General Data Protection Regulation
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is the new legal framework in the EU, which will come into force on 25 May 2018. There will also be a new Data Protection Act, which is currently going through Parliament. This new Act will supplement the GDPR and provide new rights to individuals concerning their personal data.
Data Protection Officer
Under the new law, the Council must have a named Data Protection Officer who is responsible for data protection matters and available to contact by members of the public. The Council’s Data Protection Officer is Steve Berry.
If you wish to contact the Data Protection Officer, please email DataProtection@blaenau-gwent.gov.uk.
What will this new law mean for me?
The rights that individuals have about how their personal data is handled and stored are being changed and enhanced. You can find out about the GDPR rights on the ICO website.
You will have the right to know how the data has been processed and make requests, in certain circumstances. These are outlined below.
You can view the Council’s Privacy notice on the following link.
To request information we hold about you - subject access requests
Under the new law, like now, everyone can make a written request to the Council for the information it holds about them. Please only ask for the information you actually need, to save time and allow us to be more efficient. When the new law comes into force, there will be no fee. You will need to provide proof of your identity and address. Once we have a valid request, we will have a month to provide the information requested, which we can extend in some circumstances. We will be allowed (as we are now) to remove (redact) information, for example, legal advice or information about other people. We will have a web form for you to make a subject access request; in the meantime, requests should be submitted to firstname.lastname@example.org.
If we are relying on consent to process your data, you can request to withdraw consent or restrict/object to some elements of the processing. The Council does not rely on consent in most cases because it has legal duties to do certain tasks. For example, processing planning applications, collecting Council tax payments and social work tasks are based on legal duties, not on consent.
We will need to consider appropriate lawful grounds for processing your data if you have consented to the processing and decide later to withdraw your consent.
To comply with the new law we must provide detailed information on why and how we are processing personal data.
To transfer personal data from our electronic processing system to and into another organisation's electronic processing system.
Where we rely on your consent as your legal basis to process your personal data, you have the right to withdraw your consent and ask for your data to be deleted. As explained above we will not rely on consent in many cases.
After 25 May 2018, you will have the right to make changes to inaccurate data.
Automated decisions and profiling
After 25 May 2018, if we process your personal data based on automated decisions, and this will have a legal or similarly significant effect on you, then you can request a written explanation of the decision made and you can contest the results of the decision. Blaenau Gwent County Borough Council does not carry out automated decision making or profiling that comes under this definition.
When it comes into force, we will have to be able to demonstrate how we comply with the new law when collecting and processing your personal data.
We appreciate that these new rights might seem complicated. You can find more information on the ICO website. If you need help in exercising your new rights when the new law comes into force in May 2018 you may contact the Council’s contact centre, or email DataProtection@blaenau-gwent.gov.uk.
Personal data and ‘special categories of personal data’
The new law will apply only to ‘personal data’. You can find out more about personal data and the new GDPR regulations on the Information Commissioner’s website. Special category personal data will be personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or is about a person’s health, sex life or sexual orientation, and includes genetic and biometric data. The Council will need to comply with more safeguards when processing special category personal data.
The Council’s commitments under GDPR
Blaenau Gwent County Borough Council’s commitment will be to ensure that the data is:
- Processed lawfully, fairly and in a transparent manner.
- Collected for a specific and legitimate purpose. It will not be used for anything other than this stated purpose.
- Relevant and limited to what is required for the purposes for which it is processed.
- Accurate, and where necessary, kept up to date. Any inaccuracies will be amended or removed without undue delay.
- Stored for as long as required, as specified in our records retention policy.
- Secured with appropriate solutions, which protect the data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The Council will demonstrate its compliance with these principles.
The Council’s commitment to processing personal data lawfully
The Council will ensure that it meets the conditions necessary for processing personal data lawfully and will ensure this is adequately recorded. There are a number of ways that processing can be lawful. Consent is one method, but it is important to know that consent is not always required and the Council can lawfully process personal data as long as a condition is met. You can find out more about the conditions on the ICO website.