Privacy notice for suppliers

1st Jan 2020

This privacy notice tells you what to expect as a supplier regarding the personal information collected and processed by the Joseph Rowntree Foundation (JRF).

Key points

  • We typically use your personal information for purposes related to your relationship with Joseph Rowntree Foundation or Joseph Rowntree Housing Trust.
  • We might share your data with third parties, including third-party service providers.
  • We respect the security of your data and treat it in accordance with the law.
  • We may transfer your personal information outside the EU and, if we do, you can expect a similar degree of protection in respect of your personal information.


1 What is the Purpose of this privacy statement?

1.1 Under data protection legislation, Joseph Rowntree Foundation and Joseph Rowntree Housing Trust ("the Foundation") is required to explain to our suppliers why we collect information about you, how we intend to use that information and whether we will share your information with anyone else.

1.2 This statement applies to all current, prospective and former suppliers.

1.3 This statement does not form part of any license agreement or other contract to provide services. We may update this statement at any time.

1.4 It is important that you read this statement so that you know how and why we use information about you. It is also important that you inform us of any changes to your personal information during the time you are a supplier with us so that the information which we hold is accurate and current.

2 Who are we?

2.1 We are: Joseph Rowntree Foundation, a company limited by guarantee (12132713) and a registered charity (Scotland: SC049712; England and Wales: 1184957). Joseph Rowntree Housing Trust, a charitable housing association registered under the Co-operative and Community Benefit Societies Act 2014 (82009) and a registered Social Landlord with the Homes and Communities Agency (L0057). Both of The Homestead, Water End, Clifton, York, YO30 6WP.

2.2 The Foundation is a "data controller". This means that we are responsible for deciding how we hold and use personal information about you.

3 Our data protection officer

3.1 Our Data Protection Officer is responsible for overseeing what we do with your information and monitoring our compliance with data protection laws.

3.2 If you have any concerns or questions about our use of your personal data, you can contact our Data Protection Officer by writing to:

Data Protection Officer
Joseph Rowntree Foundation
The Homestead
40 Water End
York YO30 6WP

Or by email at: [email protected]

3.3 If you have any questions about our use of your personal data, you can raise those questions with our Data Protection Officer.

4 Why are we collecting your information?

4.1 The information that you provide to us is required in order for us to procure goods and/or services and make payments to you.

5 Types of personal information we use

5.1 We are collecting information about you which is relevant to procuring goods and/or services and making payments. This includes:

5.1.1 personal details (such as name);

5.1.2 contact details (such as your personal telephone number and email address);

5.1.3 confirmation of your identity (such as a copy of your driving licence);

5.1.4 information about your tax status (such as HMRC records of self-assessment);

5.1.5 financial information (such as bank account details);

5.1.6 complaints information;

5.1.7 security information (such as CCTV footage, swipe card information, etc)

6 Source of your personal information

6.1 The above information which we collect about you will be obtained through a variety of sources which include:

6.1.1 from you directly as part of the process of becoming a supplier;

6.1.2 from third parties as part of the process of becoming a supplier (such as credit checks, trade references); and

6.1.3 information obtained about you in the course of our working relationship.

7 What we do with your information

7.1 We use the types of personal data which we have listed above for the following purposes:

7.1.1 The process of applying for and becoming a supplier (such as making a decision about procuring goods or services; determining the payment terms for your invoices such as payment in advance)

7.1.2 Make payments to you for goods and/or services;

7.1.3 Complaints (such as gathering evidence in relation to any complaints made by or about you; dealing with legal disputes involving you);

7.1.4 Determining your continued supplier status;

7.1.5 To comply with our legal obligations such as to prevent fraud.

8 What may happen if you do not provide your personal information?

8.1 If you refuse to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as making payments without your bank information), or we may be prevented from complying with our legal obligations (such as deducting tax if required to do so).

9 Complying with data protection law

9.1 We will comply with data protection law. At the heart of data protection laws are the "data protection principles".

10 What is our lawful basis for using your information?

10.1 In accordance with the data protection laws, we need a "lawful basis" for collecting and using information about you. There are a variety of different legal bases for using personal data which are set out in the data protection laws.

10.2 The lawful bases on which we rely in order to use the information which we collect about you for the purposes set out in this statement will be:

10.2.1 using your information in this way is necessary for us to perform the contract between us and you in order to take steps at the request of you prior to entering into the contract; and

10.2.2 using your information is necessary for us to comply with legal and regulatory obligations to which we are subject.

11 Sharing your information

11.1 We will share your personal information with third parties where required by law, where it is necessary to administer the contractual relationship with you or where we have another legitimate interest in doing so.

Which third-party service providers process my personal information?

11.2 ”Third parties” includes third-party service providers (including contractors and designated agents) and other entities within our group. This may include our auditors, banks or other financial institutions to facilitate payments and contractors who work on our systems.

How secure is my information with third-party service providers?

11.3 All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

11.4 We may share your personal information with other third parties, for example with a regulator or to otherwise comply with the law.

12 Security of your information

12.1 We have put in place measures to protect the security of your information. Details of these measures are available upon request.

12.2 Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

12.3 We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

13 Can we use your information for any other purpose?

13.1 We typically will only use your personal information for the purposes for which we collect it. In limited circumstances we may use your information for a purpose other than those set out in this policy. If we intend to do so, we will provide you with information relating to that other purpose before using it for the new purpose.

13.2 We may use your personal information without your knowledge or consent where such use is required or permitted by law.

14 Storing your information and deleting it

14.1 We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our retention policy which is available on request. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

14.2 In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer a supplier we will retain and securely destroy your personal information in accordance with our data retention policy.

15 Your rights

15.1 Under certain circumstances, by law you have the right to:

15.1.1 Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

15.1.2 Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

15.1.3 Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

15.1.4 Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

15.1.5 Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

15.1.6 Request the transfer of your personal information to another party.

15.2 If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer in writing.

16 Right to complain to the ICO

16.1 You also have the right to complain to the Information Commissioner's Office (the "ICO") if you are not satisfied with the way we use your information. You can contact the ICO by writing to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

17 Changes to this privacy statement

We reserve the right to update this privacy statement at any time, and we will provide you with a new privacy statement when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.