Privacy Policy for Suppliers

What information do we hold about you and why?

Becoming a supplier or responding to a tender

When a prospective supplier submits information in response to an invitation to tender or request for quotation, we will collect the following information from you (which is likely to include personal data of the supplier, particularly if they are a sole trader, or the personal data of its directors, representatives or staff):

  • The supplier’s full name and address – to contact the supplier in relation to the tender submission or quotation.
  • The supplier’s contact details (including telephone numbers and email address) – to contact the supplier about the submission or quotation.

It is necessary to process this information for the purposes of evaluating submissions to tenders. Our legal ground in relation to this processing is contract, in that the processing is necessary because you have asked us to consider your response in relation to a tender or quotation exercise.

When responding to a tender exercise with a value of more than £10,000, we will also ask for information about:

  • Whether the supplier, its directors or any other person(s) having powers of representation, decision or control of the supplier have been convicted of any of the offences listed in the invitation to tender (including conspiracy; an offence under sections 28 or 30 of the Criminal Justice and Licensing (Scotland) Act 2010; corruption; bribery; incitement to commit a crime; fraud; money laundering).

It is necessary to process this information for the purposes of meeting our fiduciary duty to safeguard charitable assets, as outlined in the Charities and Trustee Investment (Scotland) Act 2005. To do this, we manage our procurement processes in line with regulatory best practice, including the Procurement (Scotland) Regulations 2016.

To process information about criminal convictions and offences we must also meet a specific condition in Schedule 1 of the Data Protection Act 2018 (2018 Act) and comply with the additional safeguards set out in that Act.

The relevant condition in relation to this processing is Schedule 1, Part 2, Paragraph 12 of the 2018 Act, in that the processing is necessary for the purposes of complying with a regulatory requirement which involves the Trust taking steps to establish whether a prospective supplier has committed an unlawful act, or been involved in dishonesty, malpractice or other seriously improper conduct where this is necessary for reasons of substantial public interest. As a charitable body, the Trust considers this processing to be in the substantial public interest when evidencing its fiduciary duty to safeguard charitable assets.

Successful tenders

If you are successful, we will use your contact details for the purposes of managing our contract with you. We will also collect the following information (which will include personal data if the supplier is a sole trader):

  • The supplier’s bank details – to process payments in relation to the contract.
  • The supplier’s insurance details – to assess whether suitable insurance provisions are in place.

It is necessary to process this information to fulfil our contractual obligations to you and to meet our legal obligation to safeguard our charitable assets, as outlined in the Charities and Trustee Investment (Scotland) Act 2005. In doing so we follow best practice procurement guidelines, including those outlined in the Procurement (Scotland) Regulations 2016.

We will retain your information for 6 years after the contract expiry, in line with our Records Retention and Management Policy. We will not share your personal data with any third parties unless we are conducting a joint procurement exercise with another organisation. When this applies, we will inform you in the invitation to tender.

Unsuccessful tenders

If your tender submission is unsuccessful, your information will be securely destroyed 1 year after the tender exercise has been completed, in line with our Records Retention and Management Policy. We will not share your personal data with any third parties unless we are conducting a joint procurement exercise with another organisation. When this applies, we will inform you in the invitation to tender.

New suppliers outwith the tender process

If you are a new supplier, appointed outwith the tender process, we will use your contact details for the purposes of managing our contract with you. We will also collect the following information (which will include personal data if the supplier is a sole trader):

  • The supplier’s bank details – to process payments in relation to the contract.
  • The supplier’s insurance details – to assess whether suitable insurance provisions are in place.

It is necessary to process this information to fulfil our contractual obligations to you and to meet our legal obligation to safeguard our charitable assets, as outlined in the Charities and Trustee Investment (Scotland) Act 2005. In doing so we follow best practice procurement guidelines, including those outlined in the Procurement (Scotland) Regulations 2016.

We will retain your information for 6 years after the contract expiry or 6 years from the end of the financial year in which the final goods or services are provided by you, in line with our Records Retention and Management Policy.

Who will have access to your data and who will we share it with?

The following Trust employees and volunteers will have access to your personal data:

  • Employees and volunteers who require the contact details to request a product or service from the successful tenderer. This data will be limited to name, telephone number, email address and postal address only.

The successful suppliers’ bank details are stored on a supplier payment system to allow for BACS payments to be made. Only employees responsible for processing such payments will have access to this data. The supplier payment system is hosted by Microsoft and the data held within the system is held within the European Economic Area (EEA)*. The Trust has a contract in place with Microsoft which governs the processing of this data and requires Microsoft to act only on our instructions and not to process the data for any other purpose.

*The EEA countries are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Norway and Liechtenstein.