Due to the ongoing COVID-19 outbreak, our offices are closed until further notice. We are not therefore able to accept delivery of any correspondence by post. Please therefore contact us by email or telephone.
This is the CMA’s ‘Privacy Notice’. It explains how we collect, use and share your personal information (personal data) at the CMA.
Sometimes we need to collect, use and share personal information about individuals, so that we can do our work. This information is called ’personal data’. When we are collecting, using and sharing personal data, we are a ‘controller’.
Personal data is information about living individuals who can be identified from it. It is not information about organisations or companies. It includes sound recordings, photographs, CCTV images and online identifiers.
Collecting, using and sharing personal data is called ‘processing’. Anything at all that we do to, or with, personal data, including deleting it, or just viewing it, is processing.
What we do
Our work at the CMA involves promoting competition for the benefit of consumers and making markets work well for consumers, businesses and the economy.
020 3738 6000
Personal data and the law
When we collect, use and share personal data, we follow the law. The law on personal data is set out in the European General Data Protection Regulation ((EU) 2016/679) and in the Data Protection Act 2018.
Data Protection Officer
To ensure that we follow the law, we have a Data Protection Officer, who has special responsibility for how we collect, use and share personal data.
You can contact the Data Protection Officer, at:
Why we collect, use and share personal data
We collect, use and share personal data for our investigations and our enforcement and regulatory work. We also collect, use and share personal data as an employer. For example, we use CCTV in our building for security reasons and to prevent and detect crime.
We only collect, use and share personal data where the law says we can.
where we have your express consent
where the law allows us to collect, use and share the personal data, because it is in the public interest and because we need to do this so that we can carry out our official work
where we need your personal data because we have a contract with you, for example a contract of employment
where the law says that we can compel someone to provide us with your personal data, so that we can carry out our work
where the law compels us to collect, use or share personal data
If you fail to provide personal data
If we have compelled you to provide us with personal data and you have failed to provide it, you may have to pay a fine.
Your right to withdraw your consent
If you have given us your consent to collect, use or share your personal data, you may withdraw your consent at any time by contacting us. Withdrawing your consent will not affect the validity of how we have collected, used or shared your personal data up to that point.
Sharing personal data
Sometimes we need to share your personal data with other organisations so that we can do our work. We do not share your personal data with anyone unless it is necessary to share it.
The types of organisations we share your personal data with include:
national and international consumer and competition organisations and regulators
enforcement partners like the Advertising Standards Authority
the European Commission
the Consumers, Health, Agriculture and Food Executive Agency
the Global Competition Review
the National Audit Office
payroll and pensions providers
external health advisers
Sharing personal data overseas
Sometimes we may need to share your personal data with countries and organisations outside the European Economic Area.
The CMA is currently sharing personal data (staff contact details) with countries or organisations outside the European Economic Area for the purposes of fire or other major incident planning.
The CMA may also use the services of international economic experts, relying on standard contractual clauses approved by the European Commission as an appropriate safeguard for personal data.
We are actively reviewing our current arrangements where we use processors who store personal data in the US, in view of the very recent Judgment of the Court of Justice of the European Union in the case of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. We will be monitoring and following ICO guidance on this.
Collecting personal data from third parties
Sometimes we collect your personal data directly from you, but sometimes we collect it from third parties. Where we collect personal data from third parties, it is from organisations like survey companies, or those traders operating in sectors of the market that we are investigating or taking regulatory or enforcement action against. The categories of personal data will reflect the market concerned.
Third parties the CMA obtains personal data from include:
NHS Digital (more information on how the CMA collects, uses and protects Hospital Episode Statistics (HES) data is available in the HES data process document)
other government departments
other competition authorities and regulators
credit reference agencies
The CMA also uses publicly available data.
How long we keep your personal data
The law says that we may only keep your personal data for as long as we have a legal basis to do so. This will usually mean that it is necessary for us to keep the personal data so that we can carry out our work as a public authority, a government department and a regulator. For example, where we collect and use personal data to carry out a market investigation into a particular sector, it is likely that we will no longer need your personal data once that market investigation is complete.
We may also keep your personal data for reasons of accountability and to meet legal requirements.
When we no longer need your personal data, we securely delete it.
In deciding how long we need to keep your personal data for, we also have regard to the time periods recommended to government departments for keeping certain categories of information by The National Archive and our own retention policy.
Your right to ask us whether we are collecting, using or sharing your personal data
You may ask us at any time whether we are collecting, using or sharing your personal data, what personal data of yours we have, why we have it and what we are going to do with it. Where we are collecting, using or sharing your personal data, you can ask us for a copy of it. We must usually respond to you within a month.
Your other rights
You may also ask us at any time to delete your personal data (sometimes called the ‘right to be forgotten’), or to correct it where you believe it may be wrong or incomplete, or to stop collecting, using or sharing your personal data, or to collect, use or share it in a more restricted way.
Where organisations like the CMA are collecting and using personal data for automated decision-making or profiling purposes, you may object to this.
The CMA is not collecting or using personal data for automated decision-making.
If you have provided us with your personal data electronically and would like it back, or to be sent to another organisation which is similar to the CMA, you can ask us to send it to you or to that organisation direct and in what is called a ‘commonly used, machine-readable format’ and we may have to do so. This is called the ‘right to data portability’.
For all of these rights, we will consider whether we can do what you have asked us to do, in line with the law. We must usually respond to you within a month of receiving your request.
Your right to complain
If you are unhappy with the way we are collecting, using, sharing or in any way handling your personal data, or with how we have dealt with any of your requests or rights relating to your personal data, you may complain to the Information Commissioner’s Office at:
0303 123 1113
You also have the right to ask a Court to consider whether we are dealing properly with your personal data and your rights relating to it.