Privacy Notice

The Independent Monitoring Authority (“IMA”, “we”, “us”, “our”) of 3rd Floor Civic Centre, Oystermouth Road, Swansea, SA1 3SN are committed to protecting and respecting your privacy. We are committed to the protection of the personal data we process in line with the data protection principles set out in the UK General Data Protection Regulation, EU General Data Protection Regulation and Gibraltar General Data Protection Regulation (collectively the “GDPR”) and the Data Protection Act 2018.

This privacy notice (“this Notice”) explains what personal data we collect from individuals who visit our website, contact us by email, phone or through one of our social channels; other marketing communications; or visit us in person (“you”, “your”). It also explains what information we collect automatically when you visit our website, the information we collect when you communicate with us in the discharge of our functions and the information we collect from third parties. It explains how and why we process personal data in discharging our functions and gives you information about your rights in relation to that processing.

The Independent Monitoring Authority is a controller for the purposes of the GDPR, registered in the UK with the Information Commissioner’s Office, registration number ZA804857.

As an information-led organisation, we place great importance on ensuring the quality, confidentiality, integrity and accuracy of the data we hold and in meeting our data protection obligations when processing personal data. We are committed to protecting the security of your personal data. We use a variety of technical and organisational measures to help protect your personal data from unauthorised access, loss, use or disclosure.

We update this Notice from time to time in response to changes in applicable law and guidance, to our processing practices and to the functions we discharge.

Who are we?

The IMA is an independent body that makes sure the rights of EU and EEA EFTA citizens living in the UK and Gibraltar are upheld following the departure of the UK from the EU. Our statutory functions are set out in the European Union (Withdrawal Agreement) Act 2020 and include powers to receive complaints, conduct inquiries and to take legal action.

What information do we process?

We process all information you give us, either through our website https://ima-citizensrights.org.uk/ (“our site”) or by corresponding with us by telephone, email or otherwise. This includes information you provide when you use our site, or other social media functions linked to our site, communicate with us in the discharge of our functions, when signing up to receive our newsletter, or when you report a problem with our site. We also process personal data that is provided to us by external parties, to the extent that is necessary for the discharge of our functions.

What information we collect depends on the nature of your contact with us.

Information processed following an enquiry

The information processed may include, but is not limited to:

  • Name
  • Address
  • Email address
  • Telephone number(s)
  • The details of your enquiry
  • Any information you share through our social media channels
  • If your enquiry or request relates to a complaint that you have made to us, we locate information from your complaint record

Information processed when you subscribe to our newsletter or other publications

The information processed may include, but is not limited to:

  • Name
  • Address
  • Email address
  • Location data

Information processed when you make a complaint

The information processed may include, but is not limited to:

  • Name
  • Address
  • Email address
  • Telephone number(s)
  • Date of Birth
  • Immigration status
  • Portal log-in data
  • Portal usage data
  • Location data

The details of your complaint may also include information relating to your family members and/or any other person named. We need this information so we can decide if we can consider your complaint.

Information processed as part of an inquiry

The information processed may include, but is not limited to:

  • Name
  • Address
  • Email address
  • Telephone number(s)
  • Date of Birth
  • Immigration status/relevant reference numbers
  • The content of any materials you provide (such as written evidence/correspondence), which may include special category or criminal offence data
  • Any information provided by you relating to your family members and/or any other person named in correspondence
  • Your equality data (where provided) so that we can comply with our legal obligations under the Equality Act 2010

Information processed in connection with legal proceedings

The information processed may include, but is not limited to:

  • Name
  • Address
  • Email address
  • Telephone number(s)
  • Date of Birth
  • Immigration status/relevant reference numbers
  • Details of any ongoing or anticipated legal proceedings, which may include special category or criminal offence data

Information processed when you take part in a consultation or engagement event

The information we collect will depend on whether you are responding to a consultation or survey, attending one of our engagement events or attending for another reason. It may include, but is not limited to:

  • Name
  • Address
  • Email address
  • Telephone number(s)
  • Any documentation needed to verify your identity
  • Information about whether you are participating in a personal or professional capacity
  • The content of any materials you provide (such as written evidence in correspondence), which may include special category or criminal offence data
  • Your views or feedback on your experience relevant to our work
  • Any photographs and videos or audio recorded at our events
  • Your equality data (where provided) so that we can comply with our legal obligations under the Equality Act 2010.

Information processed when you make a request under the Freedom of Information Act 2000, GDPR or Data Protection Act 2018

The information processed may include, but is not limited to:

  • Name
  • Address
  • Email address
  • Telephone number(s)
  • The details of your request
  • The details of any third party making a request on your behalf (if applicable)

Cookies and Web Beacons

Our website uses a cookie control system which allows the user, on their first visit to the website, to allow or disallow the use of cookies on their computer / device (click the cookie icon at the bottom right-hand corner of the screen).

Cookies are small text files saved to the user’s computer which track, save and store information about the user’s interactions and usage of our website. This allows our website to provide users with a tailored experience. Users are advised that if they wish to deny the use and saving of cookies from our website on to their computer or device, they should take necessary steps within their web browser’s security settings to block all cookies from our website.

We use cookies to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you have provided to them or that they have collected from your use of their services.

Our website uses tracking software to monitor our visitors, to better understand how they use it. This software is provided by Google Analytics which uses cookies to track visitor usage. The software will save a cookie to your computer or device in order to track and monitor your engagement and usage of our website, but will not store, save or collect personal information. You can read the Google privacy policy here for further information.

The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. To install all other types of cookies, we need your consent.

Purpose and bases for processing your data

We may process your data for the following purposes and on the following lawful bases:

  • Corresponding with you

We will process the personal details that are necessary in order to provide a response.

This is necessary for us to perform our public tasks.

Lawful Basis for Processing

It is necessary for the performance of our statutory functions (i.e. the powers and duties that Parliament has conferred on us).

  • Complaints and investigations

We have a statutory function to receive and investigate complaints.

We will use the data you provide and other personal, special category or criminal offence data to investigate and act in line with our statutory functions.

Where we process special category or criminal offence personal data, we do so for reasons of substantial public interest.

Where it is necessary for the purposes of our statutory functions, we may also get in touch with you about the information you have provided.

It may be necessary to use the data you provide for the purposes of an inquiry.

Lawful Basis for Processing

It is necessary for the performance of our statutory functions (i.e. the powers and duties that Parliament has conferred on us).

  • Inquiries

We conduct inquiries under our statutory powers. In addition to any data you provide as part of any call for evidence, we may also collect information about individuals from other organisations, e.g. government departments.

We will only collect personal data, including special category data and/or criminal offence data, that is relevant and necessary for the inquiry.

Any data collected about you will only be used for the purposes of the inquiry in line with its published terms of reference and in any other investigations conducted as a result of the inquiry.

We may also get in touch with you about the information we have obtained from you or a third party.

Any findings, reports or recommendations shared publicly will not identify you unless you have expressly consented to this.

Lawful Bases for Processing

It is necessary for the performance of our statutory functions (i.e. the powers and duties that Parliament has conferred on us).

Where we process special category or criminal offence data, we do so for reasons of substantial public interest.

  • Subscribe to our newsletter or request our publications

We will collect your contact details so that we can send the information to you.

Lawful Basis for Processing

Consent

  • Taking part in a consultation or survey

We have a statutory power to monitor UK public bodies to ensure that they are respecting the rights of EU and EEA EFTA citizens and their family members.

Under our monitoring powers we may gather data you provide to us and analyse it as evidence for the purpose stated in the activity, for example to understand the experience of EU and EEA EFTA citizens and their family members.

This may include special category or criminal offence data. We may use the information provided to publish anonymised data such as statistics, but these will not identify you in any way.

Lawful Bases for Processing

It is necessary for the performance of our statutory functions (i.e. the powers and duties that Parliament has conferred on us).

Where we process special category personal data, we do so for reasons of substantial public interest.

  • Attending an event or visiting in person

If you attend an event or visit our offices in person for another reason, we will collect your name and contact details to register your attendance and ensure adequate health and safety.

We do this under our legitimate interest to facilitate an event, provide you with an acceptable service, and ensure appropriate security, health and safety at such events.

We will also maintain a record of your attendance and may follow up with you in relation to the event, your visit and any potential further relationship.

We do this under our statutory promotion power.

Lawful Bases for Processing

Our legitimate interest in ensuring events are properly run and our legal obligation to ensure adequate security, health and safety.

It is necessary for the performance of our statutory functions (i.e. the powers and duties that Parliament has conferred on us).

  • Legal proceedings that we undertake, assist, intervene, consider or are otherwise involved in

We have a statutory power to take legal action and to intervene in legal proceedings.

We may collect and use the necessary information about you for the case under our statutory powers. This may include data that has been provided to us by you or third parties in connection with legal proceedings.

[When you make a claim to which Practice Direction – Claims relating to EU and EEA EFTA citizens’ rights under Part 2 of the Withdrawal Agreement and Part 2 of the EEA EFTA Separation Agreement applies, you must notify us and send us a copy of your statement of case.

We will use the data you provide and other personal or special category data to monitor the nature and volume of cases concerning the rights of EU and EEA EFTA citizens.

We may decide to intervene in a case brought to our attention, if we feel we can assist the Court by providing expert testimony.]

We process this data as part of our statutory function in the public interest.

We may also use your personal data in relation to any existing or potential legal proceedings you may bring against us.

Lawful Bases for Processing

It is necessary for the performance of our statutory functions (i.e. the powers and duties that Parliament has conferred on us).

Also, where the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

We process your special category data as it is necessary for the establishment, exercise or defence of legal claims.

  • Making an Information Request to us

We will process your personal details and any other information that is necessary for us to comply with our legal obligations to respond to information rights requests.

Lawful Bases for Processing

We need to comply with our legal obligation as a public body under the Freedom of Information Act 2000, Environmental Information Regulations 2004, the GDPR and the Data Protection Act 2018.

  • Prevention and detection of crime including money laundering, fraud or other crimes.

Lawful Bases for Processing

We have a legal obligation to report any such activity to the relevant authorities and regulators and that reporting may involve the processing of personal data. Any such processing is undertaken pursuant to the lawful basis that applies to processing that is necessary for compliance with a legal obligation to which we are subject.

Sharing your information

We will rarely share your personal data outside the United Kingdom (“UK”) or the European Economic Area (“EEA”). If this becomes necessary for the purposes of discharging our functions, we will only share it where appropriate transfer mechanisms and safeguards are in place, such as the UK International Data Transfer Agreement (“IDTA”) or EU-approved Standard Contractual Clauses (“SCCs”) with supplementary measures, to ensure your personal data is protected to the same standard that applies within the UK and EEA.

We often use Qualtrics to gather information on our behalf. Any data collected by Qualtrics for the IMA is held in the UK. The Qualtrics privacy statement can be found here.

If documents are required to be signed by you electronically, we will use Adobe Sign to provide this function. The Adobe Sign privacy notice can be found here.

When we investigate a complaint/carry out an inquiry, we may be required to share your data with Government departments and other public authorities. We will only do so where this is necessary, keeping the processing of any such data to the minimum necessary to achieve the purpose of the sharing.

Our website includes links to other third-party websites and social media platforms (Facebook, Instagram, Twitter). The sites may collect your IP address and may set a cookie on your device. When you use one of these links, you are sharing information with another website or service and this Notice will no longer apply. Please read the privacy notices provided by the particular service website you are directed to before posting any personal information using these links.

Your rights

The GDPR provide you with certain rights in relation to the processing of your personal data, including to:

  • Request access to personal data about you (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you that is not exempt from disclosure to you, and to check that we are processing it lawfully.
  • Request rectification, correction, or updating to any of the personal data that we hold about you. This enables you to ask that any information we hold about you be corrected if you consider that it is incomplete or inaccurate.
  • Request personal data provided by you to be transferred in machine-readable format (“data portability”).
  • Request erasure of personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove personal data where you have exercised your right to object to processing (see below).
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you (e.g., if you want us to establish its accuracy or the reason for processing it).
  • Object to the processing of your personal data in certain circumstances.

Some of these rights are not absolute and are subject to various conditions under applicable data protection and privacy legislation, laws and regulations to which we are subject.

If at any time you decide you no longer wish to be contacted for marketing purposes, or if you would like to exercise any of your rights as set out above, you can contact us at dpo@ima-citizensrights.org.uk. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

In addition to the above, please note that you have the right to make a complaint at any time to the Information Commissioner’s Office, or another relevant supervisory authority if you are concerned about the way in which we are handling your personal data.

Data retention period

We will retain your personal data for as long as is necessary for the discharge of our functions and for a reasonable period thereafter, to enable us to meet our legal obligations and to deal with complaints and claims.

At the end of the retention period, which should be no longer than 7 years, your personal data will be securely deleted in accordance with the IMA Personal Data Retention Policy.

Contact

You can contact the IMA in relation to data protection and this privacy notice by emailing dpo@ima-citizensrights.org.uk.