Data protection information notice for suppliers
Organisations usually act as data controllers with respect to some of the personal data provided by suppliers, and there is an obligation under data protection law to notify data subjects - that is, individuals whose personal data is being processed - about the parameters of that processing.
With the coming of the General Data Protection Regulation (GDPR) organisations across and indeed beyond the European Union are investing significant resources in improving their data protection compliance profiles, and we expect that information notices of this kind will become more common over the coming years.
This notice has been drafted to take into account both the GDPR, in both its EU and UK forms, and the associated regulatory guidance.Ask about this document
Data protection information notice for suppliers contents
- Introduction: commitment to privacy (suppliers); document applies to controlled personal data; data controller name.
- The personal data that we collect: introduction to categories; processing of contact data ; processing of communication data; processing of deliverables data (suppliers); processing of services data (suppliers); processing of usage data (software and IT systems); processing of other data; disclosure of third party personal data.
- Purposes of processing and legal bases: setting out purposes etc of personal data processing; processing for operations (suppliers); processing for communications (suppliers); processing for record keeping; processing for security; processing for insurance and risk management; processing for legal claims; processing for legal compliance and vital interests protection.
- Providing your personal data to others: intra-group disclosures of personal data; disclosure of personal data to insurers etc; disclosures of personal data to subcontractors; disclosure of personal data necessary for legal compliance etc.
- International transfers of your personal data: introduction to international personal data transfers; UK to EEA and EEA to UK personal data transfers; international transfers within business; international transfers to other recipients.
- Retaining and deleting personal data: data retention introduction; personal data retention default rule; personal data retention specific rules; personal data retention criteria; personal data deletion exception.
- Security of personal data: appropriate technical and organisational security measures; personal data stored on secure servers and computers; encrypted storage of personal data; unencrypted data sent over internet is insecure; password security (software and IT systems).
- Amendments: changes to document published on website; notification of changes to document.
- Your rights: introduction to data subject rights summaries; list of data subject rights; summary of right to access personal data; summary of right to rectification of personal data; summary of right to erasure of personal data; summary of right to restrict processing of personal data; summary of right to object to processing of personal data; summary of right to object to processing of personal data for direct marketing; summary of right to object to processing of personal data for research purposes; summary of right to personal data portability; summary of right to complain to data protection supervisory authority; summary of right to withdraw consent to personal data processing; exercise of data subject rights.
- Our details: legal name; company registration details; place of business; contact information.
- Representatives: identity and contact details of EU representative of data controller; identity and contact details of UK representative of data controller.
- Data protection officer: data protection officer contact details.