Corporate Procurement

We collect and process personal data relating to those involved in the procurement process in order to carry out a suitability and due diligence assessment. We are committed to being transparent about how we collect and use this data and meeting our data protection obligations.

What information do we collect?

We collect and process a range of information about suppliers, contractors, potential suppliers and contractors, companies and individuals. This includes:

  • name, address and contact details, including email address and telephone number;
  • date of birth;
  • nationality and country of residence;
  • details of any conviction.

The information is collected in a variety of ways. For example, data is collected through quote and tender submissions and correspondence with you using the Council's online e-Sourcing portal, SE Shared Services.

Why do we process personal data?

The data is necessary to ascertain the suitability of the companies owned or controlled by you before progressing the procurement and awarding the contract in accordance with the Public Contract Regulations 2015.

Who has access to the Data?

Your information may be shared with the parties set out below for the purposes stated above:

  • Other Council departments
  • Consultants assisting the Council with the Procurement
  • National Fraud Initiative (NFI)
  • Her Majesty's Revenue and Customs (HMRC)
  • Cabinet Office
  • Legal representatives of other parties in case of any challenges

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. Our processors are not permitted to use your personal data for their own purposes and are only permitted to process your personal data for specified purposes and in accordance with our instructions and data protection laws. They are also obliged to implement appropriate technical and organisational measures to ensure the security of the data.

Your data will not be transferred to countries outside the European Economic Area.

How do we protect data?

We take the security of your data seriously. The organisation has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed and is not accessed except by its employees in the performance of their duties. Data will only be processed by members of staff authorised by us for this purpose. Access to Council systems is limited to members of the Corporate Procurement team and other service departments whose job role requires access to the personal data.

For how long do we keep data?

Your personal data, along with all the information submitted during the procurement exercise, is kept for a period of 3 years in accordance with the requirement outlined in the Procurement Regulations. If you are awarded the contract, your personal data along with all the tender information will form part of the contract and will be held for a period of 6 years (if executed underhand) or 12 years (if executed as a Deed) after the expiry of the Contract.

Your Rights

As a data subject, you have a number of rights. You can:

  • access and obtain a copy of your data on request (known as a subject access request)
  • require us to change incorrect or incomplete data
  • ask us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing. Where possible we will seek to comply with your request, but we may be required to hold or process information to comply with a legal requirement.
  • object to the processing of your personal data in certain circumstances. We may still be required to hold or process information if there are legitimate grounds for doing so.

You can make a subject access request by following the instructions for making a subject access request.

To contact us about any of your other data protection rights, please contact the Data Protection Officer.

If you believe that Runnymede Borough Council has not complied with your data protection rights, you should initially contact our Data Protection Officer and if dissatisfied with the outcome you can make a complaint to the Information Commissioner. You can find out further information on making a complaint to the Information Commissioner on their website