Guidance

Help to Grow: Digital – vendor privacy notice

Updated 25 February 2022

Logo - Help to Grow: Digital

This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).

This notice relates to data collected under the Help to Grow: Digital scheme run by the UK government Department for Business, Energy and Industrial Strategy (BEIS).

The Help to Grow: Digital scheme is funded by BEIS and administered by PwC. BEIS is the data controller and PwC is the data processor. The parties listed in the what we do with your data will also be data processors for the scheme.

References to ‘we’ and ‘our’ in this privacy policy mean BEIS and the scheme administrator, (as applicable). Any references in this privacy policy to ‘you’ or ‘your’ means the scheme vendor participant.

This notice was last updated on 25 February 2022.

Your data

The data we collect

We will process the following personal data.

Contact details for the:

  1. applicant
  2. primary or authorised contact
  3. secondary contact

This will include:

  • full name
  • position in company
  • email address
  • phone number

The following company information will also be requested:

  • registered company number
  • registered company name
  • registered company address

Purpose

The purpose(s) for which we are processing your personal data is to carry out checks to determine if you’re eligible to take part in the Help to Grow: Digital scheme.

These checks may include (but are not limited to):

  • eligibility
  • fraud
  • credit
  • sanctions

We may use your data for monitoring and evaluation purposes, and to contact you to inform you of any future scheme updates.

Your data may also be used for statistical research and where it’s necessary for the purposes of the prevention, investigation, detection or prosecution of criminal offences including fraud.

The legal basis for processing your personal data is:

Public Task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in BEIS. In this case, to conduct checks to assess your eligibility for the scheme and to contact you regarding any future Help to Grow: Digital scheme updates.

What we do with your data

Your personal data will be shared by us with:

  • any government department involved in the Help to Grow: Digital initiative and their delivery partners
  • designated parties to compare it against other information to help combat fraud and crime
  • the scheme administrator, PwC, for the administration of the Help to Grow: Digital scheme
  • our technical suppliers Foundry4 Ltd and Veracity
  • BEIS monitoring and evaluation partners - RSM PACEC, in partnership with Behavioural Insights Team and Nesta
  • Matt Hamnett & Associates (MH+A) Ltd for support purposes
  • BEIS marketing and communications delivery partners

As your personal data will be stored on our IT infrastructure it will also be shared with our data processors Microsoft and Amazon Web Services. The Atlassian tool, Jira, will be used as a case management system to handle vendor queries.

Sources of your personal data

The government’s online automated due-diligence tool, Spotlight, will be used to conduct vendor eligibility checks.

How long we keep your data

Your personal data will be kept by us for the duration of the Help to Grow: Digital scheme, plus an additional 12 months.

The scheme will run for 3 years (until 2024) and the delivery partner services will be retained for an additional 12 months.

Data held for monitoring and evaluation purposes will be held until the end of the relevant contracts, currently scheduled until March 2025 unless extended. If extended, data held under evaluation partner contracts will be held for 9 to 12 months after the programme ends. The purpose of data storage is for evaluation purposes, such as to contact vendors for research, and to explore linking vendor data to SME level data to understand whether the programme achieved its objectives. The evaluation partners are required to be UK GDPR compliant.

How we protect your data and keep it secure

We are committed to doing what is necessary to keep your personal data secure. BEIS and the scheme administrator have set up systems and processes to prevent the unauthorised access to, loss of, or disclosure of your personal data.

BEIS and the scheme administrator enter into contractual agreements with any third-parties processing personal data on their behalf. This ensures that both parties understand their obligations, responsibilities, and liabilities under the UK General Data Protection Regulation (UK GDPR).

Please note that when transmitting information over the internet, no transmission is completely secure. We therefore cannot guarantee the security of any information that you transfer over the internet to us.

Your rights

You have the right to request:

  • information about how your personal data are processed, and to request a copy of that personal data
  • that any inaccuracies in your personal data are rectified without delay
  • that any incomplete personal data are completed, including by means of a supplementary statement
  • that your personal data are erased if there is no longer a justification for them to be processed
  • in certain circumstances (for example, where accuracy is contested) that the processing of your personal data is restricted

You also have the right to:

  • object to the processing of your personal data where it is processed for direct marketing purposes
  • request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format
  • withdraw consent to the processing of your personal data at any time

If you wish to withdraw your consent, please contact: vendors.helptogrow@beis.gov.uk.

International transfers

The scheme administrator and supporting service providers will process your personal data to the extent possible in the UK or the European Economic Area (EEA). Your personal data will be retained on servers located in the UK.

However, some processing activities will require authorised personnel of the scheme administrator, and certain of its service providers, who are located in the US to access personal data stored in the UK in order to support scheme delivery. All processing that takes place outside the UK/ EEA will be protected by Data Protection Agreements that include appropriate safeguards designed to protect international data transfers in line with the requirements of the EU GDPR, UK GDPR and the DPA, unless the transfer is to an ‘adequate territory’. If you would like to obtain a copy of the applicable safeguards, please contact the scheme administrator as indicated below.

In addition, as your personal data is stored on our IT infrastructure, and shared with our data processors, Microsoft, Amazon Web Services and Jira, it may be transferred and stored securely outside the UK and EEA. Where that is the case it will be subject to equivalent legal protection through the use of model contract clauses.

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
Email: casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Contact details

The data controller for your personal data is the Department for Business, Energy and Industrial Strategy (BEIS).

You can contact the BEIS Data Protection Officer at:

BEIS Data Protection Officer
Department for Business, Energy and Industrial Strategy
1 Victoria Street
London
SW1H 0ET
Email: dataprotection@beis.gov.uk