Privacy policy

We’re committed to protecting the privacy and security of your personal information. 

As a data controller we’re responsible for deciding why and how we hold and use personal information about you.

This policy with our privacy notices describe how we collect and use personal information, such as:

• for tax collection and management
• about our staff to do with their employment
• from who we get goods and services
• we collect from social media interaction
• saved as files (known as ‘cookies’) from our online services

Data protection legislation requires us to let you know about the information contained in our privacy notices.

You should read all notices that apply to you when we’re processing your personal data, so you know how and why we’re using your information. We may sometimes need to provide you with extra privacy notices.

As a statutory body, we have statutory functions and a legal duty of confidentiality. This is set out in the Tax Collection and Management (Wales) Act 2016 (TCMA).

We’ll only share your personal data with third parties where we’re legally allowed to do so.

We’ll always comply with data protection law. Personal information we hold about you must be:

• used lawfully, fairly and in a transparent way
• collected only for valid purposes that we’ve clearly explained to you and not used in any way that is incompatible with those purposes
• adequate, relevant and limited to what’s needed for the purpose of the processing
• accurate and kept up to date
• kept in a form that identifies you for only as long as needed for the purposes we’ve told you about
• kept securely

We process data about:

• members of the public
• customers and clients
• businesses
• suppliers and service providers
• advisers, consultants and other professional experts
• complainants and enquirers
• taxpayer agents and representatives
• relatives, children, guardians, dependents and associates
• offenders and suspected offenders
• job applicants
• workers
• tax payments and liabilities

Depending on the reason for our processing, we may collect, store and use specific categories of information about you. This includes:

• your contact details, such as name, title, address, email addresses and phone numbers
• gender
• marital status
• National Insurance number, passport, driving licence and other identification
• bank account details
• your employment
• your business activities
• your domestic and business properties
• civil findings and your convictions
• tracking and monitoring data, for example, cookies, when you use our digital services or social media

We’ll also collect, store and use special categories of more sensitive information, where relevant to our role, such as:

• about your health
• about criminal activities and investigations

We collect personal information directly from you, such as when:

• you, your representative or agent use our services
• you submit tax returns to us
• you contact us and correspond with us
• we communicate with you
• we undertake checks on tax returns and transactions
• you use GOV.WALES and our social media (also see Cookies)
• you attend an event or webinar

We may also receive your personal information directly from third parties such as:

• other government departments
• public authorities
• publicly available sources
• your agent or representative (if applicable)
• intelligence sources
• whistleblowing

We’ll only use your personal information when the law allows us to.

Most commonly, we’ll use your personal information where needed:

• to comply with a legal obligation
• to carry out a task in the public interest or in the exercise of our official authority as a government department
• to assess or collect tax, including civil investigations and proceedings
• for the prevention, investigation, detection or prosecution of crime

We may sometimes ask you for consent to use your personal information. But your consent is not required for the common uses mentioned.

When we’ll use your personal information

We need all the categories of information mentioned in this policy for us to comply with legal obligations and carry out our role.

But we’ll only collect and use your personal data when we need to. In our case as a revenue authority, for the collection and management of devolved Welsh taxes:

• Land Transaction Tax
• Landfill Disposals Tax

We’ll also process your personal data:

• when carrying out any of our lawful functions
• to check that data we hold about you is accurate and up to date
• to compare it against other information to help reduce tax risk, as well as combat tax avoidance and evasion
• to help us confirm your identity when you contact us or access our services
• to provide and improve services to you (including testing our systems)
• to produce statistics, but we’ll never publish details about an individual taxpayer
• to conduct analysis which helps us to improve our services
• to contact you about our functions and activities
• to enable you to access our services
• when gathering information from other sources (for example banks or financial reporting services)

In some circumstances, we’ll lawfully share your data with:

• third-party service providers
• UK and Welsh government departments
• public authorities
• law enforcement agencies in the UK and European Union (EU)
• debt collection agencies

We’ll also share your data with your consent when you authorise us to do so, such as with your agent or representative. We require third parties to respect the security of your data and to handle it lawfully too.

We may share your personal information with third parties

• When required or allowed by law.
• When you authorise us to do so.
• Required for the performance of our role as a government department.

We’ll also share your personal information with the police and other law enforcement agencies where needed. This will sometimes involve sharing special categories of personal data. For example, data about criminal convictions or allegations.

Use of third-party service providers

We use or work with contractors and other third-party service providers who will process personal data on our behalf. Those third parties are usually our data processors. They can only process your personal data on our instruction or agreement for specified purposes. We do not allow our data processors to use your personal data for their own or other purposes.

We also have some situations where third-party service providers will process personal data as a data controller, for example, our auditors. In these circumstances, we still have strict controls over how the third party can use your data.

We follow strict security standards and treat the security of your data very seriously.

We have robust procedures to safeguard and secure the information we collect about you. All our staff get regular training to keep data safe. Anyone who process personal data on our behalf has to demonstrate they have training and procedures in place to keep data safe.

We also limit access to your personal information to those who have a business or legal need to do so, or have access authorised by you.

Our third-party service providers will only process your personal information:

• on our instruction
• with our agreement
• where they've agreed to secure and treat the information confidentially and keep it secure

We've taken steps to make sure there's an appropriate level of security for personal data processed via our services.

There are procedures in place to deal with any suspected data security breach. We’ll notify you and the regulator of a suspected breach where we’re legally required to do so.

Storing your data

We store all your personal information in the UK and will not transfer it outside the UK. We require third-party service providers who process data on our behalf to do the same. Third parties not under our direct control may store your data in the UK and EU.

We keep your personal information:

• only for as long as it's needed for the purposes why we’re using it
• in line with our published retention and disposal schedule

In some circumstances, we’ll anonymise your personal information so that it can no longer link to you. We’ll use such information without further notice to you.

Our Data Protection Officer oversees compliance with data protection obligations.

For any questions about this policy, related privacy notices, or how we handle your information, contact our Data Protection Officer. Complains should also be directed to this contact in the first instance:

You can also complain directly to the Information Commissioner’s Office (ICO). The ICO is the UK supervisory authority for data protection issues.

Any changes to this policy will be updated on this page; for example, any new uses of personal data.

Revisit this page and any privacy notices that apply as you use our services to make sure you’re aware:

• of what information we collect
• how we use personal data
• when we may share data with other organisations

From time to time, we may also contact you through other means about the processing of your personal data.

Please read privacy notices that apply to you and to see your rights for each type of processing.