GDPR Privacy Notice
The Data Protection Act (DPA), Privacy and Electronic Communications Regulations (PECR) and most recently The General Data Protection Regulation (GDPR), are in place to control how your data is shared and mitigate it from being used irresponsibly. Combined, these rights cover the safeguarding of personal data, protection against the unlawful processing and the unrestricted movement of personal data within the EU.
Contracts Advance (CA) confirms that its GDPR data management policy has been implemented to ensure that any personal data provided to us, by any means, will never be sold, rented or otherwise distributed or made public without your express consent.
CA’s Policy Notice on personal data management can be seen below.
PERSONAL DATA MANAGEMENT
- Client Database Management
CA collects personal details from prospective and current clients. This data is collected through multiple channels such as telephone calls/contact forms and is stored on a CRM system. This third-party supplier is both GDPR and EU-U.S. Privacy Shield Framework compliant.
Personal data is also stored on the CA web application. All traffic (transferral of files) between the CA application and your web browser is encrypted using HTTPS and SSL connections. All company profiles are password protected.
All personal details which are processed by CA for business purposes and to deliver on contractual obligations (Art6(1)b) with CA clients.
- Contract and Framework data processing
CA gathers data from over 350 portals throughout the UK, Ireland and Europe. This data often includes personal details of the individual who is procuring the work on behalf of the contracting authority. Under GDPR this data is processed as legitimate business information (Art6(1)F). Furthermore, when published by the buyer, this data is made openly available for the purpose of providing information about the tender in question (e.g. to request documents). As a re-distributor of this data, we honour the original rationale for disclosing such information i.e. dissemination of openly sourced information on tenders and associated notices.
- Newsletter and information requests
Any requests for information through the CA marketing website are processed by MailChimp, a third party with email marketing service provider. Personal details are not stored within MailChimp, but rather, transferred into CA’s CRM.
Responses will be handled directly with the individuals who have requested information. Any personal details processed are done so under Art6(1)b in order to take steps at the request of the data subject prior to entering into a contract.
Personal details will only be processed in line with the original request for information.
Personal details – gathered, both pre-contract and during a contract, will remain within CA’s database and can be removed by request of the individual at any time. Email and phone correspondence pertinent to the contractual discussions and the subsequent contract itself will be maintained. Any additional marketing or newsletters from CA shall only be circulated if consent has been provided.
- The FOI Act and Personal data processing
Any personal data gathered and or processed, by CA, through a Freedom of Information (FOI) request will only be gathered through publicly accessible sources (public tender portals). CA confirms that it shall only process this data in the manner for which it was originally intended. This includes requesting information from the data subject which is required for the performance of a contract or to take steps to enter into a contract with the data subject. Data is only made available to clients of CA as a part of its contractual obligation to these clients (Art6(1)b). It should be noted that GDPR does not apply to information already in the public domain.
- Data breaches
CA will report any known unlawful data breaches of its database, or the database(s) of any third-party data processors to all relevant persons and authorities within 72 hours of the breach, if it is apparent that personal data stored in an identifiable manner has been compromised.
- Data requests
Any requests for information pertaining to an individual’s Personal Details, from CA, a form of identification must be provided. This identification could be provided in the following manner:
A copy of your driving licence, passport, birth certificate and a utility bill not older than three months. A minimum of one piece of photographic identification and a supporting request document is required.
If CA is dissatisfied with the quality, further information may be sought before releasing personal data. All requests should be made to the CA DPO (Alex Joiner) by email, firstname.lastname@example.org or by phone +44 (0) 75 25 85 27 42.
Should you wish to make a compliant about how your personal data is processed by CA or its partners, you have the right to complain to the company’s DPO (Alex Joiner) by email, email@example.com or by phone +44 (0) 75 25 85 27 42.