Privacy Policy

Business Enquirer and Prospect Privacy Policy

A privacy notice that details how Arrow and Newcastle University collects and processes personal information relating to a business enquirer or prospect.

  • Arrow at Newcastle University
  • Data Protection
  • Information for Businesses

1. Data Controller

University of Newcastle upon Tyne (“we”, “our”, “us”, “The University”) on behalf of Arrow processes personal data in accordance with our obligations under the General Data Protection Regulations (‘GDPR’) and is a registered Data Controller (Registration Number Z5470161) with the Information Commissioner’s Office (‘ICO’), which is the supervisory authority responsible for the oversight and enforcement of Data Protection Legislation within the United Kingdom.

2. How is your personal data collected?

We use different methods to collect data from and about you including through:

  • Digital forms, and surveys for the purpose of providing information about the University service, your enquiry, or event that you have registered for.
  • Correspondence with us by face to face, phone, email, live chat, social media or otherwise.
  • As you interact with our websites, we may automatically collect data about your device, IP address, and browsing patterns we collect this by using opt-in cookies.
  • The University’s CRM automation systems also use email tracking pixels.

3. What personal data is collected?

  • Identification and contact details: Your name, title, company name, correspondence address, email address, and phone number.
  • Where applicable contextual information, such as industry, sector, and profession..

4. Where we get your personal data and for what purpose?

We will only collect and use your personal data when the law allows us to. Most commonly we will use your personal data in the following circumstances:

  • Where you consented to the processing.
  • Where it necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We have set out below, in a table format, a description of all the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Purpose/Activity Type of Data  Lawful basis for processing including basis of legitimate interest. 
We would also like to use your details you have consented to provide us to contact you, to respond to your enquiry Communications, Contact / Legitimate Interests
We process data for internal reporting, monitoring, and research as part of our public tasks. This may also include Public interest archiving, scientific and historical research or statistical analysis including equality and diversity monitoring Identity Public Task
Anonymising and sharing with social media platforms to see if the adverts have been successful (you cannot be identified) and to serve you or similar audiences with more relevant messages. Communications, Profile Legitimate Interests
Enhancing our service; to meet our interests of understanding who our prospective contacts are and to enhance the journey towards making an application. Profile Legitimate Interests
Providing statistics for management and business intelligence reports on the effectiveness of an event and or communications activity. Profile Legitimate Interests
Photographs, video, and audio may be taken at events for use in marketing materials, including on our website and on social media. Where you are not the subject of the image, i.e. if it is a “group” or “crowd” photograph, we may use such images without requiring your consent, however, where you are the subject, you will be asked to provide explicit consent to use the image. Profile Legitimate Interests
Anonymising and sharing with social media platforms to see if the adverts have been successful (you cannot be identified) and to serve you or similar audiences with more relevant messages. Profile, Communication Legitimate interests
We track email open and click through rates, user’s browser and device, IP address and location to review communications for reporting purposes and to ensure the University does not spam disengaged contacts. Profile Legitimate interests
We process some data because there is a legal obligation to (e.g. UKVI) or because we are required to provide equality monitoring statistics. Identity, profile Legal Obligation

5. Where do we securely process and store your personal data?

5.1 Within the UK and EEA

All personal data is processed by Newcastle University staff based in the UK however for the purposes of IT hosting and maintenance this information is located on servers within the EEA.

5.2 Outside the UK and EEA

The following systems and purposes are exceptions where data is located on servers not based within the EEA to facilitate specific operational purposes e.g. event registration and specific CRM systems for managing, processing your personal data:

HubSpot – We use forms created by HubSpot. HubSpot’s product infrastructure is hosted on Amazon Web Services (AWS) in the United States East region. HubSpot leverages the Google Cloud Platform (GCP) in the EU (Frankfurt, Germany region) to support the processing of local customer data that is critical to its customers’ businesses.

These solutions provide high levels of physical and network security and well as hosting provider vendor diversity. HubSpot’s AWS cloud server instances reside in US locations; GCP cloud instances reside in Germany. Both providers maintain an audited security program.

Where processing takes place with an external third party, processing takes place under an appropriate agreement outlining their responsibilities to ensure that processing is compliant with the Data Protection legislation and verified to be secure.

6. Sharing your personal data with third parties

Your personal information will only be disclosed to third parties where we have an appropriate lawful basis to do so, which may include the following:

  • Your enquiry data will be shared with Arrow colleagues at Durham University, Northumbria University and the University of Sunderland in order to process your enquiry
  • With third parties who securely process data on our behalf in order to facilitate our relationship with you, such as software service providers providing externally hosted software solutions e.g.VFairs.
  • With Social Media Providers so that we can communicate with you, promote tailored advertising to you, to assess your social media interactions to promote our services to you and with others you interact with on social media to inform our advertising campaigns to create look-a-like audiences with the data you provide.
  • With internet search engine providers such as Google to inform our advertising campaigns to create look-a-like audiences with the data you provide.
  • IT Service providers (e.g. the provision of University email services; recruitment and customer relationship management services);

Any other disclosures that may be required, but not listed above will only ever be in accordance with your rights and the requirements of the GDPR.

When it is necessary to share your data with organisations outside of the EEA, we will ensure that appropriate safeguards are in place to protect your personal data.

7.  How long do we hold personal data?

Personal data is retained for as long as it is required to fulfil the purpose for which is it held and then to fulfil any legal requirements.

Any information we use for marketing purposes will be kept by us until you notify us that you no longer wish to receive this information. To withdraw or amend your contact methods at any time either click the link at the bottom of an email from us or contact us on email; and we will endeavour to action this within 2 working days.

8. How we store your information?

We have appropriate security measures in place to protect personal data, taking account of the nature of the data and the harm that might be caused if it were lost. These security measures will be tested regularly, assessed, and evaluated to ensure they maintain an appropriate level of security for personal data.

Personal data will be accessible only to those people who need to use it as part of their work. Unauthorised or unlawful access to, use or disclosure of personal data may lead to disciplinary action, and in some cases could be considered as gross misconduct. In serious cases it could also be a criminal offence.

We will provide prompt and effective notification to the relevant supervisory authority and to data subjects, where necessary, in the event of a personal data breach. We will cooperate fully with any regulatory investigations that result from a breach.

9. Your rights under GDPR

Under the GDPR, you have a number of rights in relation to the processing of your personal information, each of which may apply to differing degrees dependent upon the nature of the processing and the legal basis for it. You have the right to:

  • Be informed as to how we use your data (via this privacy notice)
  • Request access (a copy) of the personal information that we hold about you.
  • Correct inaccurate or incomplete data
  • Request that we stop sending you direct marketing communications.
  • In certain circumstances, you may have the right to:
    • Ask to have your data ‘erased.
    • Request us to restrict the processing of your personal data.
    • Request that data you provided electronically to us be returned as a data file.
    • Object to certain processing of your personal data by us.

In some cases, there may be specific exemptions as to why we aren’t able to comply with some of the above. Where this is the case, we will explain the reasons why.

In order to exercise any of the above rights, please visit

10. Further information

If you would like to discuss this further, please contact us on If you would like more information about how we manage personal data more generally, including your rights under law, and the contact details of the University’s Data Protection Officer, visit our Data Protection website.

11. Lodging a complaint with the Information Commissioners Officer (ICO)

If you are unhappy with our use or storage of your data, you have the right to complain to the Information Commissioner’s Office (ICO) about this. Please see the ICO website for more details of how to complain.