Suppliers Privacy Notice
This Privacy Notice outlines how Canterbury Christ Church University (the Data Controller) collects, uses, and protects personal data in relation to the procurement of goods and services.
This Privacy Notice outlines how Canterbury Christ Church University (the Data Controller) collects, uses, and protects personal data in relation to the procurement of goods and services. It applies to individuals and representatives of organisations who have supplied, or are in the process of supplying, goods or services to the University.
We are committed to handling your personal data responsibly and transparently, in accordance with the Data Protection Act 2018 and UK General Data Protection Regulations (GDPR) and any other relevant legislation. This notice is intended to ensure you are fully informed about how your personal information is used and the rights you have in relation to it.
You can access our Data Protection Policy here.
1. What personal information do we collect about you?
When you engage with the University in relation to the supply of goods and services, we collect and retain relevant personal data. This information is used for the purposes set out in Section 3 of this Privacy Notice.
We may process the following categories of personal data about you:
- Name
- Job title
- Address
- Telephone numbers
- E-mail address
- Details of any conflicts of interest.
If you participate in a procurement process, your details will be recorded and processed within the University’s designated e-tendering platform.
2. How do we collect your information?
The University may collect your personal data through a range of methods and sources, depending on your relationship with us and the nature of our interaction. We may collect your personal information:
- Directly from you – for example, through the University’s Supplier Evaluation Form.
- From third parties – for example, from the Cabinet Office through the Central Digital Platform.
- From publicly available sources – for example, from your companies website, contracts or other publicly available sources.
3. How do we use your personal data?
The University may process your personal data for the following purposes:
- To evaluate, award, manage, and administer any tenders, quotations, or expressions of interest you submit in relation to the supply of goods and services;
- Where a contract is awarded, to support the effective administration, performance, and monitoring of the contractual relationship;
- To carry out necessary due diligence checks, including financial, compliance, and reputational assessments, as part of our procurement procedures;
- To prevent and detect fraud, bribery, corruption, or other unlawful activities in accordance with the University's internal policies and legal obligations; and
- To comply with statutory and regulatory requirements, including those under the Procurement Act 2023, the Data Protection Act and UK GDPR 2018, and relevant financial and audit legislation.
4. The lawful basis we use to process your data
Data protection law sets out reasons for collecting and processing your personal data. In this section, we outline the legal bases the University uses.
We will be processing your data under:
- Article 6(1)(b) Contract "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
When you enter into a contract with us or show interest in entering into a contract with us, we will process your personal data under this legal basis. We do this in order to fulfil our contractual obligations.
We may need to process your data in order to ensure we are complying with our statutory obligations and legal requirements.
- Article 6(1)(c) Legal obligation "processing is necessary for compliance with a legal obligation to which the controller is subject"
If the law requires us to, we may need to collect and process your personal data. For example, we need to ensure we meet our statutory obligations including those related to the Cabinet Office.
We may also need to process your data under this legal basis to ensure we comply with anti-fraud, anti-money laundering and anti-bribery legislation, including the detection and reporting of suspected fraud or corrupt activity; for responding to lawful requests from regulatory bodies or law enforcement agencies such as the Police.
5. Who do we share your personal data with?
We may share your personal data with trusted third-party service providers who act as data processors on our behalf. These may include providers of IT systems, procurement platforms, due diligence tools, or audit services, all of whom support our operational and compliance obligations.
We may also disclose your personal data where necessary to comply with our legal obligations under the Procurement Act 2023, including transparency and reporting duties, or as required under the Data Protection Act 2018 and UK GDPR, and any other relevant legislation. This may involve sharing data with regulatory bodies, government departments, or law enforcement authorities where disclosure is legally mandated.
Whoever we share your information with, we will only share what is relevant and necessary to perform the specific task or to meet our legal obligations.
6. How long do we keep your personal data?
We retain personal data only for as long as is necessary to fulfil the purposes set out in this Privacy Notice, including to satisfy legal, regulatory, and contractual obligations. This includes our obligations under the Data Protection Act 2018 and UK GDPR and all applicable procurement legislation, including the Procurement Act 2023.
In relation to the supply of goods and services to the University, we retain personal data for the duration of the contract and for a period of six years thereafter, in line with our legal and statutory requirements for financial record keeping, auditing and procurement transparency. When identifiable records are no longer required for the purposes set out in this Privacy Notice, they are either anonymised or securely disposed of according to our Confidential Waste Policy.
7. How do we protect and store your personal information?
We are committed to safeguarding the personal data we processes and have robust internal policies and controls to prevent unauthorised access, accidental loss, destruction, misuse, or disclosure of personal data. Access to personal information is strictly limited to authorised University personnel who require it for the performance of their duties in connection with procurement and contract management.
We are Cyber Essentials accredited, demonstrating our commitment to implementing industry-recognised cybersecurity practices to protect against common online threats and ensure a secure IT environment.
Where personal data is shared with third-party processors in the course of delivering goods and services, such parties are contractually required to act solely on the University's instructions, to implement appropriate technical and organisational safeguards, and comply fully with the requirements of the Data Protection Act and UK GDPR 2018.
8. The data controller and further information
Canterbury Christ Church University is the Data Controller for this personal data.
Please click the link below to access further information regarding:
- The Data Controller
- The name and contact details of the University Data Protection Officer
- Where to make a complaint
- Your Rights as a Data Subject
- How to contact the Regulator
Version control
Title: Suppliers Privacy Notice
Process Owner: Director of Procurement
Department responsible: Finance Department
Date approved: 21/07/2025
Date of review: 21/07/2027
Date last amended: 21/07/2025