Jump to accessibility statement Skip to content

Privacy notice - services for business

Home / Privacy & Cookies / Privacy notice - services for business

Data Controller


Data Controller Name: University of Sunderland

Data Protection Officer: Sam Seldon

ICO Registration Number: Z6120473

Registered Address:              

4th Floor Edinburgh Building,
City Campus
Chester Road

Department Responsible for processing: Research and Innovation

Contact email: digitalskills@sunderland.ac.uk

Changes to this notice

From time to time the University will make minor modifications to this notice, where a more substantial change is required will we inform you of these changes and provide you with a link to the newest version of the notice.


Throughout this notice, “University”, “we”, “our” and “us” refers to the University of Sunderland and “you” and “your” refers to those expressing an interest in either becoming a student at the University or engaging with the University in a short course or funded project both prior to and at the formal applications stage, together with those who later become a registered student/learner or participant in a course or project at the University.

The University of Sunderland needs to collect and process personal data in order to provide services to students, learners and external clients, manage its operations and to meet certain legal requirements. This notice explains how we collect and use your personal data to do so.

Who are we?

The University of Sunderland’s Research and Innovation Department (R&I) offers a wide range of business support services; funded programmes, apprenticeships, work based learning, training, recruitment, consultancy, commercial space, space hire, events, specialist facilities and business expertise.

How we collect your personal data from you?

We receive information about you when you use our website; complete forms on our website or forms linked to our emails; if you contact us by phone, email, in person or otherwise, in respect to any of our services or during the purchase of any such product. Additionally, we also collect information from you when you sign up, enter a competition, promotion or survey or when you inform us of any other matter. If you provide us with personal data about a third party, you warrant that you have obtained the express consent from the third party for the disclosure and use of their personal data.

The University collects and processes a broad range of personal data about you in order to deliver our services to you, manage our operations effectively and meet certain legal requirements. Examples of this personal data will include name, address for correspondence, national insurance number, financial information, email address, contact telephone number, emergency contact details, date of birth, job title, department, place of work, employer name and contact details.

Personal data may also contain “Special Categories of data” as described under the UK GDPR. Such “Special Category Data” will include information about your racial or ethnic origin, religious beliefs, political opinions, membership of a trade union, physical or mental health. When you register to enrol with us, you have the option not to provide certain types of “special category data”.

Why we collect your personal data and how we use it

Data protection laws state that we are only able to process personal data if we have valid reasons to do so. The basis for processing your personal data include, but is not limited to, your consent, performance of a contract, to enable billing and remittance and to contact you for customer service purposes.

The University will handle personal data in accordance with the University’s Data Protection Policy.

The University shares your information with a number of organisations and third parties, a list of these along with our legal basis for processing your data in this way can be found in Table 1 (below).

How do we use your data?

We use the data about you in the following ways;

How your personal data is stored by the University

Your personal data is stored specifically by the University’s Research and Innovation Department. The information is stored in a secured folder on Research and Innovation Teams File. This is located on the University’s secured servers and access is restricted to approved staff members only.

If you are engaged with us as part of a Funded Project or Programme we are required to store your data in a secured folder on a Research and Innovation Teams site and may be required to share this data with external funding bodies as part of an external audit.

Who has access to your personal data?

Access to personal data is restricted to only members of the University to whom this information is pertinent or to external funding bodies. Access is controlled and all employees of the University of Sunderland that are given access understand that they have an obligation to maintain and uphold confidentiality at all times.  

Retention periods

Any personal data held by us for marketing and service update notifications will be kept by us until such time that you notify us that you no longer wish to receive this information.

The University retains your personal data in accordance with the University retention schedule and in accordance with the retention policy of external funding partners.

Please note that some of the information you provide to us will be retained for a longer period of time to comply with external funding regulations. Steps will be taken to remove data which is no longer needed for specific purposes as soon as we identify the data is no longer required.

If you are a customer of Research and Innovation we will keep your personal data only for as long as necessary in accordance with our legal and accountancy obligations, the University’s retention policy and in accordance with applicable laws. The University of Sunderland retains records for 6 years.

If you are engaged with us via an eternally funded project, programme or scheme, the retention policy will be clearly stated in the privacy statement of the specific external funding body and a link to their privacy statement will be included in the individual project application forms.

Legal basis for processing your data

The UK GDPR regulations state that ‘personal data shall be processed lawfully, fairly and in a transparent matter in relation to the data subject’. In order to meet these requirements, the University must have at least one legal basis to process your data. These are shown below,

(The UK GDPR may be subject to change. If changes are significant then we will communicate them to you). 

Specific Activity

Legal Basis

Marketing to provide with information about products and services that you request from us or which we feel may interest you where you have consented to be contacted for such purpose.

Legitimate interest

To help us identify you and any business interests we have with you.

Legitimate interest

To enable us to review, develop and improve our services by means of survey.


To provide customer care, including to responding to your request if you contact us with a query.

Legitimate interest

To carry out marketing and statistical analysis.

Legitimate interest

To notify you about changes to our website and services.

Legitimate interest

To inform you of service and price changes.

Legitimate interest

In order to provide products and services

Performance of contract

To process orders for services that you have submitted to us.

Performance of contract

To comply with our contractual obligations we have with you.

Performance of contract

To administer accounts, process payments and keep a track of billing and payments.

Performance of contract 


Personal Data released to Third Parties for following purposes  Legal basis 

To an external funder - as the Data Controller providing funding for your funded training/employment opportunity

The University of Sunderland is required to share information with the following funding provider(s):

NTCA North of Tyne Combined Authority

More information about how and why NTCA uses your personal information, including how to ask for a copy of the personal information NTCA holds about you

Performance of contract

To your employer – as a stakeholder in your employment under a funded programme

Performance of contract

General R&I Activity  Public activity


Your rights under GDPR

Under the General Data Protection Regulations, you have 8 fundamental rights as follows: 

In the first instance we would ask that you contact the department within the University that is processing your personal information.  The contact details for this department can be found in the first section of this notice. 


If you are unhappy with how your request has been handled or have not received a response from the individual department, please contact the Data Protection Officer either by email or by post.  The email address for the Data Protection Officer is dataprotection@sunderland.ac.uk.

Should you still feel that you request has been handled inadequately, you have the right to complain to the supervisory authority in the UK, this is the Information Commissioners Office, details of how to complain can be found at https://ico.org.uk/concerns/.