1. What is the GDPR?
The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill. The European Union’s GDPR legislation aims to "harmonise" data privacy laws across Europe as well as give greater protection and rights to individuals.
The Information Commissioner has a range of guidance which explains the terms used in this guidance and gives more detailed advice on the GDPR.
2. Who is this guidance for?
Beneficiaries i.e. anyone involved in implementing a Structural Funds operation and should be read in conjunction with the award of financial support.
3. Who is the data controller and data processor?
For the data the Welsh Government/WEFO requires beneficiaries to collect (i.e. that set out in Section 4) Welsh Government is the data controller.
If beneficiaries collect any other personal data not required by Welsh Government/WEFO the beneficiary would be the data controller for that data.
As a beneficiary, you would be the data processor for the data Welsh Government requires you to collect. Any third parties you or Welsh Government shares the personal data with would also be data processors.
The Data Protection Officer for the Welsh Government can be contacted on Data.ProtectionOfficer@gov.wales.
4. What data does this cover?
Data covers the European Structural Funds 2014–2020 in respect of (a) the monitoring data laid out in the Structural Fund definitions and (b) information requirements under the Eligibility rules and conditions for EU funds support. Descriptions and details are as follows:
This includes individual ESF participant level data and ESF and ERDF Enterprise level data which contains contact details for a named individual in the enterprise. For the remainder of the document, when referring to ‘participants’ it relates to ESF participants or individuals from ESF and ERDF supported enterprises for whom Welsh Government collect contact details for monitoring and evaluation purposes.
Monitoring and Evaluation guidance can be found here.
Eligibility Information guidance can be found here.
Information collected for any of these purposes can include:
- Personal details such as name, address, telephone number, date of birth, national insurance number, gender, employment status (employed, unemployed or economically inactive), qualifications, caring or childcare responsibilties
- Financial details such as salary information
- Details of when you contact us and when we contact you
- Special category data such as ethnicity, disability, or work limiting health condition.
5. What does Welsh Government use the data for?
The Welsh Government/WEFO uses monitoring data (including the individual participant records) to monitor and evaluate the EU funds in Wales as laid out in the Monitoring and Evaluation Strategy. For example, the Welsh Government/WEFO commissions surveys of participants (ESF Participants Surveys). Welsh Government may also link participant records to other information about them held by the Welsh Government and UK Government departments – for more information, see Section 6 below. Beneficiaries may also use the data for operation level evaluations.
The Welsh Government uses eligibility information to verify the eligibility of participants, activity and expenditure. The data may be shared with audit teams to help determine whether applicable regulations are being complied with.
6. Who will Welsh Government share the data with?
Welsh Government/WEFO may share the monitoring data (including the individual participant records) with commissioned research organisations interviewing participants so they can talk to them about their experiences. Not everyone who takes part in the programmes will be contacted. If a participant is contacted by researchers, the purpose of the research will be explained to the individual and will be given the option to not take part in the research. The research organisations will delete the participants’ contact details once the research is complete.
To support the research Welsh Government/WEFO may link participant records from the monitoring data to other information about them held by the Welsh Government and UK Government departments. This might include the Longitudinal Educational Outcomes dataset, Careers Wales data, the Lifelong Learning Wales Record, records held by HMRC and DWP, the Labour Force Survey, Annual Population Survey and ESF Participants Survey. This will be done only for the purpose of evaluating the impact EU funds support has had on the people who took part and research on related topics undertaken by the Welsh Government/WEFO or approved social research organisations. Welsh Government/WEFO will never publish information which would identify any individuals.
Monitoring data (including the individual participant records) will also be shared with relevant Welsh Government teams and European Commission (EC) auditors to help determine whether the project has followed the correct procedures and to ascertain the validity of claims. The eligibility information will also be shared with these teams for such purposes. Welsh Government may also share both types of data with independent auditors.
7. What is the lawful basis for controlling or processing personal data under ESF and ERDF?
The relevant section of the GDPR for collecting personal data in relation to the Structural Funds is Article 6(1)(e) where:
“processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller”
The European Regulations governing Structural Funds give the Welsh Government official authority to process the personal data referred to above. Article 54(2) of Regulation (EU) No 1303/2013 common provisions on the European Structural and Investment Funds (CPR Regulation) states that “Member States shall provide the resources necessary for carrying out evaluations, and shall ensure that procedures are in place to produce and collect the data necessary for evaluations, including data related to common and where appropriate programme-specific indicators.”
Furthermore, the EC ESF Monitoring and Evaluation Guidance states that “a complete data set in respect of the personal variables of the common output indicators is required in order to be able to report on the common indicators based on representative samples as set out in Annex I and Annex II ESF” (page 17). Annex I of Regulation (EU) No 1304/2013 on the European Social Fund (ESF Regulation) lists a range of data to be collected. These are outlined in ESF Annex A - Participants database.
The EC ESF Monitoring and Evaluation Guidance also states that “the individual participants' data for all person-related indicators must be recorded and stored in a way that allows a Member State to perform the tasks it is legally required to perform. Therefore all records should include, as a minimum: an identifier for the operation/project; a personal identifier that allows an individual to be traced and re-contacted; dates of starting and leaving an operation; and access to values for all variables needed for indicators” (page 18).
In addition, data is collected relating to Welsh Language to ensure we can demonstrate the programmes are being delivered in line with the Welsh Language (Wales) Measure 2011.
8. What about Sensitive Personal Data?
The GDPR recognises that some types of personal data are more sensitive, and so need more protection. This is classed as ‘special category data’.
The only special category data Welsh Government/WEFO is asking EU funded beneficiaries to collect are data concerning Ethnicity / whether from a Black and Minority Ethnic background; Migrant Status; Work Limiting Health Condition; and Disability. To process special category data, the Welsh Government/WEFO needs to satisfy a specific condition under Article 9 of GDPR. Welsh Government is using special category condition (g), i.e.:
“processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”
The ESF regulation requires the Managing Authority (in this case, WEFO) to collect data relating to disability, migrant status and ethnicity. We also use this data to help ensure equitable participation from all areas of society in the European Funded Programmes in line with the Equality Act 2010. It is allowable for an individual to refuse to provide such data unless it is needed to demonstrate eligibility for the Operation.
When data is used for research purposes no identifiable data will be published without explicit consent from the individual; e.g. case studies.
All data will be handled in line with Welsh Government policy.
9. What rights do participants have in relation to their data?
Under GDPR, individuals have a range of rights in relation to their data. However, some of these rights depend on the lawful basis under which Welsh Government/WEFO is processing their data. While EU funded participants’ rights are briefly discussed below, it is important you visit the ICO website to ensure you fully understand these rights.
(a) The right to be informed
You must provide participants with the following information: your lawful basis for processing the data (see Section 7 of this guidance); your purposes for processing their personal data (see Section 5); your retention periods for the personal data (see Section 10); who it will be shared with (see Section 6); the identity and contact details of the data controller and the contact details of the Data Protection Officer (see Section 3); and the participants’ rights in relation to their data (this section). You should set this out in a Privacy Notice.
(b) The right of access
Participants have the right to access their personal data held by you / Welsh Government/WEFO.
(c) The right to rectification
Participants have the right to have inaccurate personal data rectified, or completed if it is incomplete. Participants can make a request for rectification verbally or in writing.
(d) The right to erasure
The right to erasure is also known as ‘the right to be forgotten’ and, in certain circumstances, gives individuals the right to have their personal data erased. Generally, participants do not have the right to erasure because this right does not apply if using the public task lawful basis. The only circumstances under which this right would apply would be if participants’ personal data is no longer necessary for the purpose which you originally collected or processed it for, or if you have processed the personal data unlawfully. Neither of these circumstances should arise as personal data should only be held for the duration of Welsh Government/WEFO retention periods (unless you have justification for keeping it longer) and this guidance is intended to help beneficiaries ensure they are processing personal data lawfully.
(e) The right to restrict processing
Participants have the right to request the restriction or suppression of their personal data in the following circumstances:
- the participant contests the accuracy of their personal data and you are verifying the accuracy of the data;
- the data has been unlawfully processed and the participant opposes erasure and requests restriction instead;
- you no longer need the personal data but the participant needs you to keep it in order to establish, exercise or defend a legal claim; or
- the individual has exercised their right to object (g) to you processing their data, and you are considering whether your legitimate grounds override those of the participants.
In practice, these circumstances are highly unlikely to occur.
(f) The right to data portability
The right to data portability allows individuals to obtain and reuse the personal data for their own purposes across different services. The right to data portability only applies when your lawful basis for processing this information is consent or for the performance of a contract; and you are carrying out the processing by automated means (i.e. excluding paper files). Therefore participants do not have the right to data portability.
(g) The right to object
Participants have the right to object to the processing of their personal data. However, they must give specific reasons why they are objecting to the processing of their data and you / Welsh Government/WEFO can continue processing if Welsh Government/WEFO can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual. The ICO advises that we consider any objection on its own merits, rather than refusing it outright.
If one of your participants exercises their right to object to the processing of their personal data please contact your PDO for further advice. In practice, whilst Welsh Government/WEFO may not agree to stop processing the data as part of our verification of participant eligibility Welsh Government/WEFO may agree to exclude the participant from any research fieldwork (e.g. surveys) or any data linking undertaken for research purposes.
(h) Rights in relation to automated decision making and profiling
These rights relate to automated individual decision-making (making a decision solely by automated means without any human involvement), and profiling (automated processing of personal data to evaluate certain things about an individual). Welsh Government/WEFO will not be undertaking any automated decision-making or profiling and Welsh Government/WEFO will not be asking you to do so either so these rights do not apply. If you intend to undertake any automated decision-making or profiling based on the data Welsh Government/WEFO is asking you to collect you must ensure you uphold participants’ rights in this area.
10. What is the data retention period?
The data retention date will vary for each operation, and WEFO/WG will inform beneficiaries of their data retention period. The data retention date could be as late as 31 December 2026.
11. What about additional data?
If beneficiaries collect additional information to what is set out in Section 4 then beneficiaries need to ensure they meet the requirements as laid out in the GDPR.
12. What if I want to use the data in Section 4 for other uses?
If beneficiaries want to use the data in Section 4 for other purposes apart from those identified in Section 5 (i.e. apart from monitoring, research and evaluation or for confirming eligibility of participants, activities or expenditure), then beneficiaries need to ensure you meet the requirements as laid out in the GDPR.
13. When must beneficiaries contact Welsh Government?
Beneficiaries must contact the Welsh Government/WEFO immediately if a data breach occurs or if you receive a request from a participant relating to the data which is held on them. In these circumstances please contact WEFO.PPIMS@gov.wales.