Here we explain what personal information we collect, why we collect it and what we do with it.
We also explain your rights in respect of your own personal information.
Watch a short guide to how we process personal data:
Controller's contact details
Registers of Scotland is the controller for the personal data we process, unless otherwise stated.
There are many ways you can contact us including on our website, by email and by phone. Please view our contact us page for more details.
Contacting our Data Protection Officer
As a public body, we have appointed a Data Protection Officer whose role includes advising and assisting individuals whose personal we collect and use. You can contact the RoS Data Protection Officer at any time to raise any query or concern you have in respect of how RoS uses your personal information by emailing dataprotection@ros.gov.uk.
Your rights
Data protection legislation gives you rights, which we are required to help you exercise, should you wish to. These are summarised in the table below.
In all cases, some information, such as that held on public registers, will not be covered. If you wish to access information from public registers you should do this through the appropriate mechanism for the particular register and, if necessary, pay the applicable fee.
| Right | What it means |
|---|---|
| Information | You have the right to clear information about how we collect and use your personal information – this privacy notice is one example of how we do this |
| Access | You have the right to request a copy of the personal information we hold about you |
| Correction | You have the right to ask for your personal data to be deleted under certain circumstance |
| Objection to processing | You have the right to object to our use or your personal information under certain circumstances |
| Restriction on processing | If you make an objection, our use of your personal information may be temporarily suspended whilst we deal with your request |
| Portability | You have the right to ask for a copy of your personal information in a machine readable format to pass to another organisation under certain circumstances |
All requests to exercise your rights should be addressed to the RoS Data Protection Officer and you should receive a response within one calendar month.
How we share personal information
We sometimes need to share your personal information with other organisations for statutory or regulatory reasons, or because doing so is in the general public interest.
Some of these third parties may be based outside the UK. Where this is the case, we ensure that the organisation has appropriate safeguards in place to protect the personal data being processed.
The UK government has stated that transfers of data from the UK to the EEA (countries in the EU and also Iceland, Liechtenstein and Norway) are permitted as they have determined that EEA states offer a similar level of protection for personal data as in the UK. Therefore, personal data can continue to be shared from the UK to the EEA without the need for further safeguards.
The privacy notices for each of our core processing activities contain further detail on instances where personal data is transferred outside of the UK and EEA and the safeguards in place to protect the personal data being processed.
These organisations include:
- UK government bodies (for example HMRC)
- Scottish Government, its agencies and non-ministerial departments (for example Revenue Scotland)
- Local government and administration (for example Valuation Joint Boards)
- Law enforcement and regulatory agencies (for example Police Scotland).
Like most organisations, we ask third parties who are part of our own supply chain to collect and use your personal information to help us perform our functions. In each case they do this under explicit instructions from us and are not allowed to pass your information to others without our permission, or to use it for any further purpose.
These organisations include:
- the suppliers of our IT systems and infrastructure including Microsoft and Amazon Web Services (AWS) who are our primary cloud storage providers across our core processing activities. For more information, see Microsoft’s privacy notice and AWS’s privacy notice.
- suppliers of communications systems and services
- suppliers of office and building services
- suppliers of professional services (such as recruitment specialist or legal advisors).
They retain your information only as long as is necessary and we ensure that they return to us, or destroy, any remaining information at the end of our contract with them.
As a public body, RoS is required to comply with statutory obligations to provide access to information (for example the Freedom of Information (Scotland) Act). It may be necessary for us to disclose your personal information to a third party in response to a relevant statutory request. Requests are considered on a case-by-case basis, and we will only disclose your information where we are legally required to do so. You can find more information on the website of the Office of the Scottish Information Commissioner.
For more detailed information on how we share personal information please see the privacy notices for each of our core processing activities.
Complaint to the Information Commissioner’s Office
If you wish to complain about how we are processing your personal data, you can do so by contacting the Information Commissioner’s Office (ICO) via online form, email, phone, live chat or post. For full details see the ICO website.
Changes to this privacy notice
This privacy notice will be updated as necessary to reflect any changes to the way in which we process personal data. If you have any questions about this privacy notice you can contact our Data Protection Officer (DPO) on dataprotection@ros.gov.uk.
Last updated 13 March 2025.
Purpose of processing
As a registration authority, we have a statutory obligation to compile and maintain public registers, and to make these registers available for public inspection. This is essential to establishing and protecting the legal rights of individuals by placing certain information in the public domain.
Lawful basis for processing
We will process your personal data for this purpose in line with our legal obligation to compile and maintain public registers.
Categories of personal data
Land Register of Scotland and the General Register of Sasines,
We collect and use the names and addresses of the buyer and seller of property which is being registered.
Register of Persons Holding a Controlled Interest in Land (RCI)
We collect and use the names and addresses of the owner of the land (called the “recorded person”) and the names, addresses and dates of birth of the persons who have a controlling interest over their decisions in relation to that land which is being registered (called “associates”). Once processed, this information, with the exception of the dates of birth, is entered on the public register and is available for public inspection. Where a security declaration is in effect, the associate’s name and address will not be available on the public register.
Crofting Register
We collect and use a range of personal information including names and addresses of individuals who have rights in respect of crofts.
Register of Inhibitions
We collect and use a range of personal information including names and addresses of individuals who are subject to legal inhibition.
Register of Deeds, Register of Judgements, Register of Protests
We collect and use a range of personal information including names and addresses of individuals who are the subject of registered deeds, writs, judgements or protests.
Register of Applications by Community Bodies to Buy Land and Register of Community Interests in Land
We collect and use a range of personal information including the names and addresses of individuals who have rights as agricultural tenants or represent community bodies.
Source of personal data
To compile the Land Register of Scotland and the General Register of Sasines, we collect information via an application form, usually submitted to us by a solicitor acting on behalf of the applicant(s).
To compile the Register of Persons Holding a Controlled Interest in Land (RCI), we collect information via an on-line submission service, submitted to us by the recorded person or an authorised professional representative acting on their behalf.
We collect and receive information on our other registers directly from applicants, and sometimes from other organisations, such as the Accountant in Bankruptcy (AiB), the Crofting Commission, or the Scottish Government.
Retention period
Personal data held on our public registers is kept permanently as part of our statutory obligations.
Draft applications submitted using any of our online, digital submission services are retained for 365 days as we recognise that there can sometimes be a delay between starting the application form and submission. After this period, the draft form and any data entered into the form will be deleted.
Recipients of the data
We make our registers available in line with our statutory obligations and the general public interest in accessing information from public registers.
In some cases, we manage registers on behalf of, or in partnership with, other organisations, such as the Scottish Government and Scottish local authorities. For the Scottish Landlord Register, the Scottish Letting Agent Register, and the Scottish Property Factor Register we act as a data processor. For more information, please see the privacy notices for each of these registers below:
We also make information from the Register of Sasines and the Register of Inhibitions available under license to a range of public bodies, for the purpose of the public interest and to conveyancing companies on the basis of a legitimate commercial interest. We make information from the Land Register of Scotland available under licence to our customers on the basis of a legitimate commercial interest.
Will the data be transferred outside the UK or EEA?
No.
Your rights in relation to this data
For processing that is necessary for compliance with legal obligations you have the right to:
- Access
- correction
- restriction on processing.
Is it obligatory to supply this data and what are the consequences of not supplying the data?
Yes, you are obliged to supply this data in order to achieve registration.
Will the data be used in automated decision making?
In certain circumstances, part or all of the registration process is undertaken by automatic means. Where a deed can be registered automatically, the decision to do so is based on a combination of the presence of the required information in the required format in the application and analysis of deed characteristics.
Purpose of processing
If you, or someone acting on your behalf, requests products or services from us, for example through our website, ScotLIS or eServices portal, we will collect and use your personal information in order to provide you with that service. This includes services where you sign up to receive alerts.
We may also use this information to contact you in relation to our products or services in the future; you can opt out of these communications.
You can browse our websites and the Knowledge Base without disclosing your personal information.
However, our website uses essential cookies to function correctly, and some third-party services may also set cookies on your browser. Any cookies that collect and use your personal information will request your consent when you access the website for the first time. You can change your privacy settings in relation to cookies at any time via your internet browser settings.
Find out more about cookies on our cookies notice.
Lawful basis of processing
In most cases we will collect information about your behaviour as a customer, for example which products and services you are using and how often, in order to help us meet our contractual obligations to you.
Categories of personal data
This will include collection and use of your personal details, contact information and financial information when applicable.
Source of personal data
If we already hold the information requested, then we will access it and use it to provide you with the product or service you have requested.
If we need to collect additional information from you, such as payment information, we will do so and use it for the same purpose.
Recipients of the data
For some transactions, RoS use a third-party payment processor, Stripe who are based in the United States. For more information, see Stripe’s privacy notice.
For card payments taken over the phone, RoS use a third-party payment solution, Cirrus PCI Pro and Pay 360. For more information, see Cirrus’s privacy notice and Pay360’s privacy notice.
RoS use a third-party direct debit verification tool, Bottomline. For more information, see Bottomline’s privacy notice.
We use GOV.UK Notify, provided by the Government Digital Service (GDS), to share invoices or other important updates about services for some of our registers. For more information, please see GOV.UK Notify’s privacy notice.
Retention period
We retain this information for a maximum of 7 years after its first use.
Will the data be transferred outside the UK or EEA?
Stripe are based in United States and your personal data may be transferred there. Stripe are compliant with the UK Extension to the EU-U.S. Data Privacy Framework when transferring data to the United States.
Your rights in relation to this data
For processing that is necessary for performance of a contract or for undertaking steps necessary for entering into a contract you have the right to:
- Access
- correction
- restriction on processing
- portability.
Is it obligatory to supply this data and what are the consequences of not supplying the data?
Yes, supplying this information is obligatory. You cannot use our services without supplying this information.
Will the data be used in automated decision making?
No.
Purpose of processing
We collect and process personal data about visitors to our offices for security and safety reasons so that we know who is in our buildings.
Lawful basis of processing
Processing of personal data for this purpose is necessary for our legitimate interests.
Categories of personal data
If your visit is planned, we’ll send your name and visit information to reception before your visit. This is so they know to expect you and who to contact on your arrival. We also ask all visitors to sign in and out at reception.
If you require a visitor’s car parking space, we will also require details of your vehicle.
Images are recorded by Closed-circuit television (CCTV) which operates outside the building and at our entrances.
We have Wi-Fi on site for visitors to use. We log traffic information in the form of sites visited duration and date sent/received. We don’t store IP addresses.
Source of personal data
Personal data will be gathered from visitors directly or by CCTV cameras located in our buildings.
Retention period
CCTV footage is retained for 30 days after the date of capture, although we may process footage for a longer period, for example, if footage is relevant to an investigation.
Personal data held in Cloudbooking will be retained while your account is active. Data from inactive Cloudbooking accounts are anonymised after 12 months.
Visitor sign in information is retained for two years.
Recipients of the data
We use a third-party desk and carpark space booking solution, Cloudbooking. For more information see Cloudbooking’s privacy notice.
In certain circumstances we may be required to disclose CCTV images to certain bodies of authority, such as the police and emergency services.
Will the data be transferred outside the UK or EEA?
No.
Your rights in relation to this data
For processing that is necessary for the purposes of our legitimate interests you have the right to:
- Access
- correction
- restriction on processing
- objection
- erasure.
Is it obligatory to supply this data and what are the consequences of not supplying the data?
Yes, supplying this information is obligatory. You cannot visit our office without supplying this information.
Will the data be used in automated decision making?
No.
Purpose of processing
We collect and process your information because you have entered into, or wish to enter into a contract with us, to be a tenant in one of our buildings.
If you choose to use our guest network service (wired access to the internet) we will process some personal data in order for you to access and use this service.
Closed-circuit television (CCTV) operates outside the building and at our entrances. This is for security and safety reasons.
Lawful basis of processing
Processing of this data is necessary for performance of a contract or for undertaking steps necessary for entering into a contract.
Processing of personal data captured by CCTV is necessary for our legitimate interests.
Categories of personal data
This will include collection and use of personal identifiers such as name and contact details.
Personal data gathered from use of our guest network service (wired access to the internet) include email address, authentication attempts, activation and last login dates, IP address and MAC address.
Visual images as recorded by CCTV.
Source of personal data
Personal data will be collected directly from you as part of the contract process, when you register to use our guest network service or by CCTV cameras located in our buildings.
Retention period
CCTV footage is retained for 30 days after the date of capture, although we may process footage for a longer period, for example, if footage is relevant to an investigation.
Personal data gathered from use of our guest network service will be retained while your account is active. Your data will be deleted when your account has been inactive for 1 month.
Personal data will be retained in Cloudbooking while your account is active. Data from inactive Cloudbooking accounts are anonymised after 12 months.
Recipients of the data
We use a third-party desk and carpark space booking solution, Cloudbooking. For more information see Cloudbooking’s privacy notice.
In certain circumstances we may be required to disclose CCTV images to certain bodies of authority, such as the police and emergency services.
Will the data be transferred outside the UK or EEA?
No.
Your rights in relation to this data
For processing that is necessary for performance of a contract or for undertaking steps necessary for entering into a contract you have the right to:
- Access
- correction
- restriction on processing
- portability.
For processing that is necessary for the purposes of our legitimate interests you have the right to:
- Access
- correction
- restriction on processing
- objection
- erasure.
Is it obligatory to supply this data and what are the consequences of not supplying the data?
Yes, supplying this information is obligatory. You cannot be a tenant in one of our buildings without supplying this information.
Will the data be used in automated decision making?
No.
Purpose of processing
If you sign up to any of our communications, campaigns, events or surveys, including through our social media channels, we will collect and use your personal information for the purpose of communicating and consulting with you, facilitate our events and we may inform you about our products and services.
We monitor the usage and uptake activity of all of our newsletters, for example whether or not the message is received, opened and clicked on, to ensure its effectiveness.
Lawful basis of processing
We will process your personal data for this purpose in line with our contract with you or on the basis of your consent, whichever applies.
If we need to pass information on to a third party for event facilitation reasons, consent will be sought at the time of booking.
Categories of personal data
This will include collection and use of personal identifiers such as name and email address.
Source of personal data
We will process the personal data that you provide us with when you subscribe to any of our communications, campaigns, events or surveys.
Retention period
We’ll keep your information for as long as is necessary to fulfil our contract with you, or for as long as we still have your consent to do so.
Recipients of the data
We use a third party, Salesforce, a cloud-based CRM software to store customer contact information. For more information, see Salesforce’ privacy policy.
We use a third party, BigMarker, as our virtual events platform who are based in the United States. For more information see BigMarker’s privacy policy.
We use, a third party, Mailchimp, to send our newsletters who are based in the United States. For more information see Mailchimp’s privacy notice.
Will the data be transferred outside the UK or EEA?
BigMarker are based in the United States and your personal data will be stored and processed on BigMarker’s servers at AWS data centres in the USA. BigMarker are complaint with the UK standard contractual clauses when transferring data to the United States.
Mailchimp are based in United States and your personal data may be transferred there. Mailchimp are compliant with the UK Extension to the EU-U.S. Data Privacy Framework when transferring data to the United States.
Your rights in relation to this data
For processing that is necessary for performance of a contract or for undertaking steps necessary for entering into a contract you have the right to:
- Access
- correction
- restriction on processing
- portability.
For processing that is carried out on the basis of your consent you have the right to:
- Opt-out of these communications at any time. You can withdraw this consent at any time by emailing communications@ros.gov.uk or by using our mailing list unsubscribe form.
- erasure.
Is it obligatory to supply this data and what are the consequences of not supplying the data?
No, supplying personal data for purpose is optional. If you choose not to provide your data for this purpose, we will not be able to send your communications about our campaigns, events or surveys.
Will the data be used in automated decision making?
No.
Purpose of processing
If you contact us with an enquiry, comment or complaint, we will use the personal information you provide to us to respond and resolve your issue.
To make an enquiry, comment or complaint, you can use our contact form.
Lawful basis of processing
We will process your personal data for this purpose on the basis of your contract with you and our public task.
Categories of personal data
This will include collection and use of your personal details and any other personal data you provide to us as part of your enquiry, complaint or feedback.
We may ask you to provide additional personal information if it is necessary for this purpose.
Source of personal data
We will process the personal data that you provide us with in order to respond to your enquiry.
Retention period
We will retain any information you provide for up to 7 years after receiving it.
Recipients of the data
Our email service is provided by Microsoft Office 365. Enquiries, complaints and feedback submitted by email are processed within Microsoft Office 365. For more information, please see Microsoft's privacy policy.
We use a third-party, Salesforce, as our customer relationship management (CRM) platform. For more information see Salesforce’s privacy notice.
Our telephone system is provided by a third party, Cirrus. For more information see Cirrus’s privacy policy.
We use a third-party, Squiz, to host our external website content management system (CMS). For more information see Squiz’s privacy policy.
Will the data be transferred outside the UK or EEA?
No.
Your rights in relation to this data
For processing that is necessary for performance of a contract or for undertaking steps necessary for entering into a contract you have the right to:
- Access
- correction
- restriction on processing
- portability.
Public task:
- Access
- correction
- restriction on processing
- objection.
Is it obligatory to supply this data and what are the consequences of not supplying the data?
No, supplying personal data for purpose is optional. However, if you choose not to provide your data for this purpose, we will not be able to respond to your enquiry, feedback or complaint.
Will the data be used in automated decision making?
Communications to or from Registers of Scotland by telephone may be automatically logged, monitored and/or recorded for lawful purposes.
Purpose of processing
If you agree to take part in our research or testing, we will collect and use your personal information for research purposes to improve our products and services.
Lawful basis of processing
We will process your personal data for this purpose based on your consent.
Categories of personal data
This will include collection and use of your personal details, identifiers, opinions and any other personal data contained in user experience recordings.
Source of personal data
We will process the personal data that you provide us with.
Retention period
We keep the personal data from the sessions for two years after the end of the project, and your contact details for as long as we have your consent to contact you.
Recipients of the data
This personal data will only be processed by RoS for this purpose.
Will the data be transferred outside the UK or EEA?
No.
Your rights in relation to this data
You can withdraw your consent to use your data for research activities at any time by contacting userresearch@ros.gov.uk.
Is it obligatory to supply this data and what are the consequences of not supplying the data?
No, supplying personal data for purpose is optional. However, if you choose not to provide your data for this purpose, you may not be able to participate in research and testing.
Will the data be used in automated decision making?
No.
Purpose of processing
If you apply to work for or with us, whether as an employee, advisor or consultant, we will process your personal information for the purpose of recruitment, and in anticipation of entering into a contract with you.
If you leave employment at RoS, we will continue to process your personal information to end your contract with us, to fulfil any outstanding obligations we have as your former employer, and to meet our statutory obligations.
Lawful basis of processing
Processing of this data is necessary for performance of a contract or for undertaking steps necessary for entering into a contract.
Categories of personal data
This will include collection and use of your personal details, financial information, health information, and information relating to your performance, attendance and activity at work.
Source of personal data
Personal data will be collected as part of the recruitment process either from you directly or via an agency involved in the recruitment process.
Retention period
If you are unsuccessful, we will retain your information for two years before destroying it, in line with Civil Service recruitment principles.
Employee information is held only for as long as is necessary and in line with our HR Personnel Retention Framework.
Recipients of the data
We use a third-party recruitment and onboarding system provided by Cornerstone. For more information, please see Cornerstone’s privacy notice.
We use a third-party, McAdam King, to carry out assessments as part of our recruitment process. For more information, please see McAdam King’s privacy notice.
We use a third-party, Amiqus, to carry out right to work and reference checks as part of the pre-employment process. For more information, please see Amiqus’s privacy notice.
Will the data be transferred outside the UK or EEA?
No.
Your rights in relation to this data
For processing that is necessary for performance of a contract or for undertaking steps necessary for entering into a contract you have the right to:
- Access
- correction
- restriction on processing
- portability.
Is it obligatory to supply this data and what are the consequences of not supplying the data?
Yes, certain categories of personal data must be supplied for these purposes and if you do not supply this personal data, you may not be able to work for RoS.
Will the data be used in automated decision making?
No.
Purpose of processing
If you are part of our supply chain, we will process your personal information for the purpose of procuring and consuming goods and services, and to fulfil our contract with you.
We will collect and use the personal data of anyone providing a service on one of our sites (such as cleaning staff and security guards) for health and safety purposes so that we know who is in our buildings.
Lawful basis of processing
Processing of this data is necessary for performance of a contract or for undertaking steps necessary for entering into a contract.
Categories of personal data
This may include your personal contact information and information required for you to supply products and services to us.
Source of personal data
As part of the procurement process, we gather the necessary information from suppliers. On occasion this happens through a third-party reseller.
Retention period
We keep this data for 7 years after the end of the financial year.
Recipients of the data
Where necessary for the same purpose we may share this information with other suppliers and service providers, or with our customers.
We share supplier payment data with the National Fraud Initiative (NFI). We do this for fraud prevention and detection in the public interest. Find out more about the NFI and its privacy notice.
We use a third-party cloud service, ServiceNow, to store and manage our contract information. For more information see ServiceNows’s privacy notice.
We use a third-party cloud service, Docusign, to facilitate electronic signatures on contracts. For more information see Docusign’s privacy notice.
Will the data be transferred outside the UK or EEA?
No.
Your rights in relation to this data
For processing that is necessary for performance of a contract or for undertaking steps necessary for entering into a contract you have the right to:
- Access
- correction
- restriction on processing
- portability.
Is it obligatory to supply this data and what are the consequences of not supplying the data?
Yes, supplying this information is obligatory. You cannot enter into a contract with us without supplying this information.
Will the data be used in automated decision making?
No.