A privacy notice is a statement that describes how the Council collects, uses, retains and discloses personal information. Different organisations sometimes use different terms and it can be referred to as a privacy statement, a fair processing notice or a privacy policy.

The Ceredigion County Council is a Data Controller and we are responsible for collecting and processing your personal information.

Register of Data Controllers

For specific enquiries regarding personal data which we process you can contact the Data Protection Officer on email: data.protection@ceredigion.gov.uk or at

Ceredigion County Council
Canolfan Rheidol
SY23 3UE


Personal data is any information that relates to a person who can be directly or indirectly identified from the information. The terms ‘personal information’ and ‘personal data’ are used throughout this privacy notice and have the same meaning.

To ensure that the Council treats personal information correctly, we seek to adhere in full to the requirements of Data Protection legislation.
This privacy notice has therefore been produced to explain as clearly as possible what we do with your personal data

The proper handling of personal information by Ceredigion County Council is very important to the delivery of our services and maintaining public confidence. We comply with our obligations under the General Data Protection Regulation (GDPR) and the principles of the Data Protection Act 2018 (DPA)

The Council makes sure that your Personal Data is

  • Processed lawfully, fairly and In a transparent way
  • Collected for specified, explicit and legitimate reasons
  • Adequate, relevant and limited to what is necessary
  • Accurate and where necessary kept up to date,
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which those data are processed, and
  • Processed in a manner that ensures appropriate security of personal data

What is the lawful basis for processing your personal data?

The first principle requires that you process all personal data lawfully, fairly and in a transparent manner. Processing is only lawful if you have a lawful basis

Depending on how we are processing your personal data will determine the lawful basis for processing. Generally, the legal basis for processing by the Council as a public authority will be:

  • To perform a function or provide a service required by statute (Article 6(1)(e) GDPR)
  • To comply with a legal obligation (Article 6(1)(C) GDPR)
  • Where the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (Article 1(b) GDPR)
  • Where disclosure is in the vital interests of yourself or another person (Article 6(1)(d) GDPR)
  • With your explicit consent (Articles 6 (1)(a) and 9(2)(a) GDPR)

Where the purpose for processing your personal data has changed, we will inform you about the change and might have to seek your consent.

Who your information may be shared with (internally and externally)?

The personal data you provide us with may be shared with other services within Ceredigion County Council, with one of our partners, or third party outside the Council. If this is the case you will be informed about it by council employees when requesting service from us.

There are also other specific situations where we may be required to disclose information about you, including:

  • Where the Council is required to provide the information by law
  • Where the information is disclosed to an internal compliance service (such as Internal Audit) or to an external regulatory body
  • Where disclosing the information is required to prevent or detect a crime
  • Where disclosure is in the vital interests of the person concerned

Service and subject specific Privacy Notices can be found on the sidebar, which hold the detail about how we handle and process your personal information.


Under the Data Protection Legislation, you have rights as an individual which you can exercise in relation to the information we hold about you, not all rights will apply, and it will depend on the legal basis for processing your data.

The right to be informed

  • You have the right to be informed about the collection and use of your personal data such as the purposes for processing your personal data, retention periods for that personal data, and who it will be shared with. This is provided when you provide us with your personal information and also within the privacy notices on this webpage
  • If we obtain your personal data from other sources, we will provide you with privacy information within a reasonable period of obtaining the data and no later than one month. This will only happen where you have not already been informed that your data will be passed to us
  • There are a few circumstances when we are not required to provide you with privacy information, such as if you have already had the information or if it would involve a disproportionate effort to provide it to you

The right of access

  • you are entitled to request access to and a copy of, information we hold about you
  • You can make a request to the Council for any personal information we may hold about you, and the information will be provided to you free of charge.
  • You can do this by:
    • Emailing the Information and Records Management Team – data.protection@ceredigion.gov.uk , or 
    • Writing to us:
      Ceredigion County Council
      Canolfan Rheidol
      SY23 3UE

 The right to Rectification

  • you have the right to ask to have your information corrected

The right to Erasure

  • You have the right to have personal data erased.
  • The right to erasure is also known as ‘the right to be forgotten’
  • The right to erasure exists where:
    • the personal data is no longer necessary for the purpose which it was originally collected or processed for, or
    • If it was collected under consent rather than a lawful basis

The right to Data Portability

  • This generally applies to instances where you wish to 'move' to another service provider - e.g. moving banks or phone providers. The right to data portability allows individuals to obtain and re-use their personal data for their own purposes across different services.This only applies to data processing that is carried out by automated means

 The right to restrict processing

  • Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction
    This may be because you have issues with the content of the information we hold or how we have processed your data.
  • The right to restrict processing can apply when:
    • An individual contests the accuracy of their personal data and you are verifying the accuracy of the data;
    • The data has been unlawfully processed and the individual opposes erasure and requests restriction instead;

The right to Object

  • Individuals must have an objection on “grounds relating to his or her particular situation”
  • Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, a data subject should be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the Council to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject

The Council takes the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. We will use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.

We will only keep your information for the minimum period necessary. After this time, information is deleted/destroyed in accordance with the Council's Corporate Retention Guidelines. Please contact the Information and Records Management Team for further details; recordsmanagement@ceredigion.gov.uk

Ceredigion County Council endeavours to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this seriously. We encourage people to bring to our attention if they believe that our collection or use of information is unfair, misleading or inappropriate.

This privacy notice does not provide exhaustive detail of all aspects of our collection and use of personal information.  However we are happy to provide any additional information or explanation needed.  Any requests for this should be sent to the address below:

Data Protection Officer
Ceredigion County Council
Canolfan Rheidol
SY23 3UE

Email: data.protection@ceredigion.gov.uk

If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner’s Office as the statutory body which oversees data protection law:

Information Commissioner’s Office
Wycliffe House
Water Lane

Telephone No: 0303 123 1113

Changes to this privacy notice.

We keep our privacy notice under regular review.