controller’ for this service.


How will your information be used?

Your information will be used for the below purposes:

  • Issuing parking permits (if necessary)
  • Security and safeguarding
  • Fire safety


The Legal Basis for using your information

The table below sets out the legal basis for each of the activities that this Privacy Notice covers:

Personal Data Activity Legal basis - GDPR Article 6 S8 DPA (delete as appropriate) UK Legislation
  (1)(c) to do so is necessary because of a legal obligation that applies to the College    
Safeguarding Purposes (1)(e) to do so is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority (a) the administration of justice,  
(b) the exercise of a function of either House of Parliament,
(c) the exercise of a function conferred on a person by an enactment or rule of law,
(d) the  exercise  of  a  function  of  the  Crown,  a  Minister  of  the  Crown  or  a
government department, or
(e) an activity that supports or promotes democratic engagement.
CCTV (1)(f) it is in the legitimate interests of the College to process this information     
Special Category Data Activity Legal basis - GDPR Article 9 DPA 2018 condition Other considerations
Sharing with emergency services and medical staff in the event of an emergency (2)(c) processing is necessary to protect the vital interests of the data subject or of another natural person    


Who will your information be shared with?

For visitors we will need to share your information (except normally your vehicle registration) with the person(s) at the College that you are visiting.  However, we sometimes need to share your information within the College or with other organisations. We will only share your information when necessary and when the law allows us to, and we will only share the minimum information we need to. We may also share your information with:

  • The fire service, in the event of a fire

In certain cases, we may also share your information with other individuals and organisations. For example, if the sharing would help with a safeguarding issue, or help prevent or detect a crime. Sometimes, we might share your information without your knowledge.

The College will never sell your information to anyone else.


How long will we keep your information?

We routinely keep visitors’ information for 12 months.


Your rights

The law gives you specific rights over your information.  These rights are:

  • to be informed of our use of information about you;
  • of access to information about you;
  • rectify information about you that is inaccurate;
  • to have your information erased (the ‘right to be forgotten’);
  • to restrict how we use information about you;
  • to move your information to a new service provider;
  • to object to how we use information about you;
  • not to have decisions made about you on the basis of automated decision making;
  • to object to direct marketing; and,
  • to complain about anything the College does with your information (please see the ‘Complaints’ section below).

Some of the rights listed above apply only in certain situations, and some have a limited effect. 


Changes to this privacy notice

This notice is kept under regular review to make sure it is up to date and accurate.


Data Protection Officer (DPO)

The College is required by law to have a DPO.  The DPO has a number of duties, including:

  • monitoring the College’s compliance with data protection law;
  • providing expert advice and guidance on data protection;
  • acting as the point of contact for data subjects; and,
  • co-operating and consulting with the Information Commissioner’s Office (see ‘Complaints’ below).

 The College’s Data Protection Officer can be contacted by email at: This email address is being protected from spambots. You need JavaScript enabled to view it. 



If you are unhappy with the way in which your information has been handled, you should contact the College’s Data Protection Officer so that we can try and put things right.

Alternatively, and if we have been unable to resolve your complaint, you can also refer the matter to the Information Commissioner’s Office (ICO).  The ICO is the UK's independent body set up to uphold information rights, and they can investigate and adjudicate on any data protection related concerns you raise with them.  They can be contacted via the methods below:

Website: www.ico.org.uk

Telephone: 0303 123 1113

Information Commissioner’s Office
Water Lane

Need Help?