Skip to main content

Procurement Service Privacy Notice

How we use your personal information for Procurement purposes

The Council provides services for local communities and the people who live in them.  Undertaking this work means that we must collect and use information about the people we provide services to and keep a record of those services. Because we collect and use personal information about individuals we must make sure that they know what we intend to do with their information and who it may be shared with. 

We have summarised in this privacy notice some of the key ways in which we use your personal information for Procurement purposes. This information should be read in conjunction with the Council’s corporate privacy notice.


This privacy notice is intended to provide information about how the Council will use (or ‘process’) your personal data for Procurement purposes.

The Procurement Service is responsible for procurement strategy and policy, procurement efficiency, innovation, improvement and the delivery of inter-service procurement projects, including interfaces with suppliers and providers to secure wider social, economic, environmental and cultural well-being outcomes for the County Borough.

The Service also acts as the centre of expertise for procurement advice and best practice within the Council and as the point of contact with Welsh Government for all procurement activities.

All Service areas depend on external organisations for the provision of bought-in goods, services and works, therefore it is important that a clear strategy exists for enabling, planning and managing the use of these resources.

When processing the personal data, we process only the minimum amount necessary in relation to the purpose.

The Data Controller

The Council is the data controller for the personal data we process, and is registered with the Information Commissioner’s Office (ICO) as a controller (Z47870100).

How to contact us for data protection matters or concerns

If you have any concerns or would like to know more about how the service using your personal information we’d encourage you to contact us in the first instance in one of the following ways:

By email :

By telephone : 01443 281181

In writing : Procurement, Porth Plaza, 30, Foundry Place, Town Centre, Porth CF39 9PN

The Data Protection Officer

The Data Protection Officer (DPO) can be contacted in relation to data protection matters.

Should you have the need to contact the Data Protection Officer directly you can do so via email to the following email address;

The categories of personal data we process

We utilise personal & financial information supplied by contractors which is pertinent and relevant to the tendering of goods and services for RCT service areas to meet provision of service requirements.

This information can include details of individuals and / or organisations with whom the authority will establish trading relationships in accordance with provision of goods works and service requirements.

In our conduct of the same, we will collect the following personal information, for example:

  • Name, address, contact information (telephone and email where appropriate)
  • Identity information and documentation
  • Organisation & Business information
  • Additional information in relation to the Procurement Process requirements to enable us to progress our service. This will depend on the type of procurement being undertaken. We would only use this information when required to conduct Procurement matters on behalf of the Council.

We process personal information relating to identified natural persons in conjunction to deliver services outlined in section 1 above.

Why we process the personal data

We process personal data only for the purposes of carrying out procurement duties such activities to include:

  • Establishing a list of potential suppliers
  • Tenders or quotations
  • Evaluation and selection
  • Contract Management

Our lawful basis for processing the personal data;

Under the General Data Protection Regulation (GDPR), our lawful basis for processing the personal data to undertake our Procurement statutory function is:

  • Legal Obligation (c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Public Task - Article 6 (e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The primary legislation, regulations and guidance that supports this includes but is not limited to;

  • The Public Contract Regulations
  • RCT Contract Procedure Rules

Who or where we get the personal data from

We may receive the personal data from the following categories of individuals or organisations:

  • Directly from suppliers
  • Welsh Government
  • ICT systems and websites
  • Other public bodies

Who we share personal data with

We may share personal data with the following key organisations to fulfil our statutory procurement function.

We may, on your consent, share personal contact details with Council approved contractors  solely for the purpose of sub-contracting opportunities.

When sharing the personal data, we only share the minimum amount necessary in relation to the purpose.



Welsh Government

In relation to collaborative procurements to undertake tender evaluations, contract management or other purchasing requirements. An example of this may be a catalogue of products or services where the account managers’ details are provided or for services accreditations/training etc of an individual who may be used to complete a project or deliver a service.


Other Public Sector Bodies

As above


Sub-contracting opportunities (where consent has been obtained to share contact details for this purpose)

Data Processors

A data processor is a company or organisation that processes personal data on behalf of a controller. The category of data processors that the Service uses is;

-       IT system suppliers / service providers

Our data processors act only upon our instruction. They cannot do anything with the personal data unless we instruct them to do so. They will not share the personal data with any organisation apart from us or use it for their own purposes. They will hold it securely and retain it for the period we instruct.

Should you have a specific query relating to our data processors, please contact the Data Protection Lead.

How long we retain the personal data

We retain the personal data contained within the Procurement service records as follows:

Basic Record Description

Statutory Provision

Retention period

Tenders / Quotations

The Public Contract Regulations

6 years after resulting contract expiry or completion date


Contracts – Under seal or major contracts

The Public Contract Regulations

12 years after contract expiry or completion date

Contracts – not under seal

The Public Contract Regulations

6 years after contract expiry or completion date

Business Directory Contact Details


Until an opt out request is recieved

In keeping with the General Data Protection Regulation storage limitation principle, records are periodically reviewed. Not all personal data is retained. Only personal data that is relevant to the record is retained for the entire retention period. Information that has no long term or evidential value is routinely destroyed in the normal course of business.  

Your data protection rights

The General Data Protection Regulation (GDPR) gives you important rights, including the right to access the personal information the services hold about you.

Click here for further information on your information rights and how to exercise them. 

Your right to make a data protection complaint to the Council

You have the right to complain to the Council if you believe we have not handled your personal data responsibly and in line with good practice.

If you have a concern, we encourage you to contact the us in the first instance. Most concerns can be resolved relatively quickly through a simple phone call or email to us. Should you wish to make a formal complaint you can do so via our Corporate Feedback Scheme.

Your right to make a data protection complaint to the ICO

You can complain to the ICO if you are unhappy with how we have used your data, but we encourage you to contact us first.

The ICO’s contact information is:           

  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Helpline number: 0303 123 1113
  • Website: