Data Protection Officer Service Privacy Notice

i‑West Data Protection Officer Service Privacy Notice

About this Privacy Notice

This Privacy Notice explains how One West (i‑West) uses personal data when providing Data Protection Officer (DPO) services to our customers and when responding to individuals who may contact us directly.

It should be read alongside the One West Privacy Notice (which provides overarching information about how we process personal data).

Clients should refer to their individual DPO Service Agreement for further detail on the scope of services provided.

This notice is intended to be clear, transparent and proportionate, reflecting the independent and advisory nature of the DPO role.

Who we are

i‑West is part of One West, a trading arm of Bath and North East Somerset Council.

When providing DPO services, One West acts as a data controller in its own right for personal data it processes in order to carry out the DPO role independently, as required by UK GDPR.

This is separate from the customer organisation’s role as data controller for the personal data they process.

Contact details

One West
Guildhall, High Street, Bath BA1 5AW
Email: i‑west@bathnes.gov.uk
Telephone: 01225 395959

Data Protection Officer

Rob Long

Bath and North East Somerset Council
Email: data_protection@bathnes.gov.uk

The DPO service and our role

i‑West provides professional DPO services to public bodies and other organisations. Our role includes advising on data protection obligations, monitoring compliance, and acting as a point of contact for data subjects and the Information Commissioner’s Office (ICO).

To maintain independence, One West:

  • acts separately from the customer’s management and operational decision‑making
  • does not receive instructions on how to perform DPO tasks
  • provides advice and assurance rather than implementing data protection measures on behalf of the customer

Responsibility for compliance with data protection law remains with the customer organisation in their role as data controller.

When we receive personal data

We may receive personal data in the course of delivering DPO services, including but not limited to:

  • when advising on personal data breaches
  • when supporting Subject Access Requests (SARs) or other individual rights requests
  • when reviewing complaints relating to data protection
  • when advising on or reviewing Data Protection Impact Assessments (DPIAs)
  • when individuals contact us directly in our role as DPO
  • when evidence or contextual information is shared to support compliance reviews

Where possible, we encourage customers and individuals to:

  • provide anonymised or redacted information
  • share the minimum personal data necessary for us to provide advice
  • use secure methods to provide information to us

In many cases, we receive personal data indirectly from customer organisations rather than directly from the individual. Where this happens, the customer organisation remains responsible for providing privacy information to data subjects about the sharing of their personal data with One West for the provision of DPO services and for the secure provision of information to us.

Categories of personal data we process

The types of personal data we may process includes (but are not limited to):

  • contact details (such as name, job title, email address)
  • information contained within correspondence relating to DPO enquiries
  •  personal data relating to individuals where this is relevant to:
    • breach advice
    • SAR advice
    • complaints
    • DPIAs

We do not routinely require special category data. Where such data is included incidentally, it is handled with appropriate care and safeguards.

Why we process personal data

We process personal data to:

  • carry out our statutory and contractual role as a Data Protection Officer
  • advise customers on their data protection obligations
  • support the handling of data subject rights
  • provide assurance and compliance monitoring
  • act as a contact point for data subjects and the supervisory authority (ICO)
  • maintain records of professional advice and service delivery

Lawful basis for processing

When acting as a data controller for DPO‑related processing, One West relies on one or more of the following lawful bases under UK GDPR:

  • Article 6(1)(b) Contract, where processing is necessary for the provision of DPO services under a contract with a customer organisation
  • Article 6(1)(c) Legal obligation, where processing relates to our statutory DPO role and is necessary for compliance with a legal obligation to which we are subject
  • Article 6(1)(e) Public task, where processing is necessary to perform tasks in the public interest or supports public authority functions which are laid down in law
  • Article 6(1)(f) Legitimate interests, where processing is necessary for providing independent advice and assurance, and where this does not override the rights and freedoms of individuals.

Where special category data is processed incidentally, this will normally be under Article 9(2)(g) (substantial public interest) or another appropriate condition, depending on the context.

How long we keep data

As set out in our DPO Service Agreement:

  • service records such as compliance review reports, advice logs and training materials are retained as part of our professional advice history.
  • where personal data is processed as part of the DPO function, it is normally retained for two years following termination of the service, unless:
    • earlier deletion is possible, or
    • a longer retention period is required by law or where there is a legitimate business need to do so.

We review records periodically and remove personal data where it is no longer required.

Who we share information with

We treat information received in the course of the DPO service as confidential.

We may share personal data only where necessary and lawful, including but not limited to:

  • with the Information Commissioner’s Office, for example when supporting breach notifications or regulatory engagement
  • with internal One West or council colleagues where needed to deliver the service securely and effectively
  • with trustees and governors where necessary, for example when supporting data protection complaints or reviews
  • with law enforcement or safeguarding professionals
  • with legal professionals where necessary for the purposes of obtaining legal advice
  • Other Data Protection Officers, where a change in service provision requires the transfer of information to support continuity of DPO services

We do not share personal data with third parties for marketing purposes, and we do not sell personal data.

Where data is stored

Customer and service data is hosted on Bath and North East Somerset Council systems within the UK. Appropriate technical and organisational measures are in place to protect personal data, including device encryption and access controls.

Your rights

Individuals whose personal data we process have rights under data protection law, including the right to:

  • access their personal data and obtain a copy of it
  • request correction of inaccurate information
  • request erasure or restriction in certain circumstances
  • request data portability, where applicable
  • object to processing where we rely on legitimate interests
  • lodge a complaint with the Information Commissioner’s Office

One West does not carry out automated decision‑making or profiling as part of the DPO service.

If you wish to exercise your rights in relation to processing carried out as part of the DPO service, you can contact us using the details above.

Complaints

You have the right to make a complaint to us about the way in which we process your personal data.

We encourage you to raise any concerns with us in the first instance by contacting One_West@bathnes.gov.uk. We will acknowledge your complaint within 30 days and respond without undue delay.  You also have the right to make a complaint to the Information Commissioner’s Office (ICO). The ICO can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

www.ico.org.uk
Tel: 0303 123 1113

Relationship with customer Privacy Notices

Customer organisations are responsible for providing privacy information to their own data subjects about the sharing of personal data with One West for DPO services.

This Privacy Notice explains One West’s role once personal data is received by us.

Updates to this Privacy Notice

We may update this notice from time to time to reflect changes in:

  • our services
  • legal requirements
  • service delivery arrangements

The most recent version will always be available on the One West website.

Last updated: May 2026

© 2018 One-West
Top
OneWest
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.