Accommodation Privacy Notice
This Privacy Notice tells you about how CCCU, as the service provider, collects and processes your personal data. We do this for the purposes of managing your use of our student accommodation.
- 1. What personal information do we collect about you?
- 2. How do we collect your information?
- 3. How do we use your personal data?
- 4. The lawful basis we use to process your data
- 5. Who do we share your personal data with?
- 6. How long do we keep your personal data?
- 7. How do we protect and store your personal information?
- 8. The data controller and further information
This Accommodation Privacy Notice outlines how Canterbury Christ Church University (the Data Controller) collects, uses, and protects personal data in relation to individuals applying for and staying in University managed accommodation or accommodation run by one of the University’s third party suppliers. It applies to students and staff who have expressed an interest in or entered into a contract with the University for accommodation. It also applies to guarantors.
We are committed to handling your personal data responsibly and transparently, in accordance with the Data Protection Act 2018 and UK General Data Protection Regulations (GDPR) and any other relevant legislation. This notice is intended to ensure you are fully informed about how your personal information is used and the rights you have in relation to it.
You can access our Data Protection Policy here.
1. What personal information do we collect about you?
When you engage with the University in relation to University managed accommodations or accommodation run by one of our third party suppliers, we collect and retain relevant personal data. This information is used for the purposes set out in Section 3 of this Privacy Notice.
We may process the following categories of personal data about you:
- Name
- Address
- Telephone numbers
- Email address
- Gender
- Date of birth
- Sexual orientation
- Religion
- Criminal convictions
- Disability/Health data
- Course data
- Details of misuse of student accommodation, including for disciplinary purposes
- Financial information relating to the accommodation fees, including means of payment
- Information related to references when required.
2. How do we collect your information?
The University may collect your personal data through a range of methods and sources, depending on your relationship with us and the nature of our interaction. We may collect your personal information:
- Directly from you – when you fill in forms or submit applications or contact us.
- Through automated technologies – such as our student record system SITS.
- From third parties – for example through reference requests where a guarantor is necessary.
3. How do we use your personal data?
The University may process your personal data for the following purposes:
- To take any required steps prior to entering into a contract with you.
- To enable us to fulfil our obligations in the performance of a contract with you.
- To correspond with you and provide you with information or resources when requested.
- To prevent and detect fraud, bribery, corruption, or other unlawful activities in accordance with the University's internal policies and legal obligations;
- To comply with statutory and regulatory requirements, including those under the Data Protection Act 2018 and UK GDPR.
4. The lawful basis we use to process your data
Data protection law sets out reasons for collecting and processing your personal data. In this section, we outline the legal bases the University uses.
We will be processing your data under:
- Article 6(1)(a) Consent "the data subject has given consent to the processing of his or her personal data for one or more specific purposes"
We may ask for your consent to process personal data relating to any health conditions or disabilities in order to provide you with adequate accommodation. We may also request details of your cultural beliefs or lifestyle preferences for this reason.
We may also process your personal data under this legal basis to send you marketing material. You may withdraw your consent at any time. You need not give a reason. To withdraw your consent, contact: accommodation@canterbury.ac.uk.
- Article 6(1)(b) Contract "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract"
- Article 6(1) (f) Legitimate Interests "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child"
We may be required to share data with other organisations when our legitimate interest overrides your rights to privacy. This includes sharing your data with one of our agents if you have a debt to the University that needs recovering. We may also share your data with local authorities, court officials and solicitors acting on behalf of the University to recover debt and/or property.
We may need to process your data in order to ensure we are complying with our statutory obligations and legal requirements.
- Article 6(1)(c) Legal obligation "processing is necessary for compliance with a legal obligation to which the controller is subject"
We may process your personal data because the University has a legal obligation to do so. For example, we may process your personal data for Health and Safety, insurance or taxation or voter registration purposes.
Where we process Special Category Data, we will do so under the following legal basis:
- Article 9(2)(g) Reasons of substantial public interest (with a basis in law)
Where we process Criminal Offence Data, we will rely on:
- Article 10 Authorised by domestic law providing for appropriate safeguards for the rights and freedoms of data subjects
We have an Appropriate Policy Document in place which records our processing in relation to Special Category Data and Criminal Offence Data.
Use of special category data of applicants and students privacy notice
5. Who do we share your personal data with?
We may disclose your personal data to your guarantor in relation to your accommodation, which may include, but is not limited to, information concerning financial arrears, behavior within the accommodation, and the condition of or any damage to the property.
We may share your personal data with trusted third-party service providers who act as data processors on our behalf. These partners may be agents, contractors and other third parties who support with the delivery and operation of running University accommodation, such as carrying out maintenance work or assisting us in the collection of debt. All third parties are required to handle your data securely and in accordance with data protection legislation.
We may also disclose your personal data where necessary to meet our legal or statutory obligations under the Data Protection Act 2018 and UK GDPR. This may include sharing information with government departments, regulatory bodies, funding agencies, or law enforcement authorities where disclosure is legally required, particularly in circumstances where there are concerns regarding the health, welfare, or safety of yourself, other students, staff, or visitors.
Whoever we share your information with, we will only share what is relevant and necessary to perform the specific task or to meet our legal obligations.
6. How long do we keep your personal data?
We retain personal data only for as long as is necessary to fulfil the purposes set out in this Privacy Notice, including to satisfy legal, regulatory, and contractual obligations. This includes our obligations under the Data Protection Act 2018 and UK GDPR.
In relation to accommodation contracts with the University, we retain personal data for 6 years from the end of the contract, in line with our legal and statutory requirements for Simple Contract as stated by the Limitation Act 1980.
When identifiable records are no longer required for the purposes set out in this Privacy Notice, they are either anonymised or securely disposed of according to our Confidential Waste Policy.
7. How do we protect and store your personal information?
We are committed to safeguarding the personal data we process and have robust internal policies and controls to prevent unauthorised access, accidental loss, destruction, misuse, or disclosure of personal data. Access to personal information is strictly limited to authorised University personnel who require it for the performance of their duties in connection with the management and maintenance of University accommodation.
We are Cyber Essentials accredited, demonstrating our commitment to implementing industry-recognised cybersecurity practices to protect against common online threats and ensure a secure IT environment.
Where personal data is shared with third-party processors, such parties are contractually required to act solely on our instructions, implement appropriate technical and organisational safeguards, and comply fully with the requirements of the Data Protection Act 2018 and UK GDPR.
8. The data controller and further information
Canterbury Christ Church University is the data controller for this personal data.
Please click the link below to access further information regarding:
Version control
- Title: Accommodation Privacy Notice
- Process Owner: Head of Accommodation
- Department responsible: Estates & Facilities
- Date approved: 04 August 2025
- Date of review: 04 August 2027
- Date last amended: 04 August 2025