Crown Commercial Service privacy notice
Updated 22 May 2024
Your data
This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR) which specify what individuals have the right to be informed about.
Purpose
The purpose(s) for which we are processing your personal data is:
Activity | Purpose |
---|---|
Contact us | To enable Crown Commercial Service to route messages to the relevant team, and to respond to your queries. Contact us call recordings are used to quality assure inbound calls and to help train our staff. |
Third Party Verifications | To allow verification of information such as registered address, previous company names, directors’ details, accounts, annual returns and company reports, or to make assessments on credit, risk, marketing or sales. Third party sources used include (but are not limited to) information which is available on Companies House, Charity Commission and other charity registers. |
Net Promoter Score (NPS) User Research | To capture your feedback on our and our suppliers’ service, including Net Promoter Score survey. This feedback helps us identify areas for improvement. |
Procurement Supplier Questionnaire (SQ) | To allow you to buy from a Crown Commercial Service route to market. To allow you to supply to a Crown Commercial Service route to market. To analyse framework utilisation. To charge a levy. To perform spend analytics. To produce Data Insight and Management Information (MI) on buyer, supplier and operational performance. To perform due diligence on government suppliers. To publish public sector contracts on publicly accessible websites. |
Marketing | To capture your marketing preferences. To send you marketing information, such as newsletters and surveys. To capture website traffic statistics. |
Training, Webinars and Virtual Meetings | To provide video conference webinars. To manage and analyse attendance of those webinars. To provide training both internally and for users of CCS services. Webinars may be recorded and posted onto publicly accessible webpages. |
Modern Slavery Assessment Tool (MSAT) | To provide access to the Modern Slavery Assessment Tool, which captures supply chain information and processes, and makes recommendations for improvements. |
To conduct data matching exercises for the purposes of the prevention and detection of fraud | To verify companies with which Crown Commercial Service has a business relationship are still active and trading, and that bank account details provided are valid. |
Provision of a route to report fraud, bribery or corruption | To capture information on potential fraud, bribery or corruption for investigation. |
Health Assurance | To capture, in collaboration with NHS Procurement, information and pre-employment checks for a pool of health care staff for employment at health care bodies and NHS Trusts. |
Your data
We will process the following personal data:
Activity | Data |
---|---|
Contacting us Net Promoter Score (NPS) User Research Procurement Marketing Training, Webinars and Virtual Meetings MSAT | Name; Email address; Address; Telephone number; Job Title; Organisation; Dun & Bradstreet Data Universal Numbering System (DUNS number); IP Address of website visitors; Contact us call recordings; Contact details of contract publisher; Contact details of contract awardee; Contact details of review and mediation bodies |
Supplier Questionnaire | Company Registration Number; Charity Registration Number; VAT Number; Professional Trade Registration Numbers; Person of Significant Control (PSC) name; PSC Addresses; PSC Nationality; PSC Criminal Conviction Check (date and nature of conviction) |
User Research, Training, Webinars and Virtual Meetings | Video or Audio recordings of individuals including staff, customers, suppliers and the public |
Procurement | Bank account numbers; e-Payment card details |
Marketing | Social Media usernames |
Prevention and Detection of Fraud | Reference Number (Customer ID); Bank Sort Code; Bank Account Number; Company Name; Company Registration Number; Company Address, County and Postcode; Dates at which to check if company was active; Proprietor Forename and Surname; Proprietor Date of Birth; Data sets as described by the National Fraud Initiative service in the Cabinet Office data public sector data specifications |
Health Assurance | Employee information to NHS Employers CHECK standards which includes special category personal data. |
Legal basis of processing
The legal basis for processing your personal data is:
Activity | Legal Basis |
---|---|
Contacting us Net Promoter Score (NPS) Marketing MSAT SQ Health Assurance Prevention and Detection of Fraud | For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The Statutory Instrument 2009 No.81 sets out the Crown Commercial Service official authority: the procurement of goods and services for the public sector, and tasks incidental to this, such as promoting new services and incidental information to existing services to public sector buyers. |
Procurement | It is necessary for the performance of, or to enter into, a contract to which you are a party. For example, where we hold your contact details in relation to a business matter, it will be based on the contract you have with your employer. For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The Statutory Instrument 2009 No.81 sets out the Crown Commercial Service official authority: the procurement of goods and services for the public sector, and tasks incidental to this, such as promoting new services and incidental information to existing services to public sector buyers. |
User Research, Training, Webinars and Virtual Meetings, Contact us phone call recordings | Because you consent to us doing so |
Sensitive (special category) personal data:
- Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The legal bases for processing your sensitive personal data are:
- UK GDPR Article 6(1)(a), and Article 9(2)(a): The data subject has given explicit consent.
- UK GDPR Article 6(1)(e): For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The Statutory Instrument 2009 No.81 sets out the Crown Commercial Service official authority: the procurement of goods and services for the public sector, and tasks incidental to this, such as promoting new services and incidental information to existing services to public sector buyers.
- UK GDPR Article 9(2)(g): The processing is necessary for reasons of substantial public interest, on the basis of domestic law and shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Criminal convictions personal data:
- The processing by us of personal data relating to criminal convictions and offences or related security measures is carried out only under official authority.
The legal bases for the processing by us of personal data relating to criminal convictions and offences or related security measures are:
- UK GDPR Article 6(1)(e): which permits processing where necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- UK GDPR Article 9(2)(g): the processing is necessary for reasons of substantial public interest.
- Data Protection Act 2018 Schedule 2(1)(2) Crime and Taxation.
Recipients
Activity | Recipient |
---|---|
All Activities | As your personal data will be stored on our IT infrastructure it may be shared with our data processors who provide email, document management and storage services. Your data may also be shared with one of our IT suppliers. These include: customer relationship management software suppliers; procurement software providers; supplier registration system providers; travel, venue and hotel booking systems; social media systems; email marketing systems; video conferencing, and ticketing systems; feedback and survey systems; management information systems; e-marketplace systems; finance and forecasting systems; energy management and forecasting systems; call recording systems |
Procurement | Framework suppliers, in the case that you are buying from that framework. Potential buyers, by listing framework supplier contact information on the publicly accessible purchasing websites. Public Sector contract opportunities are published on a publicly accessible website. |
MSAT | Data is shared as required with Cabinet Office and Home Office |
Prevention and Detection of Fraud | Data sets as described by the National Fraud Initiative service. Details are in the National Fraud Initiative privacy notice. |
Counter Fraud Bribery and Corruption | Where we are required by legislation the information will be shared with appropriate bodies |
Health Assurance | Data is shared with the NHS Workforce Alliance |
Where personal data have not been obtained directly from you
It will have been obtained from your employer.
It will have been obtained from an organiser of an event you attended.
It will be obtained from external publicly available sources.
We periodically purchase public sector mailing lists of corporate subscribers only. Where we engage in email marketing to businesses we will ask for your marketing preferences, and give you an easy way to opt out.
Retention
Activity | Retention Schedule |
---|---|
General Enquiry details | 3 years |
Complaint information | 3 years |
NPS data | 3 years |
User Research data | 3 years |
Procurement, SQ & MSAT | 7 years |
Marketing | 3 years |
Webinar | 3 years |
Contact us call recording | 1 month |
Prevention and detection of fraud | 6 years after legal proceedings are completed |
Counter Fraud Bribery and Corruption | 3 years for whistleblowing; 3 years for fraud investigation reports and working papers |
Health Assurance | 7 years |
Irrespective of these retention periods, where appropriate, personal data will be anonymised or deleted as soon as practically possible.
Automated decision making
Your personal data will not be subject to automated decision making, except in some cases to deliver targeted marketing information, for example a newsletter in relation to a framework you are part of.
Your rights
You have the right to request information about how your personal data are processed, and to request a copy of that personal data.
You have the right to request that any inaccuracies in your personal data are rectified without delay.
You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
You have the right to object to the processing of your personal data where it is processed for direct marketing purposes.
You have the right to object to the processing of your personal data.
In relation to video or audio recordings:
You have the right to withdraw consent to the processing of your personal data at any time.
In relation to all activities other than Marketing and Net Promoter Score (NPS):
You have the right to request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format.
In relation to automated profiling of your data for marketing purposes:
You have the right, in relation to automatic profiling, to obtain human intervention in the outcome, to express your point of view, and to contest the decision reached by automatic profiling.
International transfers
Activity | Transfer |
---|---|
Document storage and management | Non-EEA. The supplier uses model contract clauses |
Other IT Suppliers | Where data is held outside the UK it will be subject to equivalent legal protection through an adequacy decision or the use of Standard Contractual Clauses or International Data Transfer Agreements. |
Questions and Complaints
Contact Crown Commercial Service if you:
- have any questions
- think that your personal data has been misused or mishandled
- want to make a data subject request
Email: gdprgeneralenquiries@crowncommercial.gov.uk
The data controller for Crown Commercial Service is the Cabinet Office – a data controller determines how and why personal data is processed.
The contact details for the Data Protection Officer are:
Data Protection Officer
Cabinet Office
70 Whitehall
London
SW1A 2AS
Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Email: casework@ico.org.uk
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.