Welsh Revenue Authority procurement activity privacy notice.


This notice informs an individual or a business about the processing of their personal data by The Welsh Revenue Authority (WRA) and the lawful uses to which their data will be put, when they either:

  • submit tenders / request for quotes 
  • express an interest in a tender / quote
  • become a supplier to the WRA

The WRA will manage procurement activities to undertake its work. The procurement activities could include:

  • tenders / request for quotes
  • evaluations/selection
  • contract award
  • contract management

Personal information that individuals, organisations and suppliers submit to the WRA when responding to activities throughout the procurement process could be communicated to the WRA in a number of ways. This could include but may not be limited to: Sell2Wales, eProcurement tools, email, paper and verbally.

Which data will the WRA hold?

The personal information submitted as part of the procurement process, may include:

  • name
  • home / business address including postcode
  • email address
  • driving license number
  • passport /ID card number
  • photograph
  • personal financial information
  • National Insurance number
  • tax / benefits/pension records
  • employment records (including self-employed and voluntary work)
  • educational record
  • criminal and court records (including alleged offences).

Who is the data controller?

The WRA will be the data controller for any personal data you provide in relation to your tender, quote, contract management activities (including invoicing, payments and debt management).

What is the legal basis for the processing?

Ahead of any contract being let, the personal information provided as part of a tender will be processed with the specific consent of the individual(s) whose information is contained in that tender (GDPR Article 6(1)(a)). Suppliers will be required to complete a consent declaration upon return of quotation / tender. That consent may be revoked at any time, at which point any personal information covered by that consent will be removed from the information held by WRA.

For any contract that is let, the processing of personal information will be deemed necessary for the performance of that contract (GDPR Article 6(1)(b)).

How will the data held by the WRA be used?

The personal data and information held by the WRA will be used as part of the following procurement processes:

  • tenders / request for quotes
  • evaluations/selection
  • contract award
  • contract management

Wider data sharing of the data and information held by the WRA

During the procurement process, the WRA may share the data you provide with fraud prevention agencies, who may use this information, including any personal data, to prevent fraud and money laundering, and to verify your identity. We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime. Fraud prevention agencies can hold your personal data for different periods of time, depending on how that data is being used. Please contact them for more information.

If the WRA, or a fraud prevention agency, determines that you pose a fraud or money laundering risk, we may refuse to award a contract you applied for, or we may suspend or terminate an existing contact with you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing, awarding contracts or providing employment to you.

The WRA may share data in relation to payments made to successful contractors in line with guidance prepared by HM Treasury.

Data may be shared by the WRA in relation to collaborative procurements (for example by the National Procurement Service) to undertake tender evaluation, or to allow Welsh public sector organisations to undertake purchasing requirements under existing contractual arrangements. An example of this may be a catalogue of products or services where the account managers’ details are provided or for services accreditations / training etc of an individual who may be used to complete a project or deliver a service.

The organisations included are:

  • government departments
  • local authorities (including schools)
  • health authorities and associated bodies
  • Police
  • Fire & Rescue
  • Higher and further education bodies
  • sponsored bodies (such as Natural Resources Wales)
  • other public and charitable organisations that have access to WRA collaborative procurements

In addition, information will be shared and or input into the WRA Enterprise Resource Planning tool Dynamics365.

Security arrangements for the data held by the WRA

The WRA will collect and store data and information about an individual and their agent securely. WRA will only pass this data and information to other parties where it is lawful to do so and via controls which:

  • require an identified purpose, and
  • ensure that data and information are transmitted to those parties securely.

How long will the WRA retain the personal information it holds?

We will keep personal information contained in files in line with our retention policy, which is available from the WRA’s website. Your personal data may be kept for between 5 and 20 years (depending on the contract) after the Contract / Framework end date, (this includes call-off contracts under Framework / Master Services Agreements (MSA) which may continue beyond the Framework / MSA end date) and all payments have been made. Financial data may be required to be retained for 7 years. If you are unsuccessful with respect to a tender, or quotation, or expression of interest, your details may be kept for 6 years after the Contract / Framework end date for which you provided them, for audit purposes.

An individual’s rights

Under the data protection legislation, you have the right:

  • to access the personal data the WRA holds on you
  • require us to rectify inaccuracies in that data
  • to (in certain circumstances) object to or restrict processing
  • for (in certain circumstances) your data to be ‘erased’
  • to lodge a complaint with the Information Commissioner’s Office (ICO) who is the independent regulator for data protection

Contact points for information and complaints

For further details about the information the WRA holds and its use, or if you want to exercise your rights under the GDPR, please see contact details below:

Data Protection Officer    
Welsh Revenue Authority
PO Box 110 
CF37 9EH 
Email: data@wra.gov.wales 
Web: beta.gov.wales/wra 

The contact details for the Information Commissioner’s Office are: 

Information Commissioner’s Office (Wales) 
Churchill House 
17 Churchill Way 
CF10 2HH 
Tel: 029 2067 8400 / 0303 123 1113 
Email: casework@ico.org.uk 
Web: ico.org.uk