Edinburgh University Students’ Association’s personal data privacy notice  


Published on 24 May 2018


Edinburgh University Students’ Association (“we”, “our” or “us”) is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data. This notice tells you what personal data we’re collecting, from whom and how you can expect us to use and look after it.


‘Personal data’ means any information relating to an identifiable person who can be directly or indirectly identified.


Our data protection practices are accordance with the General Data Protection Act (GDPR); an EU directive effective from 25 May 2018.




This notice applies to the personal information we collect about:
  • Our members, officers and volunteers
  • Users of our websites
  • People who use our services
  • People who give us feedback, make suggestions, complete questionnaires, polls or make complaints
  • Suppliers and agents
  • Sponsors and supporters
  • Job applicants and our current and former employees
These people are classified as ‘data subjects’ under the GDPR. As a data subject you have rights as an individual which you can exercise in relation to the information we hold about you. These include:
  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

You can read more about these rights here and access our Subject Access Request Form here.
When you become a Students’ Association member

If you are a student at the University of Edinburgh, your details, including your email address, will be automatically held by us in our membership database, unless you have opted out of Students’ Association membership. We need your personal information to enable us to deliver services to you like fair representative elections, advice, funding, peer learning and support and society activities. You can choose not to receive specific communications from us and will have the option to do this every time we get in touch. See ‘Data Sharing with the University of Edinburgh’.

When you give it to us directly

You may give us your personal information in order to, for example, sign up to a student group, for one of our events, give feedback, use our Advice Place, purchase our products, sell us products or services or apply for employment with us. You may also give us information when using our website or app (see ‘Website privacy’).

When you give other organisations permission to share your data with us

The information we get from other organisations may depend on your privacy settings or the responses you give, so you should regularly check them. For example, this information could come from the following sources:

Third party organisations

You may have provided permission for a company or other organisation to share your data with third parties such as the Edinburgh University Students’ Association. This could be when you buy a product or service, register for an online competition or sign up with a service or website.

Social Media Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those accounts or services.

We have a data sharing agreement with the University of Edinburgh.


This agreement permits the transfer of part of your personal information from the University to the Students’ Association for the purposes of allowing us to provide you with support services, participate in democratic processes (in accordance with the Education Act 1994), join societies, and communicate with you about your Students’ Association’s finances and organisational governance, as well as student-led campaigns and gathering feedback.


If you are a student at the University of Edinburgh, your details, including your email address, will be automatically held by us in our membership database, unless you have opted out of Students’ Association membership.


The details held are the ones you gave the University of Edinburgh on registration. If you wish to alter your registration details you can do so by contacting the University Registry.


Occasionally we will share pertinent (anonymised) data with the University. This would be for improving your educational experience, the experience of future students or for academic research purposes.


You can view the University’s privacy notice here.

Higher Education Achievement Report (HEAR)  

The agreement also allows the Students’ Association to disclose information relating to extra-curricular activity to the University of Edinburgh in order to generate your Higher Education Achievement Report.


If you do not wish the University to include information on your extra-curricular activity on your HEAR you will have the opportunity to tell the University. The University will only include your extra-curricular information on your HEAR with your consent.

We realise that your personal information is subject to change. To help us maintain its accuracy, we’d encourage you to let us know about any required updates to your personal information.

You can do this via your Students’ Association staff contact or for all University of Edinburgh students and for others registered with our website, we provide a means to create an account or a profile of information. For example, to change your personal information on our website, log in as usual and select the profile icon at the top right hand corner of the webpage.

Please note that University of Edinburgh students key matriculation information that is held by Student Registrar should be updated directly with them to enable an update in our system. See ‘Data Sharing with the University of Edinburgh’.  
We process personal data in accordance with a minimum of one valid lawful basis, as defined by the GDPR, for the following reasons:
  • Administration of Membership Records (including processing for not for profit organisations)
  • Fundraising
  • Accounts and records of your relationship with us
  • Consultancy and Advisory Services
  • Employment Administration
  • Marketing and Public Relations
  • Crime Prevention and Prosecution of Offenders
  • Research and analysis

Use of personal data is compliant with the GDPR and specifically with the 6 principles that are set out within it, requiring that data be:
  1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We may use your personal information to contact you about your Students’ Association services. At each of these points of contact you will have the option to select preferences or opt-out of communications (unless they are required in order for us to comply with any relevant legal or contractual obligations).
Your personal information will not be sold, traded, or rented to individuals or other entities. However, we may need to share your personal information with third parties to charge your credit card or deliver specific services to you such as support services. These third parties will be bound by a data sharing agreement and are required not to use your personal information other than to provide the services requested by the Students’ Association.

We may disclose your personal information if we believe in good faith that such disclosure is necessary to:
  1. comply with any relevant legal obligations or
  2. protect and defend the rights or property of the Students’ Association
Our website and app complies with the GDPR. All data processed is stored securely within the EEA.

Website Cookies

The Students’ Association website uses cookies to distinguish you from other users. Cookies are very small text files that are stored on your computer when you visit some websites.


Some of these cookies are essential to make this site work properly, to allow you to make your event bookings or other purchases, and to enable us to fulfil your purchase requests. Other types of cookie help us to provide you with a good experience when you browse our site, allow us to improve our site or the way we provide our service to customers.


You can disable any cookies already stored on your computer, but these may stop our website from functioning properly.


Adverts and sponsored or information links

The Students’ Association website contains links to other web sites. We are not responsible for the content, accuracy or opinions express in such web sites, and such web sites are not investigated, monitored or checked for accuracy or completeness by us.


Inclusion of any linked web site on or through the website or the service does not imply approval or endorsement of the linked web site by us. If you decide to leave the website and access these third-party sites, you do so at your own risk.

Social media policy and usage

We adopt a Social Media Policy to ensure our organisation and our staff conduct themselves accordingly online. While we may have official profiles on social media platforms (many are linked to from this website) users are advised to verify authenticity of such profiles before engaging with, or sharing information with such profiles. We will never ask for user passwords or personal details on social media platforms.

When individuals apply to work at Edinburgh University Students’ Association we will only use the information they supply to us to process their application and to monitor recruitment statistics.

Where we want to disclose an individual's information to a third party, for example where we want to take up a reference, we will not do so without informing them beforehand unless the disclosure is required by law.

Personal information about unsuccessful candidates will be held for 6 months after the recruitment exercise has been completed, it will then be destroyed or deleted. We may retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.

Once a person has taken up employment with the Students' Association, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to managing the employment relationship. Once their employment with The Students’ Association has ended, we will retain the file for 7 years and then destroy it.

Full details of how the Students’ Association collects and processes data related to job applicants and employees are set out in our Recruitment Privacy Notice and Employee Privacy Notice.

This privacy notice is in accordance with the General Data Protection Act (GDPR); an EU directive effective from 25 May 2018.

We are happy to provide any additional information or explanation needed on this notice. Any requests for this should be sent to the address below.

FAO: Director of Marketing & Communications
Edinburgh University Students’ Association
5/2 Bristo Square

Email: data@eusa.ed.ac.uk

Updating our privacy notice
Changes to this notice may be required from time to time. If we make substantial changes to this notice we will make this clear on our website and/or contact you directly. The ‘published on’ date at the top of this notice will reflect the version of the notice you are viewing.
Edinburgh University Students’ Association is registered with the ICO under the Data Protection Act and appears on its public register here (registration number ZA047742).

For further guidance on matters relating to the GDPR and privacy, please refer to the UK Information Commissioner’s Office.