Personal information charter

How we collect, use and share your personal information (personal data) at the CMA.

The personal information charter is the CMA’s Privacy Notice.

Sometimes we need to collect, use and share personal information about individuals, so that we can do our work. This information is called personal data.

Personal data is information about living individuals who can be identified from it. It is not information about organisations or companies. It includes sound recordings, photographs and CCTV images.

Collecting, using and sharing personal data is called ‘processing’. Anything at all that we do to, or with, personal data, including deleting it or just viewing it, is processing.

What we do

Our work at the CMA involves promoting competition for the benefit of consumers and making markets work well for consumers, businesses and the economy.

Contact us

Victoria House
37 Southampton Row
London
WC1B 4AD

general.enquiries@cma.gsi.gov.uk

020 3738 6000

Personal data and the law

When we collect, use and share personal data, we follow the law. The law on personal data is set out in the European General Data Protection Regulation 2016 and in the Data Protection Act 2018.

Data Protection Officer

To ensure that we follow the law, we have a Data Protection Officer, who has special responsibility for how we collect, use and share personal data.

You can contact the Data Protection Officer, Gus Cottell, at:

Second Floor
Victoria House
37 Southampton Row
London
WC1B 4AD

gus.cottell@cma.gsi.gov.uk

020 3738 6996

Why we collect, use and share personal data

We collect, use and share personal data for our investigations and our enforcement and regulatory work. We also collect, use and share personal data as an employer:

We only collect, use and share personal data where the law says we can.

This is:

  • where we have your express consent

  • where the law allows us to collect, use and share the personal data, because it is in the public interest and because we need to do this so that we can carry out our official work

  • where we need your personal data because we have a contract with you, for example a contract of employment

  • where the law says that we can compel someone to provide us with your personal data, so that we can carry out our work

  • when the law compels us to collect, use or share personal data

If you fail to provide personal data

If we have compelled you to provide us with personal data and you have failed to provide it, you may have to pay a fine.

If you have given us your consent to collect, use or share your personal data, you may withdraw your consent at any time by contacting us. Withdrawing your consent will not affect the validity of how we have collected, used or shared your personal data up to that point.

Sharing personal data

Sometimes we need to share your personal data with other organisations so that we can do our work. We do not share your personal data with anyone unless it is necessary to share it.

The types of organisations we share your personal data with include:

  • national and international consumer and competition organisations and regulators

  • enforcement partners like the Advertising Standards Authority

  • the European Commission

  • the Consumers, Health, Agriculture and Food Executive Agency

  • the Global Competition Review

  • legal counsel

  • HMRC

  • the National Audit Office

  • auditors

  • payroll and pensions providers

  • recruitments agencies

  • external health advisers

Sharing personal data overseas

Sometimes we may need to share your personal data with countries and organisations outside the European Economic Area.

The CMA is not currently sharing personal data with any countries or organisations outside the European Economic Area, except for staff contact details for the purposes of fire or other major incident planning. These details will be processed by a USA-based company, which is certified under the EU-US Privacy Shield Framework, and so has sufficient and appropriate safeguards in place to protect the integrity of the personal data and related rights.

Collecting personal data from third parties

Sometimes we collect your personal data directly from you, but sometimes we collect it from third parties. Where we collect personal data from third parties, it is from organisations like survey companies, or those traders operating in sectors of the market that we are investigating or taking regulatory or enforcement action against. The categories of personal data will reflect the market concerned.

Third parties the CMA obtains personal data from include:

  • NHS Digital

  • other government departments

  • other competition authorities

  • stakeholders

  • traders

  • consumer organisations

  • research agencies

  • credit reference agencies

How long we keep your personal data

The law says that we may only keep your personal data for as long as we need it to do our work. For example, where we collect and use personal data to carry out a market investigation into a particular sector, it is likely that we will no longer need your personal data once that market investigation is complete.

When we no longer need your personal data, we securely delete it.

In deciding how long we need to keep your personal data for, we also have regard to the time periods recommended to government departments for keeping certain categories of information by The National Archive and our own retention policy. For more information see the CMA’s Data Retention Policy:

CMA Data Retention Policy

This file may not be suitable for users of assistive technology. Request an accessible format.

If you use assistive technology (such as a screen reader) and need a version of this document in a more accessible format, please email general.enquiries@cma.gsi.gov.uk. Please tell us what format you need. It will help us if you say what assistive technology you use.

Your right to ask us whether we are collecting, using or sharing your personal data

You may ask us at any time whether we are collecting, using or sharing your personal data, what personal data of yours we have, why we have it and what we are going to do with it. Where we are collecting, using or sharing your personal data, you can ask us for a copy of it. We must usually respond to you within a month.

Your right to ask us if we are collecting, storing, using or disclosing your personal data and to obtain a copy of it

This file may not be suitable for users of assistive technology. Request an accessible format.

If you use assistive technology (such as a screen reader) and need a version of this document in a more accessible format, please email general.enquiries@cma.gsi.gov.uk. Please tell us what format you need. It will help us if you say what assistive technology you use.

Your other rights

You may also ask us at any time to delete your personal data (sometimes called the ‘right to be forgotten’), or to correct it where you believe it may be wrong or incomplete, or to stop collecting, using or sharing your personal data, or to collect, use or share it in a more restricted way.

Your right to ask us to delete your personal data (your right to be forgotten)

This file may not be suitable for users of assistive technology. Request an accessible format.

If you use assistive technology (such as a screen reader) and need a version of this document in a more accessible format, please email general.enquiries@cma.gsi.gov.uk. Please tell us what format you need. It will help us if you say what assistive technology you use.

Your right to ask us to correct your personal data where you believe it is inaccurate (your right to rectification)

This file may not be suitable for users of assistive technology. Request an accessible format.

If you use assistive technology (such as a screen reader) and need a version of this document in a more accessible format, please email general.enquiries@cma.gsi.gov.uk. Please tell us what format you need. It will help us if you say what assistive technology you use.

Your right to object to the collection, use, storage or disclosure of your personal data (your right to object to processing)

This file may not be suitable for users of assistive technology. Request an accessible format.

If you use assistive technology (such as a screen reader) and need a version of this document in a more accessible format, please email general.enquiries@cma.gsi.gov.uk. Please tell us what format you need. It will help us if you say what assistive technology you use.

Your right to ask us to restrict how we are collecting, using, storing or disclosing your personal data (your right to restrict processing)

This file may not be suitable for users of assistive technology. Request an accessible format.

If you use assistive technology (such as a screen reader) and need a version of this document in a more accessible format, please email general.enquiries@cma.gsi.gov.uk. Please tell us what format you need. It will help us if you say what assistive technology you use.

Where organisations like the CMA are collecting and using personal data for automated decision-making or profiling purposes, you may object to this.

The CMA is not collecting or using personal data for automated decision-making or profiling.

If you have provided us with your personal data electronically and would like it back, or to be sent to another organisation which is similar to the CMA, you can ask us to send it to you or to that organisation direct and in what is called a ‘commonly used, machine-readable format’. This is called the ‘right to data portability’.

Your right to data portability

This file may not be suitable for users of assistive technology. Request an accessible format.

If you use assistive technology (such as a screen reader) and need a version of this document in a more accessible format, please email general.enquiries@cma.gsi.gov.uk. Please tell us what format you need. It will help us if you say what assistive technology you use.

For all of these rights, we will consider whether we can do what you have asked us to do, in line with the law. We must usually respond to you within a month of receiving your request.

Your right to complain

If you are unhappy with the way we are collecting, using, sharing or in any way handling your personal data, or with how we have dealt with any of your requests or rights relating to your personal data, you may complain to the Information Commissioner’s Office at:

Wycliffe House
Water Lane
Wilmslow
SK9 5AF

casework@ico.org.uk

0303 123 1113

You also have the right to ask a Court to consider whether we are dealing properly with your personal data and your rights relating to it.