
How we handle personal data you provide us for procurement processes at the Welsh Revenue Authority (WRA).

We manage procurement activities to undertake our public task. Procurement activities could include:

  • tenders or requests for quotes
  • evaluations or selection
  • contract award
  • contract management

Personal information that you, organisations and suppliers submit to us during a procurement activity could be communicated to us by:

  • Sell2Wales
  • eProcurement tools
  • email
  • paper
  • verbally
  • other ways not listed above

Personal data we hold

Personal information submitted as part of the procurement process may include:

  • name
  • home or business address and postcode
  • email address
  • driving licence number
  • passport or ID card number
  • photograph
  • personal financial information
  • National Insurance number
  • tax, benefits or pension records
  • employment records (including self-employed and voluntary work)
  • educational record
  • criminal and court records (including alleged offences)

Data controller

We'll be the data controller for any personal data you provide about your:

  • tender
  • quote
  • contract management activities with the WRA

This includes invoicing, payments and debt management.

Lawful basis for processing data

Before any contract is let, the personal information provided as part of a tender will be processed with the specific consent of the person whose information is contained in that tender, under UK GDPR Article 6(1)(a).

Suppliers will need to complete a consent declaration upon return of a quotation or tender. You can change your consent at any time. Any personal information covered by your consent will be removed from the information we hold.

For any contract that’s let, the processing of personal information will be deemed necessary for the performance of that contract, under UK GDPR Article 6(1)(b).

Sharing your data

During the whole procurement process, we may share the data you provide with fraud prevention agencies. They may use this information, including any personal data, to prevent fraud, money laundering and to verify your identity.

We may also enable law enforcement agencies to access and use your data to detect, investigate and prevent crime. Fraud prevention agencies can hold your personal data for different periods, depending on use. You can contact them for more information.

If we or a fraud prevention agency determine that you pose a fraud or money laundering risk, we may:

  • refuse to award a contract you applied for
  • suspend a contract
  • end an existing contract with you

Fraud prevention agencies will keep a record of any fraud or money laundering risk. Others may then refuse to provide you with services, financing, contracts or employment.

We may share data about payments made to successful contractors in line with guidance prepared by HM Treasury.

We may share data for collaborative procurements (for example, by the National Procurement Service) to:

  • undertake tender evaluation
  • allow Welsh public sector organisations to undertake purchasing requirements under existing contractual arrangements

Examples where we might do this

  • A catalogue of products or services where the account managers’ details are provided.
  • For services accreditations.
  • Training of an individual who may be used to complete a project or deliver a service.

Organisations included are:

  • government departments
  • local authorities (including schools)
  • health authorities and associated bodies
  • police
  • fire and rescue service
  • higher and further education bodies
  • sponsored bodies (such as Natural Resources Wales)
  • other public and charitable organisations that have access to WRA collaborative procurements

We also input or share information into Microsoft Dynamics 365, our enterprise resource planning tool.

Data security

We collect and store data and information about an individual and their agent securely. We'll only pass this on to other parties where it’s lawful to do so and via controls which:

  • require an identified purpose
  • ensure that data and information are transmitted to those parties securely

How long we keep personal information

We keep personal information contained in files in line with our retention policy.

Your personal data may be kept for between 5 and 20 years after the contract or framework end date.

This retention includes:

  • call-off contracts under framework or master services agreements (MSA) which may continue beyond the end date and all payments have been made
  • financial data that we may need to keep for 7 years
  • an unsuccessful tender, quotation, or expression of interest that contains your details for 6 years after the contract or framework end date, for audit purposes

Your rights

Under the data protection legislation, you have the right to:

  • access data we hold about you
  • require us to correct inaccuracies in that data
  • complain to the Information Commissioner’s Office (ICO) who is the independent regulator for data protection

In certain circumstances, you also have the right:

  • to object to or restrict data processing
  • for your data to be erased

Contacts for information and complaints

For further details about the information we hold and its use, or if you want to exercise your rights under the UK GDPR, see contact details.

Data Protection Officer

Welsh Revenue Authority
PO Box 108
Merthyr Tydfil
CF47 7DL

Rydym yn croesawu gohebiaeth yn Gymraeg / We welcome correspondence in Welsh.

On 3 April 2023, our postal address changed to: Welsh Revenue Authority, PO Box 108, Merthyr Tydfil, CF47 7DL.

We recommend using our online contact form to send us correspondence. If you have any questions, contact us.

Information Commissioner’s Office Wales

Churchill House
17 Churchill Way
Cardiff
CF10 2HH

Telephone: 029 2067 8400 / 0303 123 1113

Changes to this privacy notice

We keep our privacy notices under regular review. If we make changes to this notice, we’ll amend the date on this page.