Data protection notice for students and applicants

This notice sets out how we deal with the personal information of people who are applying to, or studying at, Cardiff University’s branch campus in Astana, Kazakhstan.

This notice may be updated from time to time to ensure continued compliance with current legislation and to reflect best practice. For the avoidance of doubt this is a collective notice on behalf of Cardiff University and Cardiff University Kazakhstan, where this document refers to a collective (e.g. we or us), it is referring to both parties. All references to “Cardiff University” in this notice are references to Cardiff University within the UK (charity number 136855).

Legal roles of parties

Cardiff University is an Operator under the Law of the Republic of Kazakhstan “On Personal Data and Its Protection” No. 94-V dated 21 May 2013 (as amended) (the “Kazakhstan Data Protection Law“) and a Joint Controller under the UK General Data Protection Regulations (UK GDPR) (together with the Data Protection Act 2018, the “UK Data Protection Law”). The Operator determines the purposes and means of processing personal data and is responsible for ensuring its protection.

Cardiff University Kazakhstan is an Owner and a Processor under Kazakhstan Data Protection Law and a Joint Controller under the UK GDPR. The Owner is responsible for the database located in Kazakhstan containing personal data and has primary responsibility for ensuring the data is collected, processed, and protected in accordance with the law.

Both parties are legally responsible for processing your personal data in accordance with both sets of data protection legislation. In order to carry out its functions and obligations in respect to your study, it is necessary for us to collect, store, analyse and sometimes disclose your personal data.

We collate information about you at enquiry, application and enrolment stage in order to answer your enquiry, fulfil any event bookings, manage your application(s), administer your studies, provide services, and award qualifications. We will also use some of the information for analysis and monitoring.

Cardiff University is registered as a Data Controller with the Information Commissioner’s Office (ICO) to process personal data. Reg no Z6549747.

Personal information we collect about you and where we get it from

The following gives an indication of the types of information which are currently collected and processed at different stages from initial enquiry, application, through to enrolment and throughout your time at the University:

Your Identity including name, Date of Birth, Gender and Nationality
IIN number (Kazakhstan national identity card no.) and your student number
Your qualifications achieved and currently being undertaken including supporting documents such as qualification check declaration, degree details and relevant employment history
Contact details
Passport or national identity (details and scan)
Any student photograph*
Your attendance at the University (including any suspension or exclusion information)
Disability or other medical data
details of extenuating circumstances, a severe and exceptional circumstance in the period immediately prior to, or at the time of, an assessment
details of any pastoral, financial, care or academic support given prior to, or during, your time at university including mental health and wellbeing information
details of any disciplinary or formal/informal conduct issues
English language proficiency (existing qualification), determination of requirement to carry out an English language test and when one is required, study dates and result
Application result (whether offered or rejected)
How your studies are funded, including fee information, intention to apply for a scholarship and scholarship details (including Unified National Test score)
Details of your examination and assessment results during your time at the University
Record of consent from parents (for under 18s to study or residence),
Social media contact
- Any enquiries you send us
- Any event bookings that you make with us
- Any courses of interest
- How you would prefer to receive marketing

This personal data includes categories of data classed as special category data such as that collected for equality of opportunity monitoring including ethnicity, religious beliefs or sexual orientation. You can find more information on special category data in our appropriate policy document on request.

We may collect your personal information directly from you, from other individuals or third-party organisations. For example, data: will be shared between Cardiff University and Cardiff University Kazakhstan; might be received from your agent in relation to your application; will be obtained from your passport or other identity documents such as your driving licence; will be obtained from documentation completed by you when you enrol; or through interviews, meetings or other assessments. We will also hold information supplied by third parties such as references.

*Your photograph will be used, where necessary, for the purposes of identifying you in the course of the University’s legitimate business, and will appear on your University Student ID card.

What is our legal basis and purpose for processing your personal data?

The Kazakhstan Personal Data Law generally recognises only one specific legal basis for the collection and processing of personal data – data subject consent. Cardiff University Kazakhstan will always process your personal data on the legal basis of your consent. To the extent that Kazakhstan Data Protection Law applies to any processing of personal data carried out by Cardiff University, Cardiff University will also process such personal data on the legal basis of your consent to comply with Kazakhstan Data Protection Law. The consent we collect will include the mandatory provisions required under the Kazakhstan Personal Data Law.

This consent is valid from the date of signing and shall remain effective for the duration of a Student’s studies and for a period of 6 years thereafter, unless a longer retention period is required by law or justified for lawful purposes (e.g. archiving our core student record, verification of education).

With respect to the UK GDPR the purposes and related legal basis under which Cardiff University may process your personal data, are set out below (although given the complexity of the relationships that the university has with its students, this is not exhaustive):

Purpose	Lawful basis
Student experience
The administration of your studies including: EnquiriesEvent bookings/ attendanceapplicationenrolmentassessment, progression and awardsconduct matters, complaints, appeals and reviewsattendance and engagementfinancial information e.g. fees, funding, sponsorship	Article 6(1)(e) – necessary for performance of a task carried out in the public interest or in the exercise of official authority vested in Cardiff University (“public task”);
The production and, as appropriate, distribution of research and educational materials (including recording of educational activities and online learning provision)	Article 6(1)(e) – Public task
Providing access to, and security of, university facilities (including library services and IT services)	Article 6(1)(e) – Public task
To consider and provide support for disability or health related adjustments	Article 6(1)(c) – necessary for compliance with a legal obligation that Cardiff University is subject to (“legal obligation”)
To support student wellbeing and provide pastoral care, where such services are in place.	Article 6(1)(e) – Public task Article 6(1)(e) – necessary for the purpose of Cardiff University’s or a third party’s legitimate interests, but only where the processing does not fall within our core public function, is not unwarranted and will not cause a prejudicial effect on your rights and freedoms, or legitimate interests (“legitimate interests”)
To provide support and opportunities (including verification of your award) to enhance your prospects in terms of your future education and career.	Article 6(1)(e) – Public task
To fulfil the University’s obligations/need
Carrying out statutory duties to provide information to external agencies or in life-or-death situations (see ‘Sharing information with others’ for further details)	Article 6(1) (c, d and e) – Legal obligation Vital interests Public task
Meeting our legislative obligations e.g. health and safety or immigration	Article 6(1)(c) – Legal obligation
Developing and maintaining an alumni programme	Article 6(1)(f) – Legitimate interest
To produce management statistics and to conduct internal research into the effectiveness of our programmes of study	Article 6(1)(e) – Public task
Internal and external auditing purposes	Article 6(1)(c) – Legal obligation
To provide you with any advice and information which you have requested e.g. via social media contact. Further information about handing of your data when you request advice via Cardiff University’s website is available on Cardiff University’s website privacy notice.	Article 6(1)(a) – Consent
Marketing
To contact you with further information we think you might be interested based on, where possible, the course(s) you have applied for	Article 6(1)(f) Legitimate interest
To monitor the effectiveness of marketing material by analysing opened mail returns and click-throughs (3)	Article 6(1)(f) Legitimate interest
To create lookalike audiences for the purposes of advertising to users with similar characteristics on platforms such as Facebook, Instagram, X (formerly Twitter), Snapchat or TikTok. You can update your preferences by accessing your privacy settings on these sites. (3)	Article 6(1)(f) Legitimate interest
From time-to-time, other activities that fall within the pursuit of the university’s legitimate business and do not infringe your rights and freedoms (3)	Article 6(1)(f) Legitimate interest

Sharing information with others

Both Cardiff University and Cardiff University Kazakhstan will routinely share data with each other for the purposes identified at the outset of this notice (including the administration of your application, studies, services and awards). This sharing will be in compliance with cross-border and restricted international transfer requirements of both the Kazakhstan Data Protection Law and UK Data Protection Law.

Information will also be shared with Private Company “Cardiff University Kazakhstan Holdings Limited (“Holding Company”), one of the founding entities of Cardiff University Kazakhstan. As part of its governance and oversight role, the Holding Company may be informed or consulted on certain educational, financial, and administrative matters. In addition, some staff members of the Holding Company may be involved in specific stages of academic operations, such as participation in the Admissions Committee and Graduation processes.

We may share your relevant personal data with other external organisations. This list is not exhaustive and any disclosures that we make will be in accordance with UK Data Protection Law and Kazakhstan Data Protection law and your interests will always be considered.

Disclosure to	Details
Qualified Centre of Education Public Foundation QCEF	As a co-founders of the University, Cardiff University Kazakhstan’s executive body is accountable to QCEF for all aspects of its operations, including certain categories of student data.
Potential employers or providers of education whom you have approached.	To confirm your qualifications.
UK Government/state agencies with duties relating to the prevention and detection of crime, collection of a tax or duty or safeguarding national security.	In order to allow the assessment, and payment and collection of relevant taxes or benefits. To aid the police or other relevant state services This happens only as necessary and in consideration of your rights and freedoms.
Government authorities of the Republic of Kazakhstan	These include: Local executive bodies (Akimats);The Ministry of Science and Higher Education;The Ministry of Defence (in relation to military registration);The Ministry of Internal Affairs (particularly in the case of foreign students) and;other authorised bodies, in accordance with the legislative requirements of Kazakhstan.
Plagiarism detection service providers	In accordance with the contract with the service provider (e.g. Turnitin) to ensure academic standards.
Third-party service provider	Where we contract with a service provider to assist with the efficient delivery of university business and activity (e.g. to provide administration support in application processing). These organisations are contractually bound to keep your data safe and only use it as Cardiff University tell them to.

How long your information will be held

Cardiff University will retain your personal information in line with their respective retention policies. You can access Cardiff University’s Records Management Policy and Records Retention Schedules on its website. Cardiff University Kazakhstan’s retention approach will comply with applicable Kazakhstani legislation.

We will maintain a core student record of your studies permanently. Details of what will be held as part of that record can be found at Section 3.6 of the Student Administration and Support Records Retention Schedule.

Security of your information

Both Kazakhstan Data Protection Law and UK Data Protection Law requires us to keep your information secure within the databases maintained in both countries. This means that your privacy will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Only members of staff who need access to relevant personal data will be authorised to do so. Information about you in electronic form will be subject to password and other security restrictions, while paper files will be stored in secure areas with controlled access. You can find out more about Cardiff University’s Information Security Framework by referring to the university Information Security Policies.

Cardiff University Kazakhstan will implement appropriate technical and organisational security measures in line with Kazakhstani Data Protection Law and sector best practices.

Some processing may be undertaken on our behalf by organisations contracted for that purpose. Organisations processing personal data on our behalf will be bound by an obligation to process personal data in accordance with data protection legislation.

Your data protection rights

Under the UK Data Protection Law you have a number of rights such as a right to request a copy of personal data we hold about you. To find out more about your rights under UK Data Protection Law and how you can exercise them, please see our web page your data protection rights.

Under Kazakhstan Data Protection Law personal data subjects have rights in relation to:

receiving information or clarification regarding the processing of his personal data;
prevention of processing if the personal data is inaccurate or not necessary for the stated purpose of processing;
submitting a condition of prior consent when processing personal data for marketing purposes;
to appeal to the authorized body for the protection of the rights of personal data subjects;
to exercise other rights provided for by the legislation of the Republic of Kazakhstan;
revoking consent to the processing of personal data only in the cases provided for by the legislation of Kazakhstan.
Limitation of the Right to Withdraw Consent – Please be advised that the data subject has the right to withdraw previously given consent for the collection and processing of their personal data, except in cases explicitly provided for in paragraph 2 of Article 8 of the Law of the Republic of Kazakhstan “On Personal Data and Their Protection”.

Consent cannot be withdrawn where:

– the processing is required for archival purposes in accordance with the legislation of the Republic of Kazakhstan, including long-term storage of academic records;

– the data is needed to verify academic achievements, awards, or recognitions received by the student;

– it is necessary to justify the fact of incomplete studies (e.g., academic withdrawal, expulsion, or voluntary departure);

– the data subject has outstanding obligations to the data controller, including but not limited to contractual obligations under an education agreement.

In such cases, the data controller shall continue processing the personal data until the specified purposes are achieved, or until the retention period prescribed by the legislation of the Republic of Kazakhstan has expired.

Do we transfer information outside the UK and Kazakhstan?

The regular transfer of data between Cardiff University and Cardiff University Kazakhstan will be carried out in compliance with cross-border transfer requirements of Kazakhstan Data Protection Law and the requirements of UK Data Protection Law for any restricted international transfers of personal data. In some cases, data may also be stored in Kazakhstan by Cardiff University Kazakhstan or its contracted partners, in accordance with Kazakhstani data protection laws and information security laws.

The information stored by Cardiff University is stored on our secure servers, or on our cloud-based systems. These are located within the UK or in countries/areas which are considered to have adequate privacy and information security provisions, such as the EEA. However, there are times when we will need to store information outside these locations and where we do, we will carry out transfer risk assessments where required to ensure that appropriate security measures are taken to protect your privacy rights. This may mean imposing contractual obligations on the recipient of your personal information where no other relevant safeguards exist. Technical measures such as encryption will also be considered.

How to raise a query, concern or complaint

If you still have queries, concerns or wish to raise a complaint about the means your data is processed by Cardiff University, details of how you can contact the University Data Protection Officer and Information Commissioner’s Office are available on our UK Data protection page.

If you still have queries, concerns or wish to raise a complaint about the means your data is processed by Cardiff University Kazakhstan, details of how you can contact the Data Protection Representative – Talgat Zhussipbek, t.zhussipbek@qcef.kz. If you which to exercise your rights to appeal you can contact the Ministry of Digital Development, Innovations, and Aerospace Industry of the Republic of Kazakhstan: info@mdai.gov.kz, www.egov.kz.