Privacy Notice

Privacy Notice

The Independent Monitoring Authority (“IMA”, “we”, “us”, “our”) of 3rd Floor Civic Centre, Oystermouth Road, Swansea, SA1 3SN are committed to protecting and respecting your privacy. We are committed to the protection of the personal data we process in line with the data protection principles set out in the UK General Data Protection Regulation, EU General Data Protection Regulation and Gibraltar General Data Protection Regulation (collectively the “GDPR”) and the Data Protection Act 2018.

This privacy notice (“this Notice”) explains what personal data we collect from individuals who visit our website, contact us by email, phone or through one of our social channels; other marketing communications; or visit us in person (“you”, “your”). It also explains what information we collect automatically when you visit our website, the information we collect when you communicate with us in the discharge of our functions and the information we collect from third parties. It explains how and why we process personal data in discharging our functions and gives you information about your rights in relation to that processing.

The Independent Monitoring Authority is a controller for the purposes of the GDPR, registered in the UK with the Information Commissioner’s Office, registration number ZA804857.

As an information-led organisation, we place great importance on ensuring the quality, confidentiality, integrity and accuracy of the data we hold and in meeting our data protection obligations when processing personal data. We are committed to protecting the security of your personal data. We use a variety of technical and organisational measures to help protect your personal data from unauthorised access, loss, use or disclosure.

We update this Notice from time to time in response to changes in applicable law and guidance, to our processing practices and to the functions we discharge. This notice was last updated in November 2024.

Who we are?

The IMA is an independent, non-departmental public body set up to monitor and protect the rights of EU and EEA EFTA citizens and their family members in the UK, as set out in Part 2 of the Withdrawal Agreement and the EEA EFTA Agreement. Our statutory functions are set out in the European Union (Withdrawal Agreement) Act 2020 and include powers to receive complaints, conduct inquiries and to take legal action.

What information do we process?

We process all information you give us, either through our website https://ima-citizensrights.org.uk/ (“our site”) or by corresponding with us by telephone, email or otherwise. This includes information you provide when you use our site, or other social media functions linked to our site, communicate with us in the discharge of our functions, when signing up to receive our newsletter, or when you report a problem with our site. We also process personal data that is provided to us by external parties, to the extent that is necessary for the discharge of our functions.

What information we collect depends on the nature of your contact with us.

Information processed following an enquiry

The information processed may include, but is not limited to:

  • Name
  • Address
  • Email address
  • Telephone number(s)
  • The details of your enquiry
  • Any information you share through our social media channels
  • If your enquiry or request relates to a complaint that you have made to us, we locate information from your complaint record

Information processed when you subscribe to our newsletter or other publications

The information processed may include, but is not limited to:

  • Name
  • Address
  • Email address
  • Location data

Information processed when you make a complaint

The information processed may include, but is not limited to:

  • Name
  • Address
  • Email address
  • Telephone number(s)
  • Date of Birth
  • Immigration status
  • Portal log-in data
  • Portal usage data
  • Location data

The details of your complaint may also include information relating to your family members and/or any other person named. We need this information so we can decide if we can consider your complaint.

Information processed as part of an inquiry

The information processed may include, but is not limited to:

  • Name
  • Address
  • Email address
  • Telephone number(s)
  • Date of Birth
  • Immigration status/relevant reference numbers
  • The content of any materials you provide (such as written evidence/correspondence), which may include special category or criminal offence data
  • Any information provided by you relating to your family members and/or any other person named in correspondence
  • Your equality data (where provided) so that we can comply with our legal obligations under the Equality Act 2010 

Information processed in connection with legal proceedings

The information processed may include, but is not limited to:

  • Name
  • Address
  • Email address
  • Telephone number(s)
  • Date of Birth
  • Immigration status/relevant reference numbers
  • Details of any ongoing or anticipated legal proceedings, which may include special category or criminal offence data

Information processed when you take part in a consultation or engagement event

The information we collect will depend on whether you are responding to a consultation, survey, are attending one of our engagement events or are attending for another reason. It may include, but is not limited to:

  • Name
  • Address
  • Email address
  • Telephone number(s)
  • Any documentation needed to verify your identity
  • Information about whether you are participating in a personal or professional capacity
  • The content of any materials you provide (such as written evidence in correspondence), which may include special category or criminal offence data
  • Your views or feedback on your experience relevant to our work
  • Any photographs and videos or audio recorded at our events
  • Your equality data (where provided) so that we can comply with our legal obligations under the Equality Act 2010.

Information processed when you make a request under the Freedom of Information Act 2000, GDPR or Data Protection Act 2018

The information processed may include, but is not limited to:

  • Name
  • Address
  • Email address
  • Telephone number(s)
  • The details of your request
  • The details of any third party making a request on your behalf (if applicable)

Cookies and Web Beacons

Our website uses a cookie control system which allows the user, on their first visit to the website, to allow or disallow the use of cookies on their computer / device. For details about the specific cookies we use including how we use them and how to disable them you can see the Cookies page of our website.

Lawful bases for processing your data

When we process your information the following lawful bases will be relied upon unless otherwise stated:

Corresponding with you

We will process the personal details that are necessary in order to provide a response.

This is necessary for us to perform our public tasks

Lawful Basis – Public task 

It is necessary for the performance of our statutory functions (i.e. the powers and duties that Parliament has conferred on us).

Complaints and investigations

We have a statutory function to receive and investigate complaints.

We will use the data you provide and other personal, special category or criminal offence data to investigate and act in line with our statutory functions.

Where we process special category or criminal offence personal data, we do so for reasons of substantial public interest.

Where it is necessary for the purposes of our statutory functions, we may also get in touch with you about the information you have provided.

It may be necessary to use the data you provide for the purposes of an inquiry.

Lawful Basis – Public task

It is necessary for the performance of our statutory functions (i.e. the powers and duties that Parliament has conferred on us).

Inquiries

We conduct inquiries under our statutory powers. In addition to any data you provide as part of any call for evidence, we may also collect information about individuals from other organisations, e.g. government departments.

We will only collect personal data, including special category data and/or criminal offence data, that is relevant and necessary for the inquiry. Where we process special category or criminal offence data, we do so for reasons of substantial public interest.

Any data collected about you will only be used for the purposes of the inquiry in line with its published terms of reference and in any other investigations conducted as a result of the inquiry.

We may also get in touch with you about the information we have obtained from you or a third party.

Any findings, reports or recommendations shared publicly will not identify you unless you have expressly consented to this.

Lawful Bases – Public task 

It is necessary for the performance of our statutory functions (i.e. the powers and duties that Parliament has conferred on us).

Where we process special category or criminal offence  data, we do so for reasons of substantial public interest.

Subscribe to our newsletter or request our publications

We will collect your contact details so that we can send the information to you.

Lawful Basis for Processing

Consent – We ask for your specific consent to receive our publications which you can revoke at any time.

Taking part in a consultation or survey

We have a statutory power to monitor UK public bodies to ensure that they are respecting the rights of EU and EEA EFTA citizens and their family members.

Under our monitoring powers we may gather data you provide to us and analyse it as evidence for the purpose stated in the activity, for example to understand the experience of EU and EEA EFTA citizens and their family members.

This may include special category or criminal offence data. Where we process special category or criminal offence data, we do so for reasons of substantial public interest.

We may use the information provided to publish anonymised data such as statistics, but these will not identify you in any way.

Lawful Bases for Processing

Public task – It is necessary for the performance of our statutory functions (i.e. the powers and duties that Parliament has conferred on us).

Where we process special categories personal data, we do so for reasons of substantial public interest.

Attending an event or visiting in person

If you attend an event or visit our offices in person for another reason, we will collect your name and contact details to register your attendance and ensure adequate health and safety.

We do this under our legitimate interest to facilitate an event, provide you with an acceptable service, and ensure appropriate security, health and safety at such events.

We will also maintain a record of your attendance and may follow up with you in relation to the event, your visit and any potential further relationship.

We do this under our statutory promotion power.

Lawful Bases for Processing

Legitimate interest – Our legitimate interest in ensuring events are properly run and our legal obligation to ensure adequate security, health and safety.

Public task – It is necessary for the performance of our statutory functions (i.e. the powers and duties that Parliament has conferred on us).

Legal proceedings that we undertake, assist, intervene, consider or are otherwise involved in

We have a statutory power to take legal action and to intervene in legal proceedings.

We may collect and use the necessary information about you for the case under our statutory powers. This may include data that has been provided to us by you or third parties in connection with legal proceedings.

We process this data as part of our statutory function in the public interest.

We may also use your personal data in relation to any existing or potential legal proceedings you may bring against us.

Lawful Bases for Processing

Public task – It is necessary for the performance of our statutory functions (i.e. the powers and duties that Parliament has conferred on us).

Also, where the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

We process your special category data as it is necessary for the establishment, exercise or defence of legal claims.

Making an Information Request to us

We will process your personal details and any other information that is necessary for us to comply with our legal obligations to respond to information rights requests.

Lawful Bases for Processing

Legal obligation – We need to comply with our legal obligation as a public body under the Freedom of Information Act 2000, Environmental Information Regulations 2004, the GDPR and the Data Protection Act 2018.Prevention and detection of crime including money laundering, fraud or other crimes.

Lawful Bases for Processing

Legal obligation – We have a legal obligation to report any such activity to the relevant authorities and regulators and that reporting may involve the processing of personal data. Any such processing is undertaken pursuant to the lawful basis that applies to processing that is necessary for compliance with a legal obligation to which we are subject.

Sharing your information

We will rarely share your personal data outside the United Kingdom (“UK”) or the European Economic Area (“EEA”). If this becomes necessary for the purposes of discharging our functions, we will only share it where appropriate transfer mechanisms and safeguards are in place, such as the UK International Data Transfer Agreement (“IDTA”), The EU-US Data Privacy Framework or EU-approved Standard Contractual Clauses (“SCCs”) with supplementary measures, to ensure your personal data is protected to the same standard that applies within the UK and EEA.

We may use Qualtrics to gather information on our behalf. Any data collected by Qualtrics for the IMA is held in the UK. The Qualtrics privacy statement can be found here.

We may use translation and transcription services offered by TheBigWord, their privacy notice can be found here

We use MediaHQ for media and subscription services, MediaHQ privacy notice can be found here.

If documents are required to be signed by you electronically, we will use Adobe Sign to provide this function. The Adobe Sign privacy notice can be found here.

When we investigate a complaint/carry out an inquiry, we may be required to share your data with Government departments and other public authorities. We will only do so where this is necessary, keeping the processing of any such data to the minimum necessary to achieve the purpose of the sharing.

Our website includes links to other third-party websites and social media platforms (Facebook, Instagram, Twitter). The sites may collect your IP address and may set a cookie on your device. When you use one of these links, you are sharing information to another website or service and this Notice will no longer apply. Please read the privacy notices provided by the particular service website you are directed to before posting any personal information using these links.

Your rights

The GDPR provides you with certain rights in relation to the processing of your personal data, including to:

  • Request access to personal data about you (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you that is not exempt from disclosure to you, and to check that we are processing it lawfully
  • Request rectification, correction, or updating to any of the personal data that we hold about you. This enables you to ask that any information we hold about you is corrected if you consider that it is incomplete or inaccurate.
  • Request personal data provided by you to be transferred in machine-readable format (“data portability”).
  • Request erasure of personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove personal data where you have exercised your right to object to processing (see below).
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you (e.g., if you want us to establish its accuracy or the reason for processing it).
  • Object to the processing of your personal data in certain circumstances.

Some of these rights are not absolute and are subject to various conditions under applicable data protection and privacy legislation, laws and regulations to which we are subject.

If at any time you decide you no longer wish to be contacted for marketing purposes, or if you would like to exercise any of your rights as set out above, you can contact us at dpo@ima-citizensrights.org.uk. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow Cheshire SK9 5AF, or https://www.ico.org.uk

Data retention period

We will retain your personal data for as long as is necessary for the discharge of our functions and for a reasonable period thereafter, to enable us to meet our legal obligations and to deal with complaints and claims.

At the end of the retention period, which should be no longer than 7 years, your personal data will be securely deleted in accordance with the IMA Personal Data Retention Policy which can be found here.

Contact

You can contact the IMA in relation to data protection and this privacy notice by emailing dpo@ima-citizensrights.org.uk.