0 Shortlist Search
Enter your keyword, course, subject or interest
EC Default Banner

Commercial Hire and Lets

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk.

Why are we collecting it, and what are we doing with it (Purpose)?

Edinburgh College is collecting data to:

  • Facilitate commercial hire agreements with individuals and organisations utilising College premises, as well as the ongoing management of those agreements.
  • Manage payments, fees, and charges and collect and recover any money owed in relation to commercial hire agreements.
  • Maintain accurate accounts and records.
  • Communicate with and manage relationships with those parties to the hire agreements.
  • Provide marketing updates relevant to the relationship with those parties to the hire agreements.
  • Ensure the Health and Safety as well as the security of our premises, students, staff, and visitors.

What personal data do we collect?

We collect and hold a range of personal data and other information. This includes:

  • Contact details, such as name, title, email address, and phone number.
  • Specific information about the reason for hire and/or activity, including space hired, date(s), time(s), and resources required.
  • Records of correspondence, either through our website, telephone, e-mail or post.
  • Financial records of charges, payments made and received.
  • Proof of relevant leases and licences (where required).
  • Health and Safety risk assessment details (provided by the hiring organisation/individual).
  • Visitor and parking records, including name, organisation, reason for visit, and car registration number.
  • In the event of an incident or accident, details about it and those involved.
  • CCTV footage/images as CCTV is in operation on campus.

The Special Category personal data we collect is:

  • Accessibility requirements and dietary requirements (if catering is requested) for event attendees or users of the hired space. This is limited to the requirements and number of individuals, and is usually provided by the organisation/individual who is a party to the hire agreement.
  • Details about an accident or incident and its impact on named individuals.

The lawful basis for the processing

UK General Data Protection Regulation (UK GDPR) Article 6(1)(b) “processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract”; and

UK GDPR Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject”.

For the processing of any special category personal data, the lawful basis is UK GDPR Article 9(2)(g) “processing is necessary for reasons of substantial public interest, based on domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject domestic law” and Data Protection Act 2018 Schedule 1, Part 2, 6(2)(a) “Statutory etc and government purposes”, in relation to the College’s responsibilities under Health and Safety legislation.

For marketing communications, we are relying on the lawful basis of UK GDPR Article 6(1)(f), which states that “processing is necessary for purposes of the legitimate interests” of the College. We provide you with the choice to ‘opt-out’ of these communications each time.

Who we share the information with

This data will be available to Edinburgh College Health and Safety leads, Commercial and Events Co-ordinators and Finance staff.

We use Intuit Mailchimp to administer and manage marketing email communications. Your name and email address will be shared with Mailchimp and their service providers to do this. This process involves sending your data outside the UK; appropriate safeguards are in place. Read the Intuit Mailchimp Privacy Notice.

We do not otherwise share the data outside of Edinburgh College unless required to do so by law or in the event of legal proceedings.

In the case of an incident or accident, we may be required to share some personal data with the Health and Safety Executive or other relevant authorities.

How long do we hold the personal data?

Records relating to the Hire Agreement will be retained for 1 year from the end of academic year and the agreement itself for 6 years from the end date of the agreement. Finance records are retained for 6 years from the end of financial year. Health and safety records are retained for a minimum of 5 years; should an accident or incident occur, the College may retain the investigation records for up to 40 years after the closure of the investigation in line with Health and Safety legislation. CCTV footage is retained for 14 days, unless required in relation to an incident.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights; some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice), right of access, right of rectification, right of erasure (commonly known as the right to be forgotten), right to restrict processing, right to object, right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing, and the College would be required to process your request within one month.

The rights that apply to this particular processing are:

  • Right to be Informed – i.e. a privacy notice.
  • Right of Access – this means you have the right to access your personal information.
  • Right to Rectification – this means you have the right to correct inaccurate or incomplete personal information.
  • Right to Erasure – commonly known as the Right to be Forgotten (RTBF) – this means you can request that your personal data be deleted.
  • Right to Data Portability – this means you have the right to request your information in a machine-readable format (e.g. a .csv file) to be provided to you or transferred in that format to another organisation.
  • Right to Restriction – this means you can restrict the processing of your information and links with some of the other rights.
  • Right to Object – this means you can object to how your data is used.
  • Right to be informed of automated individual decision-making (including profiling) – we do not use this for OH purposes, and therefore this does not apply.

Some of the rights above have caveats and only apply in certain circumstances. You can exercise your rights at any time, and the College would be required to answer within a month upon receipt of your request. If you wish to exercise your rights or have any queries in relation to this, please contact the Data Protection Team at DataProtection@edinburghcollege.ac.uk.

Complaints to the UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance, please contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk. If you are not satisfied with the outcome, then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO guides on the ICO website.

You can email them at casework@ico.org.uk, call them on 0303-123-113, or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF