Personal information charter

How we collect, use and share your personal information (personal data) at the CMA.

This is the CMA’s ‘Privacy Notice’. It explains how we collect, use and share your personal information (personal data) at the CMA.

Sometimes we need to collect, use and share personal information about individuals, so that we can do our work. This information is called ’personal data’. When we are collecting, using and sharing personal data, we are a ‘controller’.

Personal data is information about living individuals who can be identified from it. It is not information about organisations or companies. It includes sound recordings, photographs, CCTV images and online identifiers.

Collecting, using and sharing personal data is called ‘processing’. Anything at all that we do to, or with, personal data, including deleting it, or just viewing it, is processing.

What we do

Our work at the CMA involves promoting competition for the benefit of consumers and making markets work well for consumers, businesses and the economy.

Contact us

Competition and Markets Authority

The Cabot
25 Cabot Square
London
E14 4QZ

020 3738 6000

Personal data and the law

When we collect, use and share personal data, we follow the law. The law is set out in the UK GDPR and in the Data Protection Act 2018.

(The EU GDPR ((EU) 2016/679) has been adopted into UK law by the EU Withdrawal Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 as amended).

Data Protection Officer

To ensure that we follow the law, we have a Data Protection Officer, who has special responsibility for how we collect, use and share personal data.

You can contact the Data Protection Officer, at:

Data Protection Officer

Competition and Markets Authority
The Cabot
25 Cabot Square
London
E14 4QZ

Email dpo@cma.gov.uk

Tel: 020 3738 6000

Why we collect, use and share personal data

We collect, use and share personal data for our investigations and our enforcement and regulatory work. We also collect, use and share personal data as an employer. For example, we use CCTV in our building for security reasons and to prevent and detect crime.

We only collect, use and share personal data where the law says we can.

This is:

  • where we have your express consent
  • where the law allows us to collect, use and share the personal data, because it is in the public interest and because we need to do this so that we can carry out our official work
  • where we need your personal data because we have a contract with you, for example a contract of employment
  • where the law says that we can compel someone to provide us with your personal data, so that we can carry out our work
  • where the law compels us to collect, use or share personal data

If you fail to provide personal data

If we have compelled you to provide us with personal data and you have failed to provide it, you may have to pay a fine.

If you have given us your consent to collect, use or share your personal data, you may withdraw your consent at any time by contacting us. Withdrawing your consent will not affect the validity of how we have collected, used or shared your personal data up to that point.

Sharing personal data

Sometimes we need to share your personal data with other organisations so that we can do our work. We do not share your personal data with anyone unless it is necessary to share it.

The types of organisations we share your personal data with include:

  • national and international consumer and competition organisations and regulators
  • enforcement partners like the Advertising Standards Authority
  • the European Commission
  • the Consumers, Health, Agriculture and Food Executive Agency
  • the Global Competition Review
  • legal counsel
  • HMRC
  • the National Audit Office
  • auditors
  • payroll and pensions providers
  • recruitments agencies
  • external health advisers
  • Cabinet Office freedom of information Clearing House

Sharing personal data overseas

Sometimes we may need to share your personal data with countries and organisations outside the UK.

The CMA is currently sharing personal data (staff contact details) with countries or organisations outside the UK for the purposes of fire, or other major incident, planning.

The CMA may also use the services of international economic experts outside the UK.

The CMA will ensure that there is an adequate level of protection for any personal data shared outside the UK.

For transfers of personal data to the US, or any storage of personal data on US - based servers, the CMA is actively monitoring and following Information Commissioner Office, and other relevant, guidance, following the Judgment in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems.

Collecting personal data from third parties

Sometimes we collect your personal data directly from you, but sometimes we collect it from third parties. Where we collect personal data from third parties, it is from organisations like survey companies, or those traders operating in sectors of the market that we are investigating or taking regulatory or enforcement action against. The categories of personal data will reflect the market concerned.

Third parties the CMA obtains personal data from include:

  • NHS Digital (more information on how the CMA collects, uses and protects Hospital Episode Statistics (HES) data is available in the HES data process document)
  • other government departments
  • other competition authorities and regulators
  • stakeholders
  • traders
  • consumer organisations
  • research agencies
  • credit reference agencies

The CMA also uses publicly available data.

How long we keep your personal data

The law says that we may only keep your personal data for as long as we have a legal basis to do so. This will usually mean that it is necessary for us to keep the personal data so that we can carry out our work as a public authority, a government department and a regulator. For example, where we collect and use personal data to carry out a market investigation into a particular sector, it is likely that we will no longer need your personal data once that market investigation is complete.

We may also keep your personal data for reasons of accountability and to meet legal requirements.

When we no longer need your personal data, we securely delete it.

In deciding how long we need to keep your personal data for, we also have regard to the time periods recommended to government departments for keeping certain categories of information by The National Archive and our own retention policy.

Your right to ask us whether we are collecting, using or sharing your personal data

You may ask us at any time whether we are collecting, using or sharing your personal data, what personal data of yours we have, why we have it and what we are going to do with it. Where we are collecting, using or sharing your personal data, you can ask us for a copy of it.

We must usually respond to you within a month.

Getting access to your personal data

PDF, 87.7 KB, 3 pages

Your other rights

You may also ask us at any time to delete your personal data (sometimes called the ‘right to be forgotten’), or to correct it where you believe it may be wrong or incomplete, or to stop collecting, using or sharing your personal data, or to collect, use or share it in a more restricted way.

Your right to ask us to delete your personal data (the right to be forgotten)

PDF, 112 KB, 3 pages

Your right to ask us to correct your personal data where you believe it is inaccurate (the right to rectification)

PDF, 129 KB, 3 pages

Your right to object to the collection, use, storage or disclosure of your personal data (the right to object to processing)

PDF, 96.3 KB, 3 pages

Your right to ask us to restrict how we are collecting, using, storing or disclosing your personal data (the right to restrict processing)

PDF, 110 KB, 3 pages

Where organisations like the CMA are collecting and using personal data for automated decision-making or profiling purposes, you may object to this.

The CMA is not collecting or using personal data for automated decision-making.

If you have provided us with your personal data electronically and would like it back, or to be sent to another organisation which is similar to the CMA, you can ask us to send it to you or to that organisation direct and in what is called a ‘commonly used, machine-readable format’ and we may have to do so. This is called the ‘right to data portability’.

Your right to data portability

PDF, 108 KB, 2 pages

For all of these rights, we will consider whether we can do what you have asked us to do, in line with the law. We must usually respond to you within a month of receiving your request.

Your right to complain

If you are unhappy with the way we are collecting, using, sharing or in any way handling your personal data, or with how we have dealt with any of your requests or rights relating to your personal data, you may complain to the Information Commissioner’s Office at:

Wycliffe House
Water Lane
Wilmslow
SK9 5AF

Contact the Information Commissioner’s Office

0303 123 1113

You also have the right to ask a Court to consider whether we are dealing properly with your personal data and your rights relating to it.

Contents