Cardiff Data Protection & GDPR Compliance
Legal basis and scope
Local public bodies in Cardiff process personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, together with council-specific privacy notices that set lawful bases and retention limits. The council publishes data protection guidance and contact points for requests on its data protection pages (Cardiff Council Data Protection [1]).
Penalties & Enforcement
Enforcement is primarily the responsibility of the Information Commissioner’s Office (ICO) for statutory breaches; the ICO can issue fines under the UK GDPR and pursue corrective measures. Cardiff Council handles internal compliance, staff discipline and operational corrective actions through its Data Protection Officer and governance processes (ICO administrative fines [2]).
- Monetary fines: ICO penalties can reach "up to £17.5 million or 4% of annual global turnover, whichever is greater" for the most serious breaches (see ICO).
- Local monetary penalties: specific local fine amounts for council data breaches are not specified on the Cardiff Council data protection pages cited above [1].
- Escalation: ICO enforcement follows a graduated approach (warnings, information notices, enforcement notices, monetary penalties); exact escalation thresholds for council actions are not specified on the council page.
- Non-monetary sanctions: orders to stop processing, data-erasure directions, compliance notices, audits and court action are available to the ICO and can lead to binding corrective measures.
- Enforcer & contact: the ICO is the statutory regulator; Cardiff Council’s Data Protection Officer manages local compliance and complaints — contact details appear on the council data protection pages [1].
- Appeals & review: decisions by the ICO can be appealed to the First-tier Tribunal (Information Rights); time limits for appeals are set out by the ICO and tribunal rules and are not detailed on the Cardiff Council page.
- Defences and discretion: lawful processing, reasonable excuse and the existence of a statutory gateway or exemption may apply; permit or lawful basis documentation should be retained.
Common violations and typical outcomes
- Unauthorized disclosure of personal data — may prompt ICO investigation, corrective notice or monetary penalty.
- Poor retention or lack of records — likely compliance notice and requirement to change records management.
- Failure to respond to Subject Access Requests (SARs) within the statutory timescale — may lead to enforcement action; any SAR fee charged or grounds for refusal must be documented.
Applications & Forms
Cardiff Council publishes guidance and forms for Subject Access Requests and other data access matters on its website; the council provides details on how to submit a request and contact points on the access page (Access to your personal data [1]). If a specific official form or fee is required, the council page lists it; otherwise the council states how to submit requests via email or post.
Action steps
- To request your data: use the council’s Subject Access Request guidance and form or contact the Data Protection Officer as instructed on the council pages [1].
- To report a breach: notify the council’s DPO and, for serious breaches, consider reporting to the ICO via its online reporting forms [2].
- If dissatisfied: escalate internally through the council complaints procedure, then to the ICO or tribunal if unresolved.
FAQ
- Who enforces data protection for Cardiff Council?
- The Information Commissioner’s Office (ICO) is the statutory regulator; Cardiff Council’s Data Protection Officer handles local compliance and complaints.
- How do I make a Subject Access Request?
- Follow the council’s guidance and form on the Access to your personal data page; submit by the methods listed there.
- What fines can be issued for breaches?
- The ICO can issue substantial fines under UK GDPR (see ICO guidance); specific local monetary penalties are not specified on the Cardiff Council data protection pages.
How-To
- Identify the request type (SAR, rectification, erasure) and gather identity evidence.
- Use Cardiff Council’s online guidance or form to submit the request as instructed on the council pages [1].
- Note the submission date and keep copies; await council confirmation and response within statutory timescales.
- If you receive no satisfactory response, complain to the council and then escalate to the ICO using the ICO reporting process [2].
Key Takeaways
- Cardiff Council manages local data requests; the ICO is the statutory regulator for enforcement.
- Keep clear records when you submit requests or report a breach to preserve appeal rights.
Help and Support / Resources
- Cardiff Council - Data protection and FOI
- Cardiff Council - Contact us
- Information Commissioner’s Office (ICO)