Personal information charter

This information charter sets out the standards that you can expect from the CMA when we request or hold personal information about you, how you can get access to your personal data, and what you can do if you think standards are not being met.

Personal information

Personal ‘data’ is information that relates to living individuals. It does not include information relating to dead people, groups or communities of people, organisations or businesses.

How we manage personal information

The Data Protection Act 1998 regulates the management of personal information. We need to handle personal information about you so that we can provide services for you. This is how we look after that information.

When we ask you for personal information we promise:

  • to make sure you know why we need it,
  • to ask only for what we need, and not collect too much or irrelevant information
  • to protect it and make sure no unauthorised person has access to it
  • to let you know if we share it with other organisations to give you better public services and whether you can say no
  • to make sure we don’t keep it for longer than is necessary
  • not to make your personal information available for commercial use without your consent, and
  • consider your request to stop processing data about you.

In return we ask you to:

  • give us accurate information, and
  • tell us as soon as possible if there are any changes to your personal circumstances such as your address. This helps us to keep your information reliable and up-to-date.
  • Let us know at the time of writing, if you would like your enclosed correspondence or enclosed documents returned to you.

This helps us to keep your information reliable and up to date, and ensures your correspondence is returned if requested

CMA Data Protection Policy

When we ask you for information we will keep to the law, including the Data Protection Act 1998. Through appropriate management and strict controls, we will follow the 8 principles of data protection described in the act. Also see the Information Commissioners general guidance on the implementation of data protection.

We will also ensure that:

  • there is someone with specific responsibility for data protection in the organisation (the nominated person is called the Data Protection Coordinator)
  • everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice, is appropriately trained to do so and is appropriately supervised
  • we deal with enquiries about how we handle personal information promptly and courteously
  • we describe how we handle personal information clearly, regularly review and audit how we manage personal information, and regularly assess and evaluate methods of handling personal information

Find out what personal information we hold about you

You can find out what information we hold about you by making a Subject Access Request in accordance with the Data Protection Act 1998. If we do hold information about you we will, subject to certain exemptions contained in the Act and other relevant legislation:

  • give you a description of it
  • tell you why we are holding it
  • tell you who it could be disclosed to
  • let you have a copy of the information, and
  • correct any errors or mistakes you may find.

If you want to make a Subject Access Request, please note the following:

  1. You will need to supply proof of your identity. This should include a photocopy of the identification pages of your current passport or of a current photo driving licence, and the original of a current utilities (for example, electricity) bill, or credit card or bank statement, which includes your name and current address. This can be returned to you if required.
  2. It would also help us to narrow our search if you could tell us which part of the CMA or in what regard you believe we might hold personal data on you. If you are not sure which offices might hold the information, please tell us the context in which you have had dealings with us.
  3. We will withhold information where there are good reasons for doing so and where the Data Protection Act permits.
  4. Under the Data Protection Act we are allowed to charge a fee for responding to a subject access request. However, it is not currently the policy of CMA to charge for subject access requests.

If you wish to make a subject access request please write to:

Data Protection Coordinator
Information Access Team
6th Floor
Competition and Markets Authority
Victoria House
Southampton Row

Alternatively, you can email

Please include in the subject line ‘subject access request’.

We are required to supply you with your personal data within 40 days of receiving a valid request. If we can’t meet that deadline, we will keep you informed of progress to fulfilling your request

Find out more about how we deal with personal information

Details of how we use personal data are set out in the Information Commissioner’s Register of Data Controllers.

How to make a complaint

When we ask you for personal information we will handle it in accordance with the law. If you consider that your information has been handled incorrectly you can contact the Information Commissioner for independent advice about data protection, privacy and data sharing issues. You can contact the Information Commissioner at:

Wycliffe House
Water Lane

Telephone: 01625 545 745

Fax: 01625 524 510