Procurement privacy notice
Information collected from you
The council collects and processes a range of information about suppliers, contractors, potential suppliers and contractors, companies and individuals, including:
- identity Data such as first name, maiden name, surname, title, nationality and country of residence, date of birth;
- contact Data such as email address and telephone numbers;
- special Category such as details of any convictions;
- communications Data such as your communications with us and any council used third parties including registration of services, complaints and compliments;
- company data such as registration number, immediate parent/ultimate parent company, address, trading status, details of persons of significant control.
Different methods are used to collect data from and about you including via:
Direct interactions. You may provide your identity, contact and financial data by filling in forms or by corresponding with us via the council’s e-Sourcing portal, post, telephone, email or otherwise. This includes personal data you provide when you:
• tender or correspond via the e-Sourcing portal;
• provide feedback;
• respond to queries, clarifications or complaints.
Purposes for which your personal data will be used
Table 1 contains a description of all the ways the council plans to use your personal data and which of the legal bases are relied on to do so. Legitimate interests are also identified where appropriate.
Note that your personal data may be processed for more than one lawful ground depending on the specific purpose for which it is being used. Please email data.protection@surreyheath.gov.uk (link sends email) if you need details about the specific legal ground being relied on to process your personal data where more than one ground has been set out.
| Purpose/activity | Type of data | Lawful basis for processing |
|---|---|---|
| To register you as a new supplier | As detailed above | Necessary for our public task Performance of a contract with you Consent |
| To respond to queries, complaints and compliments |
(a) identity (b) contact (c) communication |
Necessary for our public task |
| To ascertain the suitability of your company or companies controlled by you prior to contract award in accordance with the Public Contract Regulations 2015 | As detailed above | Necessary for our public task |
Sharing your data
Your personal data may have to be share with the parties set out below for the purposes outlined in Table 1.
- Specific third parties including:
- Other third parties to whom we may choose to transfer, or merge parts of our service or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
- Other council departments.
- Consultants assisting the council with the Procurement.
- His Majesty’s Revenue and Customs (HMRC)
- Cabinet office.
- Legal representatives of other parties in case of any challenges; all third parties are required to respect the security of your personal data and to treat it in accordance with the law.
Where your information is shared, it will only be done so when your consent has been obtained in writing or when it is required for additional legal reasons.
All third parties are expected to respect the security of your personal data and to treat it in accordance with the law. Third-party service providers are not permitted to use your personal data for their own purposes and are only permitted to process your personal data for specified purposes and in accordance with council instructions. Only ever is the minimum information shared.
Transferring data outside of the EEA
Your personal data is not transferred outside the European Economic Area (EEA) by the council or any of its third parties.
Data security
Appropriate security measures have been implemented to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, access to your personal data is limited to employees, agents, contractors and other third parties who have a need to know; they will only process your personal data on council instructions and they are subject to a duty of confidentiality.
Data breaches
Procedures are in place to deal with any suspected personal data breach and you will be notified of any applicable regulator of a breach when legally required to do so.
Data retention
Your personal data is only retained for as long as necessary to fulfil the purposes it is collected for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, the amount, nature, any applicable legal requirements and sensitivity of the personal data is considered together with the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which your personal data is processed and whether those purposes can be achieved via other means.
In some circumstances you can ask for your data to be deleted, see the individual rights procedure.
In some circumstances your personal data may be anonymised (disassociated from you) for research or statistical purposes, in which case the information may be used indefinitely without further notice to you.
Your rights with regards to data
Please see Your Legal Rights section of the Surrey Heath Borough Council Privacy Notice.