Personal information charter

How we collect, use and share your personal information (personal data) at the CMA.

This personal information charter is the CMA’s ‘privacy notice’. It explains how we collect, use, and share information about you (‘personal data’) when carrying out our statutory functions as a public authority and running our organisation.

This charter does not cover the personal data that we process for staff and recruitment purposes:

  • if you are a job applicant, please refer to the Civil Service Jobs Privacy Notice
  • CMA employees, contractors, non-executive directors etc should refer to the Staff Privacy Notice on the CMA’s intranet

At the CMA, we recognise the importance of protecting your personal data and we are committed to complying with our data protection obligations whilst delivering our work as a public authority. As we continue to develop our processes and take advantage of technologies to enhance the way we work, it may be necessary to modify our Charter. We therefore encourage you to refer to this page on a regular basis. You can see when the Charter was last updated by referring to the date at the top of this page.

What we do and why we process personal data

The CMA is an independent non-ministerial UK government department and is the UK’s principal competition and consumer protection authority. Our ambition is to promote an environment where people can be confident they are getting great choices and fair deals, competitive, fair-dealing businesses can innovate and thrive, and the whole UK economy can grow productively and sustainably.

Our statutory functions are derived from a wide range of legislation, including the following:

  • Enterprise Act 2002
  • Enterprise and Regulatory Reform Act 2013
  • Competition Act 1998
  • Consumer Rights Act 2015
  • Consumer Protection from Unfair Trading Regulations 2008
  • Consumer Contracts Regulations 2013
  • United Kingdom Internal Market Act 2020
  • Subsidy Control Act 2022

Sometimes we need to collect, use, and share information about individuals so that we can and carry out our statutory functions as a public authority and run our organisation. Information about individuals is called ‘personal data’, as defined in the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018). Personal data is information about living individuals who can be identified from it. It is not information about organisations or companies. It includes voice recordings, photographs, CCTV images, and online identifiers.

Collecting, using, and sharing personal data is called ‘processing’. Anything at all that we do to, or with, personal data, including deleting it, or just viewing it, is processing.

The types of personal data that we process

Depending on the activities we are undertaking, we process the following categories of personal data when carrying out our statutory functions as a public authority and running our organisation:

  • identity and contact: name, contact details, identity verification documents
  • images/videos: images of you or third parties, surveillance data (including CCTV footage)
  • employment: details of your work and job role, employer details, employment status
  • communications: investigative interview (compelled and voluntary) and call/meeting recordings and transcripts; voice and/or video call recordings; any personal data included in the content of communications or responses you submit to the CMA including consultation responses and surveys
  • financial: bank details, income and salary details
  • technical: IP address, device information and other information collected through cookies
  • special category data:
    • information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership
    • genetic data or biometric data (where used for identification purposes).
    • data concerning health
    • data concerning sex life or sexual orientation
  • criminal offence data: personal data relating to criminal convictions and offences or related security measures
  • case-specific and evidence data: personal data included in devices, documents (both digital as well as physical copies) and information that we obtain through our statutory powers or which we otherwise collect as part of an investigation or other case work that we undertake (such as calendars or diaries, chats, activity tracking and information about relevant individuals involved in a potential consumer or competition law breach)

Why we use personal data and our lawful basis

This section sets out the purposes for which we collect and use your personal data, what types of information we process, and our lawful basis for doing so.

Purpose 1: Exercising our statutory functions (other than for criminal law enforcement purposes) as the UK’s principal authority for competition and consumer protection

The CMA’s responsibilities as a public authority include the following:

  • investigating businesses to determine whether they have breached UK competition law and, if so, to end and deter such breaches
  • investigating and enforcing a range of consumer protection legislation, to address market-wide consumer problems
  • conducting studies, investigations, reviews, or other pieces of work into particular markets where there are suspected competition and consumer problems. The CMA can take action – and recommend action be taken by others – in markets where competition may not be working well
  • investigating mergers that have the potential to lead to a substantial lessening of competition and/or operate against the public interest. If a merger is likely to reduce competition substantially, the CMA can block it or impose remedies to address such concerns. If a merger is likely to operate against the public interest, the CMA provides a recommendation as to the action the Secretary of State should take to remedy the competition and/or public interest issues
  • giving advice to policymakers and ministers about our functions, including how they can design and implement policy in a way that harnesses the benefits of competition and protects and promotes the interests of consumers
  • providing information and advice to people and businesses about rights and obligations under competition and consumer law
  • promoting stronger competition in the regulated industries (gas, electricity, water, aviation, rail, communications and health), working with the sector regulators
  • conducting regulatory appeals and references in relation to price controls, terms of licences or other regulatory arrangements under sector-specific legislation
  • Office for Internal Market (OIM): Providing technical advice, reporting, and monitoring in relation to the UK internal market, through the OIM
  • Subsidy Advice Unit (SAU): Providing advice, reporting, and monitoring in relation to government subsidies, through the SAU
  • Digital Markets Unit (DMU): Preparing for the introduction of a new regulatory regime for the most powerful digital firms, promoting greater competition and innovation in these markets and protecting consumers and businesses from unfair practices

Categories of personal data we process

  • identity and contact
  • sex
  • age and/or date of birth
  • customer ID, account number, loyalty card number, membership number
  • records and details of purchases
  • images/videos
  • employment
  • communications
  • financial
  • technical
  • special category data
  • case-specific and evidence data

Our lawful basis for processing personal data

Our lawful basis for processing personal data is:

  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the CMA (Article 6(1)(e) UK GDPR); or
  • the processing is necessary for compliance with a legal obligation to which the CMA is subject; or
  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6(1)(a) UK GDPR)

If we need to process your personal data for a new purpose, we may do so as per Article 6(4) UK GDPR in circumstances where we rely on a domestic law which constitutes a necessary and proportionate measure to safeguard one of the objectives referred to in Article 23(1).

We process special category for the purposes of investigating and enforcing UK competition law and consumer law breaches. We also sometimes process special category data where we are conducting evidence-gathering in particular markets where there are suspected competition and consumer problems. Where we process special category data under Article 9 UK GDPR, we do so only where one of the following conditions applies:

  • processing is necessary for reasons of substantial public interest, including:
    • statutory etc. and government purposes – for example, where we collect (or disclose) information, gather intelligence, and carry out enforcement activity during our case work and investigations and determine the priorities for our work
    • preventing or detecting unlawful acts – for example, information collected by the CMA to monitor the UK market for competition and consumer issues
    • protecting the public against dishonesty etc. – for example, publishing information about the individuals involved in misleading and/or fraudulent business activities or those that are in breach of an undertaking or order issued by the CMA
  • disclosure to elected representatives – as a non-ministerial government department, the CMA may share information with elected representatives to escalate matters related to public interest
  • processing is necessary for archiving purposes in the public interest. For example, when we transfer certain personal data to the National Archives
  • processing is necessary for the purposes of legal claims
  • where the individual has provided explicit consent

Purpose 2: Exercising our statutory functions (for criminal law enforcement purposes) as the UK’s principal authority for competition and consumer protection

The CMA has criminal investigation and prosecution powers in relation to the criminal cartel offence, proceeds of crime, and consumer rights enforcement. The CMA is named as a ‘competent authority’ for the purposes of Part 3 of the DPA 2018 (which applies to competent authorities that process personal data for law enforcement purposes). ‘Law enforcement purposes’ means the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

The CMA processes personal data in the exercise of these law enforcement functions. Where necessary, the CMA also shares personal data with other law enforcement agencies in order to assist those agencies to discharge their criminal investigation and prosecution powers.

Categories of personal data we process

  • identity and contact
  • images/videos
  • employment
  • communications
  • financial
  • special category data
  • criminal offence data
  • case-specific and evidence data

We may process the above categories of data for individuals and/or businesses under investigation as well as their clients, suppliers, staff members, next of kin, family and friends subject to relevance to the investigation.

Our lawful basis for processing personal data

We carry out this processing on the basis that:

  • it is necessary for the performance of a task carried out for law enforcement purposes; or
  • the individual has given consent to the processing of his or her personal data

If we need to process your personal data for a new law enforcement purpose, we may do so as per Section 36(3) DPA 2018 provided that we are authorised by law to process the data for the other purpose and the processing is necessary and proportionate to that other purpose.

Where we process special category data for law enforcement purposes (referred to as ‘sensitive processing’), we rely on the individual’s consent, or a condition set out in Schedule 8 of the DPA 2018 (where the processing is strictly necessary for those purposes). The Schedule 8 conditions that we rely on are set out below. The condition we rely on will depend on the circumstances, but you can obtain more information by contacting us using the details below:

  • it is necessary for judicial and statutory purposes – for reasons of substantial public interest (this is the condition that we most often rely on)
  • it is necessary for the administration of justice
  • the personal data is already in the public domain (manifestly made public)
  • it is necessary for legal claims
  • it is necessary for archiving, research, or statistical purposes

Purpose 3: Supporting the delivery of our statutory (and other) functions through quantitative and qualitative research

In reaching informed decisions, the CMA conducts quantitative and qualitative research with consumers as part of its evidence-gathering. For this purpose, the CMA processes personal data to:

  • design, conduct, and analyse the findings from quantitative surveys that we undertake in-house
  • design, conduct, and analyse the findings from qualitative research that we undertake in-house
  • design, conduct, and analyse the findings from quantitative surveys and qualitative research that we commission from specialist market research agencies/suppliers
  • evaluate the robustness of third-party research findings submitted in evidence to us

Categories of personal data we process

Depending on the specific purpose of the case and the related research, we process the following categories of personal data:

  • identity and contact
  • sex
  • age and/or date of birth
  • customer ID, account number, loyalty card number, membership number
  • records and details of purchases
  • images/videos
  • employment
  • communications
  • financial
  • technical
  • special category data

Our lawful basis for processing personal data

Our lawful basis for processing personal data is:

  • the processing is necessary for performance of a task carried out in the public interest or in the exercise of official authority vested in the CMA (Article 6(1)(e) UK GDPR); or
  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6(1)(a) UK GDPR).

If we need to process your personal data for a new purpose, we may do so as per Article 6(4) UK GDPR in circumstances where we rely on a domestic law which constitutes a necessary and proportionate measure to safeguard one of the objectives referred to in Article 23(1).

We process special category data for the purposes of sampling, data processing, and/or analysis in quantitative and qualitative research when necessary for meeting the requirements of a case. Where we process special category data for quantitative or qualitative research under Article 9 UK GDPR, we do so only where one of the following conditions applies:

  • research-related processing is necessary for performance of a task carried out in the public interest or in the exercise of official authority vested in the CMA
  • where the individual has provided explicit consent

Purpose 4: Activities that we carry out to run our organisation

Processing activity 1: Engaging and managing relationships with our service providers (who may be your employers) and other government departments to which we issue an invoice, including carrying out commercial tenders in accordance with applicable frameworks, communication and contract management, procurement, and invoice payment

Categories of personal data we process

  • identity and contact
  • employment
  • communications

Our lawful basis for processing personal data

  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the CMA (Article 6(1)(e) UK GDPR)
  • otherwise, the processing is necessary for the purposes of our legitimate interests in managing our service provider relationships and running our organisation efficiently (Article 6(1)(f) UK GDPR)

Processing activity 2: Maintaining the security of our systems and premises. We monitor access to, and activity in, our buildings to ensure the security of our premises (including through the use of CCTV)

Categories of personal data we process

  • identity and contact
  • images/videos
  • employment
  • communications

Our lawful basis for processing personal data

  • the processing is necessary for compliance with a legal obligation to which the CMA is subject (Article 6(1)(c) UK GDPR) in relation to security and data protection – including the UK GDPR and DPA 2018
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the CMA (Article 6(1)(e) UK GDPR)
  • otherwise, the processing is necessary for the purposes of our legitimate interests in ensuring the security of our building and systems (Article 6(1)(f) UK GDPR)

Processing activity 3: Responding to enquiries, requests, and communications we receive from you or someone else on your behalf: this includes general enquiries as well as requests under statutory frameworks (such as data subject rights requests and requests under the Freedom of Information Act)

Categories of personal data we process

  • identity and contact
  • employment
  • communications

Our lawful basis for processing personal data

  • where you submit a request for disclosure of information in accordance with a statutory framework (such as UK GDPR or the Freedom of Information Act), the processing is necessary for compliance with a legal obligation to which the CMA is subject under that framework (Article 6(1)(c) UK GDPR)
  • otherwise, the processing is necessary for the purposes of our legitimate interests in responding to and managing the communications and responses that are submitted to us (Article 6(1)(f) UK GDPR)

Processing activity 4: Hosting and facilitating events, workshops, and essay competitions, and promoting the work of the CMA virtually and at in-person events

Categories of personal data we process

  • identity and contact
  • employment
  • images/videos where the event is recorded

Our lawful basis for processing personal data

  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the CMA (Article 6(1)(e) UK GDPR) - in relation to the promotion of our work
  • otherwise, we rely on consent

Processing activity 5: Enabling you to sign up to receive communications from us about the CMA’s activities

Categories of personal data we process

  • identity and contact

Our lawful basis for processing personal data

We will only send you these materials where you have provided your consent.

How long we retain your personal data

We retain your personal data only for as long as we have a legal basis to do so and only for as long as is necessary. When deciding the retention period for your personal data, we have regard to the time periods recommended to government departments for keeping certain categories of information by The National Archives (TNA) as well as our own retention policy and retention schedules.

For more information on the retention periods that we will apply to your data, see the CMA Data retention policy.

Information we obtain from other sources

Sometimes we collect your personal data directly from you, but sometimes we collect it from third parties. The categories of third parties from which the CMA obtains personal data include:

  • businesses and organisations (including but not limited to private sector organisations as well as public sector organisations and Public Authorities) involved in or assisting in the investigations and case work we carry out
  • other competition authorities and regulators that share evidence with us in relation to investigations in which we are involved
  • consumer organisations that forward complaints and enquiries to us
  • other government departments
  • the police
  • NHS Digital, where we carry out our statutory functions in relation to mergers affecting the NHS
  • market research agencies, credit reference agencies and/or other providers, professionals or experts that assist us in the performance of our statutory functions and/or provide ready-to-use datasets relevant to our work
  • members of the public, such as whistleblowers or consumers that make complaints to the CMA
  • publicly available data (such as product reviews on retail websites or false product claims on social media). We may use technology such as web scraping to gather publicly available data in the exercise of our consumer enforcement functions (but the CMA does not make any decisions solely on the basis of any automated processes)
  • our building security operators (in relation to CCTV surveillance at our premises)
  • MPs, when they submit an enquiry to us on behalf of you as their constituent

What happens where your provision of information is a statutory requirement

In connection with our functions as a public authority, we have statutory powers to compel individuals to provide us with documents and information that is relevant to our investigation and enforcement activity. We will let you know where our request for documents and/or information is made on the basis of these powers (and, if so, what information you are obliged to provide).

If you fail to provide the data that you are obliged by law to provide to us, CMA will use its enforcement powers to obtain the required information and/or impose a fine.

Who we share your personal data with

We share your personal data with third parties where:

  • it is necessary to do so in the exercise of our statutory functions;
  • we are legally obliged to do so as a public authority or otherwise by law; and
  • where those organisations provide us with services that help us to operate our organisation

The categories of recipients we share your personal data with are as follows:

  • government, public authorities and regulators
    • Trading Standards departments/other regulatory bodies/government departments
    • other public authorities (e.g. the police)
    • self-regulatory bodies (e.g. the Mortgage Code Compliance Board) and advisory bodies such as Consumer Association
    • enforcement partners such as the Advertising Standards Authority
    • public and trade associations
    • overseas public authorities
    • The National Archives, where we transfer data in accordance with our obligations under the Public Records Act 1958
  • suppliers and contractors
    • legal and other professional advisors and experts
    • auditors, in relation to audits of our case files
    • market research agencies and other professionals or experts that assist us in the performance of our statutory (and other) functions
    • third-party contractors, for example, transcribers
    • our IT and cloud storage providers
    • our security solutions provider that assists us with CCTV and access card production when you visit our premises
  • traders/businesses, their advisors and/or legal representatives
  • members of the public including consumers and complainants
  • press

We will ask for your consent for disclosures where we are obliged to do so subject to our statutory and regulatory obligations.

How we keep your information protected when we transfer it internationally

The CMA’s servers are located in the UK.

When we share your data with the third parties listed above, we make our best efforts to ensure your data is stored in the UK or the EEA (in the latter case, we rely on the UK’s Secretary of State’s ‘adequacy’ regulations in respect of the EEA’s data protection regime to do so).

In some cases, however, the cloud-based solutions or services that we use to help us run our organisation are located outside the UK/EEA, for example in the United States. 

Where we transfer data to US based organisation, we rely on UK US Data Bridge that requires the US based organisation to be certified to UK Extension of EU-US Privacy Framework as defined in the Article 45 of the UK GDPR. Alternatively, where we transfer your personal data to a processor that is not subject to an adequacy regulation or certified to the UK-US Data Bridge, then we usually rely on controller-to-processor ‘standard contractual clauses’, which have been approved by the UK Secretary of State, that we have entered into with that processor.

Data subject rights

You have certain rights in relation to your personal data under applicable data protection laws as set out below. You can contact us using the details below (see “Contact Us”) if you would like to request to exercise any of these rights:

  • right to access
  • right to rectification
  • right to erasure
  • right to object to processing of your data
  • right to restrict processing of your data
  • right to data portability
  • rights related to automated decision-making
  • right to withdraw consent

Withdrawing your consent will not affect the lawfulness of any processing that we carried out before the withdrawal (or any processing we carry out on a lawful basis other than consent).

We respond to all such requests that we receive in accordance with statutory timeframes. Note that you may be asked to provide identify verification documents.

For details of the data subject rights, please see the guidance by the ICO.

Complaints

If you are unhappy with the way we are collecting, using, sharing, or in any way handling your personal data, or with how we have dealt with any of your requests or rights relating to your personal data, you can contact us using the details provided below.

You also have a right to complain to the Information Commissioner’s Office at:

Wycliffe House
Water Lane
Wilmslow
SK9 5AF

casework@ico.org.uk

0303 123 1113

You also have the right to ask a court to consider whether we are dealing properly with your personal data and your rights relating to it.

Contact us

The CMA is the controller of personal data for the purposes described in this Charter. You can contact the CMA at:

General Enquiries
Competition and Markets Authority
The Cabot
25 Cabot Square
London
E14 4QZ
United Kingdom

Email: general.enquiries@cma.gov.uk

Tel: 020 3738 6000

The CMA has appointed a Data Protection Officer supported by the data protection team. You can contact them at:

Data Protection Office
Competition and Markets Authority
The Cabot
25 Cabot Square
London
E14 4QZ

Email: dpo@cma.gov.uk

Tel: 020 3738 6000

Contents