On 25 May 2018 the General Data Protection Regulation (GDPR) comes into force in the UK. This page continues to host the University’s existing policies and procedures under the Data Protection Act 1998 (DPA) whilst highlighting new and planned information concerning GDPR.

Information concerning the DPA will be removed from this page on 25 May 2018. Links concerning GDPR will be made live as policies and procedures are approved.

Please contact dataprotection@dundee.ac.uk with any questions.

GDPR - Policy

  • Data protection policy
  • University activities – basis for lawful processing of personal data

GDPR - Information for individuals

The notices below provide general information concerning the University’s use of personal data from different stakeholder groups.

A set of notices is in preparation for Schools and Professional Services is in preparation and will be published here.

Additional privacy notices may also be provided further to specific projects, services or activities. They will normally be found on the webpages of the relevant section of the University or be provided to you further to your engagement with the University.

Individual rights

  • Notes on how to exercise your rights under GDPR and how the University will engage with your request.

GDPR Toolkit

Tools and templates for use by University staff.

Standard Operating Procedures

  • Data incident management
  • Interception of communications
  • Use of images and other media
  • Disposal of data devices lost on campus


The templates linked below include notes on their use.

  • Privacy notice
  • Data Protection Impact Assessment
  • Consent


Training may be requested by any School, Professional Service or team at any time by emailing dataprotection@dundee.ac.uk.

GDPR champions

A network of champions is being established and more information will be published here in due course.



Data Protection Act 1998
Data Protection Act 1998
Standard Operating Procedures
  • Data subject access requests - The procedure followed by the University when responding to requests for any person's own information.
  • Data loss - The procedure followed when data loss is suspected.
  • Lost data devices - What to do if you lose or find a lost device and the procedure the University follows so that an owner can reclaim their device or to ensure that unclaimed devices are disposed of securely.
  • Interception of communications - The procedure used in the rare instances the University may wish to intercept communications.
  • Transfer within EEA - The procedure for agreements or other collaborations involving the transfer of personal data within the European Economic Area.
  • Transfer outwith EEA - The procedure for agreements or other collaborations involving the transfer of personal data outwith the European Economic Area.
  • Withdrawal of consent to contact - The procedure used when someone wishes to withdraw their consent for the University to contact them.
Data Protection Act 1998
Useful information
  • How the University uses your information - students - 2017_18 - Information provided to students each year at matriculation.
  • Guidance on searching for information - to help when looking for information to respond to data subject access requests.
  • Guidance by the Director of Legal and the Records Manager on what to include in references.
  • The University's entry on the Public Register of Data Controllers is available here.
  • The case file for each request for personal information received by the University is normally retained for the calendar year in which the request was received + five years