Privacy and cookies

Privacy notice: how we use your data

Last update: 13 November 2020

The Petitions site lets you start and sign petitions to raise issues with the Welsh Parliament/Senedd Cymru (referred to hereafter as the Senedd).

The Petitions service is provided by the Senedd. We need to collect, process and store some personal data to enable you to do this.

Data Controller

The Senedd Commission is the data controller of the information you provide, and will ensure it is protected and used in line with data protection legislation.

Our Contact Details

Any queries regarding our use of your information should be sent to the Data Protection Officer at: 0300 2006565

What data we collect from you

The personal data we collect from people who sign petitions will include:

  • your name
  • your email address
  • your postcode
  • the country you live in
  • the IP address you use when starting or signing a petition

In addition, for people who start a petition we will also collect:

  • your postal address
  • your contact telephone number
  • any personal information or details that you provide within the petition itself.

We sometimes receive information relating to people who have signed petitions on paper. Paper petitions are securely stored and retained for the same period as personal data received through our own electronic petitions system. They are destroyed in a secure manner at the end of the retention period.

Why we need your data

We use this information to:

  • facilitate the petitions process
  • make sure that people only sign a petition once
  • check that you’re eligible to start a petition
  • contact you about petitions you start
  • if you choose to sign up to email updates about what happens in the Senedd on petitions you’ve signed
  • we may occasionally contact people who start or submit petitions to seek feedback on the petitions process and how it could be improved.

What we do with your data

We use your personal information to process the petition you have started or signed.

If you start a petition and we accept it, your name will be published alongside any text you include within the petition. We won’t publish any of your contact details. If you start a petition, your name will remain permanently referenced alongside the petition on the Petitions Committee’s web pages and in meeting transcripts and recordings, as part of the official record of the Senedd’s petitions process.

If you’ve signed a petition, we won’t publish any personal information about you.

We’ll use your postcode to work out how many people in Wales and within each Senedd constituency and region have signed a petition.

We will retain your personal data from the date you start or sign a petition until 12 months after it is no longer being considered by the Petitions Committee, i.e. until 12 months after the Committee considers the petition to be completed, apart from any personal data which has been published.

Any information which has been published will remain permanently online in the records of the Senedd’s petitions process, including in any material published by the Petitions Committee.

IP addresses are used to protect the petitions site and prevent fraudulent activity.

We will share your data if we’re required to do so by law – for example, by court order, or to prevent fraud or other crime.

What we’ll email you about

If a petition you’ve started is referred to the Petitions Committee, we’ll use your contact details to update you about the petition’s progress and to offer you the opportunity to provide further information and engage with the Committee.

You will receive automated confirmation emails when you set up or sign a petition.

If you’ve signed a petition, you can choose to receive updates about the progress of the petition. This might include contacting you to let you know what is happening in the Senedd in relation to your petition, such as: debates that you can watch or read, chances to respond to a consultation, or ways to let committees and Members of the Senedd know why the petition is important to you.

We may occasionally use your contact details to seek your views on the Senedd’s petitions process.

You can stop these emails at any time by clicking the “unsubscribe” link in the email.

Who has access to the data and where is it processed and stored

Senedd Commission staff administering the petitions process will have access to your personal information.

Unboxed Consulting Limited who provide technical support for the petitions system will also have access to the system for troubleshooting and maintenance purposes only.

Electronic information will be stored on Senedd ICT systems, which includes third party cloud services provided by Microsoft. Any transfer of data by Microsoft outside of the EEA is covered by contractual clauses under which Microsoft ensure that personal data is treated in line with European legislation.

The petitions system uses Amazon Web Services (AWS) cloud storage to store your data. AWS store data within the European Economic Area (EEA).

The petitions system uses the GOV.UK Notify service to send emails relating to the petitions process including updates. Emails sent are stored for 7 days. The privacy notice for the GOV.UK Notify service is available here:

How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. We set up systems and processes to prevent unauthorised access or disclosure of the data we collect about you – for example, we protect your data using varying levels of encryption. All third parties who process personal data for us are required to keep that data secure.

Our legal bases for collecting, holding and using your personal information

Data protection law sets out various legal bases (or ‘conditions’) which allow us to collect, hold and use your personal information.

We consider that our collection and use of your information is necessary to help us facilitate the petitions process and allow the public the chance to raise and show support for issues with the Senedd.

As such, personal data is processed on the basis that it is necessary for the performance of a task carried out in the public interest in accordance with Article 6(1)(e) of the General Data Protection Regulation (GDPR), read together with section 8(d) of the Data Protection Act 2018.

Where we are required to process personal data in order to comply with a legal obligation, such as a request under access to information legislation or a court order, we will do so on the basis that processing is necessary for compliance with a legal obligation pursuant to Article 6(1)(c) of the GDPR.

We may process personal data relating to criminal convictions and offences. In order to comply with Article 10 of the GDPR, this data will be processed in accordance with our Article 6 legal basis, as outlined above, and section 10 of, and paragraph 6 of Schedule 1 to, the Data Protection Act 2018.

Finally, we may process special categories of personal data of those who start or sign a petition, and/or contribute to its passage through the Senedd’s petitions process. Special category personal data is defined in Article 9(1) of the GDPR as the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation.

Special category personal data will usually be processed on the basis that it is necessary for reasons of substantial public interest, pursuant to Article 9(2)(g) of the GDPR read in conjunction with section 10 of, and paragraph 6 of Schedule 1 to, the Data Protection Act 2018. However, where your special category personal data is made public by you, it may be processed on the basis that it has already been manifestly made public by you, pursuant to Article 9(2)(e) of the GDPR.

Requests for information made to the Commission

The Senedd is subject to access to information legislation. In the event of a request for information being made under access to information legislation, it may be necessary to disclose all or part of the information that you provide. However, we will only do this if we are required to do so by law.

What are your rights

You have certain rights over the information we hold. In summary, the rights include:

  • The right to be informed about how your personal information is used;
  • The right of access to copies of your personal information;
  • The right to rectification if your information is inaccurate;
  • The right to restrict our use of your personal information in certain circumstances;
  • The right to object to the use of your personal information in certain circumstances.

If you would like to engage any of these rights, please email

Changes to this notice

We may change this privacy notice. In that case the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, we will take reasonable steps to make sure you know.

How to complain

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Helpline number: 0303 123 1113


This website puts small files (known as ‘cookies’) onto your computer to collect information about how you browse the site.

Cookies are used to:

  • measure how you use the petitions service so it can be updated and improved based on your needs
  • remember the notifications you’ve seen so that we don’t show them to you again
  • help prevent people from fraudulently signing petitions

Some cookies are strictly necessary to ensure the secure running of this website. They are not used to identify you personally.

Find out more about how to manage cookies.

Google Analytics cookies

We use Google Analytics to collect information about how you use the service. This information helps us to improve the service and prevent fraudulent signing. When you first visit the site on a new device an option is provided to opt-in to analytics cookies.

The Google analytics cookie collects and stores information about:

  • unique users
  • informing referring sites
  • vistor and session counts
Name Purpose Expires
_ga A randomly generated reference is used to identify unique users and inform referring sites, visitor and session counts 2 years

Google isn’t allowed to use or share our analytics data with anyone, but you can opt out of Google Analytics cookies.

Session cookies

We store a session cookie on your computer to help keep your information secure while you use the service.

Name Purpose Expires
_wpets_session This keeps your information secure while you use the petitions service When you close your browser
_wpets_session This keeps your information secure while you use the petitions service When you close your browser
signed_tokens Randomly generated references used to identify what links you’ve clicked to verify your email address. When you close your browser