The General Data Protection Regulation (GDPR) is a new legal framework for data protection applying to all member states since 25 May 2018. GDPR replaces the Data Protection Act 1998 and brings some new requirements on organisations that obtain, hold, use or store personal data.

Prospective students, employees and other stakeholders have to trust that their personal details will be safe at the university. We, at Robert Gordon University, are expected to safeguard personal information of both staff and students properly and not to abuse it. For this reason we have developed a robust Information Governance Policy (PDF 218KB) that would meet these needs.

The university's registration number with the Information Commissioner's Office is Z5607918.

Record of Processing (PDF 145KB)

Privacy Notices

The University has a series of privacy notices to ensure transparency and explain to individuals how their personal data will be used.

Accessing your personal data

Under the GDPR, individuals (i.e. data subjects) have a right to know what data is held about them at RGU and a right to access their personal data. Data subjects must submit a request to access this information. Please note the university may request evidence of your identity (a copy of passport and/or driver’s license). The university provides a Subject Access Request Form (PDF 280KB) in order to assist in making a request, however you may also submit a request in a letter, email or verbally. Please see our Accessing Your Personal Data - Guidance Note (PDF 310KB) for further information on how to make a request.

Once the request has been validated and verified the university will respond within one month. Please note that you can only request your own personal data under a subject access request, unless you are proven to be authorised to act on behalf of the data subject.

Data Protection by design

Under GDPR the university in required to demonstrate that data protection has been considered in our activities. The university has a data protection impact assessment (DPIA) in order to ensure that new projects or systems are designed with data protection compliance built in from the start and that any privacy risks are managed.

Data Breaches

A personal data breach may be defined as a breach of security that has affected the confidentiality, integrity or availability of personal data.

CCTV and Data Protection

Organisations, whose premises have CCTV (close circuit television) systems in operation, must inform the UK Information Commissioner that they are gathering personal information about the people they are recording. They must also put up signs to warn the public that this recording is taking place. The Robert Gordon University is registered with the Information Commissioner for the use of CCTV.

Contact Details and Further Information

If you are dissatisfied with the way in which your personal data has been handled please contact the University Data Protection Officer in the first instance. If you are dissatisfied with the response from the University you have the right to lodge a complaint with the Information Commissioner’s Office 

Contact Details

Data Protection Officer
Robert Gordon University
Garthdee
Aberdeen
AB10 7QB

Email: dp@rgu.ac.uk
Tel. +44 (0)1224 262076