Privacy Notice

Privacy Notice for OPEN SME Programme

This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with data protection legislation.

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

Who we are?

The OPEN SME Programme is an online programme developed by a consortium led by Manchester Metropolitan University involving University of Bolton, University of Manchester, and University of Salford; and is funded by the Greater Manchester Combined Authority and Growth Company. We are committed to protecting the privacy and security of your personal information.

The funder Greater Manchester Combined Authority (GMCA) is the Data Controller. The University and our partners are data processors, who process your personal data on behalf of GMCA. We are responsible for ensuring your personal data is held securely and processed in line with the data protection legislation.

This Privacy Notice for the programme is written by the Manchester Metropolitan University on behalf of GMCA.

What information does the OPEN SME Programme collect?

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are special categories of more sensitive personal data, which require a higher level of protection.

The types of information we will collect and hold about you include:

  • Personal contact details such as your name, title, address, telephone numbers, email address.
  • Business data: business name, address, company house number, UTR (where applicable), business legal status, age of business, sector, turnover, profit, number of employees, selling channels, etc.
  • Other support programmes you have attended previously.
  • Qualifications.
  • Where applicable, information about the requested business support needs and potential provision and assistance suggested to/agreed with you.
  • Information about your use of or participation in the online programme, including but not limited to the number of logins, time of participation, length of participation, module study statistics, diagnostic/assessments/benchmarking scores/reports.
  • Correspondence with or about you, for example email or letters to you about the programme and support requested or provided through us.
  • Photographs for use in marketing (where applicable, separate consent for this will be sought from the participant).
  • Recordings of your attendance and participation in our online clinic/drop-in sessions.

We may also hold categories of more sensitive personal information: equality monitoring information such as information about your age, gender, ethnic origin, disability.

Most of the information we hold about you will have been provided by you, but some may come from other external sources and intermediaries, such as referrals from the University partners. Data will be stored in the online programme platform, the University’s designated secure SharePoint locations, email systems and project-based CRM system.

The purposes of the processing / why does the OPEN SME Programme process personal data?

This section includes an explanation of our lawful basis for processing.

As Data Processor, MMU relies on the lawful basis of GMCA in its processing of participant data. These are:

Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. And,

Article 6(1)(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

As equalities data are requested from the data subjects, the following Article 9 lawful basis for processing special category information applies:

9(2)(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

The basis under DPA 2018 for processing equalities data is Schedule 1(2)(8) – Equality of opportunity or treatment.

We will only use your personal information when the law allows us to. The University needs to process data to enter you into a contract with GMCA, and to comply with our contractual obligations, for example, providing you with the agreed business support services, making claims to funders supporting the projects or undertaking many of the activities listed in the following paragraph. GMCA also need to process your data in order to comply with legal obligations, for example, subsidy control legislation.

The OPEN SME Programme needs to process personal data to pursue its legitimate business interests. Processing personal data allows the project to:

  • Operate recruitment and promotion processes.
  • Maintain accurate and up-to-date programme participant records and contact details.
  • Operate and keep a record of activities and outcomes of the programme.
  • Maintain contact with you to ascertain the impact and results of the programme and your learning experience.
  • Communicate with you regarding learning journey progress, content updates, and programme news.
  • Provide referrals where applicable and appropriate to other business support agencies we believe could help you and your business.
  • Maintain and promote equality in the workplace.
  • Undertake business management and planning, including accounting and auditing.
  • Perform analysis aimed at improving programme quality, effectiveness and user experience.
  • Obtain feedback and conduct evaluations to enable further development and improvement of our projects (current and new).
  • Ensure network and information security and compliance with information and communication policies.

Where special categories of personal information are processed, such as those relating to your gender, ethnicity or disability, this is done for the purposes of equal opportunities and diversity monitoring.

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

We do not envisage that any decisions will be taken about you using automated means, however we will notify you if this position changes.

Recipients / who has access to data?

Your information may be shared with project delivery staff of Manchester Metropolitan University as well as the University’s Partners and Funders mentioned previously (and its representatives and auditors).

We will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual obligations, for instance we may need to pass on certain information about you to the relevant funding bodies as controller. The OPEN SME Programme also shares data with third parties that process data on its behalf, for example consultants and auditors.

We do not send your personal data outside the European Economic Area. If this changes in the future, you will be notified of this and the safeguards in place to protect the security of your data.

How does the OPEN SME Programme protect data?

The OPEN SME Programme takes the security of your data very seriously and has internal policies and controls in place to try and ensure that your data is not lost, accidentally destroyed, misused, or disclosed, and is not accessed except by its employees in the performance of their duties. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality. For more information, please see the University’s Data Protection Policy.

Where the OPEN SME Programme or the University asks third parties to process data on its behalf, for example consultants or evaluators, they do so on the basis of written instructions, are under a duty of confidentiality and must ensure that they have appropriate technical and organisational measures in place to keep the data secure.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data retention / how long does the OPEN SME Programme and University keep data?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, contractual or reporting requirements.

Your personal data will be stored throughout your involvement with the OPEN SME Programme, and for a period afterwards: due to funding requirements, OPEN SME programme data need to be retained until at least 31st December 2035 or until notified by the funder that records can be destroyed.

In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once project records are no longer required contractually and/or for statutory purposes, we will securely destroy your personal information in accordance with our data retention policy.

What if you choose not to provide personal data?

Where applicable, certain information are required to allow the OPEN SME Programme to enter into a contractual relationship with you as project funding streams have eligibility criteria that must be complied with.

OPEN SME programme is funded by public funding. You have certain obligations as a beneficiary of the programme to provide the OPEN SME Programme with data, in order, for example, to ascertain eligibility to access the funded support; ascertain previous state aid / UK subsidy awards etc.

Your duty to data accuracy

It is important that the personal information we hold about you is accurate and current. At the point that participants agree to enrol on the programmes, the University relies on the individual to provide accurate information and keep your own online profile up to date and accurate.

Data subject rights

As a data subject, under data protection legislation, you have various rights in relation to your personal data. You can:

  • Request access to your own data by making an access request – this enables you to receive a copy of the personal information we hold about you and check that we are lawfully processing it.
  • Request that we erase your personal data where we are not entitled by law to process it or it is no longer needed for the purpose it was collected.
  • Request that processing of your data is restricted – this enables you to ask us to suspend the processing of personal information about you, for example if you want to establish or ascertain the reason for processing it.
  • Object to processing of your personal information where we are relying on our legitimate interests and there is something about your particular situation which makes you want to object to processing on this ground.
  • Request the transfer of your personal information to another party.

In most situations, we will not rely on your consent as a lawful basis for processing your data. If we do request your consent to process your data for a specific purpose, you are under no obligation to provide it and you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before your consent was withdrawn.

If you wish to make an access request or assert any of the rights detailed above, please contact the Data Protection Officer using the contact details below.

Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) as the supervisory authority in respect of the processing of your personal data. We would encourage you to expend our internal complaints procedure through our initial contact and the University Data Protection Officer, prior to contacting the ICO. If you wish to contact the ICO the following contact information can be used: or telephone: 0303 123 1113. For any further contact information please see:

Contacting us

For further information about this privacy notice, and how we process your data, please contact in the first instance.

The Data Controller GMCA’s Data Protection Officer can be contacted on

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

Sorry, but there are no products matching this criteria. Please try again.