The personal information charter is the CMA’s Privacy Notice.
Sometimes we need to collect, use and share personal information about individuals, so that we can do our work. This information is called personal data.
Personal data is information about living individuals who can be identified from it. It is not information about organisations or companies. It includes sound recordings, photographs and CCTV images.
Collecting, using and sharing personal data is called ‘processing’. Anything at all that we do to, or with, personal data, including deleting it or just viewing it, is processing.
What we do
Our work at the CMA involves promoting competition for the benefit of consumers and making markets work well for consumers, businesses and the economy.
37 Southampton Row
020 3738 6000
Personal data and the law
When we collect, use and share personal data, we follow the law. The law on personal data is set out in the European General Data Protection Regulation 2016 and in the Data Protection Act 2018.
Data Protection Officer
To ensure that we follow the law, we have a Data Protection Officer, who has special responsibility for how we collect, use and share personal data.
You can contact the Data Protection Officer, at:
37 Southampton Row
020 3738 6000
Why we collect, use and share personal data
We collect, use and share personal data for our investigations and our enforcement and regulatory work. We also collect, use and share personal data as an employer:
We only collect, use and share personal data where the law says we can.
where we have your express consent
where the law allows us to collect, use and share the personal data, because it is in the public interest and because we need to do this so that we can carry out our official work
where we need your personal data because we have a contract with you, for example a contract of employment
where the law says that we can compel someone to provide us with your personal data, so that we can carry out our work
when the law compels us to collect, use or share personal data
If you fail to provide personal data
If we have compelled you to provide us with personal data and you have failed to provide it, you may have to pay a fine.
Your right to withdraw your consent
If you have given us your consent to collect, use or share your personal data, you may withdraw your consent at any time by contacting us. Withdrawing your consent will not affect the validity of how we have collected, used or shared your personal data up to that point.
Sharing personal data
Sometimes we need to share your personal data with other organisations so that we can do our work. We do not share your personal data with anyone unless it is necessary to share it.
The types of organisations we share your personal data with include:
national and international consumer and competition organisations and regulators
enforcement partners like the Advertising Standards Authority
the European Commission
the Consumers, Health, Agriculture and Food Executive Agency
the Global Competition Review
the National Audit Office
payroll and pensions providers
external health advisers
Sharing personal data overseas
Sometimes we may need to share your personal data with countries and organisations outside the European Economic Area.
The CMA is not currently sharing personal data with any countries or organisations outside the European Economic Area, except for staff contact details for the purposes of fire or other major incident planning. These details will be processed by a USA-based company, which is certified under the EU-US Privacy Shield Framework, and so has sufficient and appropriate safeguards in place to protect the integrity of the personal data and related rights.
Collecting personal data from third parties
Sometimes we collect your personal data directly from you, but sometimes we collect it from third parties. Where we collect personal data from third parties, it is from organisations like survey companies, or those traders operating in sectors of the market that we are investigating or taking regulatory or enforcement action against. The categories of personal data will reflect the market concerned.
Third parties the CMA obtains personal data from include:
NHS Digital (more information on how the CMA collects, uses and protects Hospital Episode Statistics (HES) data is available in the HES data process document)
other government departments
other competition authorities
credit reference agencies
How long we keep your personal data
The law says that we may only keep your personal data for as long as we need it to do our work. For example, where we collect and use personal data to carry out a market investigation into a particular sector, it is likely that we will no longer need your personal data once that market investigation is complete.
When we no longer need your personal data, we securely delete it.
In deciding how long we need to keep your personal data for, we also have regard to the time periods recommended to government departments for keeping certain categories of information by The National Archive and our own retention policy. For more information see the CMA’s Data Retention Policy:
Your right to ask us whether we are collecting, using or sharing your personal data
You may ask us at any time whether we are collecting, using or sharing your personal data, what personal data of yours we have, why we have it and what we are going to do with it. Where we are collecting, using or sharing your personal data, you can ask us for a copy of it. We must usually respond to you within a month.
Your other rights
You may also ask us at any time to delete your personal data (sometimes called the ‘right to be forgotten’), or to correct it where you believe it may be wrong or incomplete, or to stop collecting, using or sharing your personal data, or to collect, use or share it in a more restricted way.
Where organisations like the CMA are collecting and using personal data for automated decision-making or profiling purposes, you may object to this.
The CMA is not collecting or using personal data for automated decision-making.
If you have provided us with your personal data electronically and would like it back, or to be sent to another organisation which is similar to the CMA, you can ask us to send it to you or to that organisation direct and in what is called a ‘commonly used, machine-readable format’. This is called the ‘right to data portability’.
For all of these rights, we will consider whether we can do what you have asked us to do, in line with the law. We must usually respond to you within a month of receiving your request.
Your right to complain
If you are unhappy with the way we are collecting, using, sharing or in any way handling your personal data, or with how we have dealt with any of your requests or rights relating to your personal data, you may complain to the Information Commissioner’s Office at:
0303 123 1113
You also have the right to ask a Court to consider whether we are dealing properly with your personal data and your rights relating to it.