Privacy notice for suppliers
How we use your personal data
We collect and process your personal information if you work for or are a representative of a supplier which provides services to us.
This privacy notice describes how and why we process your information.
If you are a sole trader or independent contractor providing services to us, refer to our Privacy notice for independent contractors and contract workers.
To find out more about how we handle personal data, read our privacy notice.
Data controller
The NMC is the data controller in relation to your personal information.
Information we collect about you prior to entering into a contract for services with a supplier you work for
Before we enter into a contract for services with a supplier you work for, we collect and process:
- your name and job title and any contact details for you that your supplier has provided to us;
- any information your supplier has provided to us about your skills and expertise.
Information we collect if we enter into a contract for services with a supplier that you work for
Once we’ve entered into a contract with a supplier that you work for, we may collect and process further information about you, including:
- your name, job title and any contact details that your supplier has provided to us;
- any information your supplier has provided to us about your skills and expertise;
- records of your activity on our IT systems;
- CCTV images of you if you attend our premises;
- any recordings of your voice and conversations where meetings are recorded to aid note-taking or where telephone calls are recorded for training purposes;
- your photograph and name, used on your security ID access control card for access to NMC buildings;
- the terms of NMC’s contract with the supplier you work for.
How we collect information about you
The majority of the information we collect about you will be information given to us by the supplier that you work for.
We may also collect information about you from:
- our IT systems;
- CCTV images (if you attend our premises);
- recordings of meetings.
Why we process your personal information
We collect and process your information to contact you during the supplier procurement process and while the supplier you work for is providing services to us.
Where we collect information about your skills and expertise we do this to assess the suitability of your service company to provide services to us.
If we enter into a contract with a supplier that you work for, we’ll process your information to:
- manage our contractual relationship with the service company you work for;
- comply with our legal obligations (for example, our health and safety obligations);
- grant you access to our buildings and IT systems where necessary;
- investigate and respond to complaints or legal claims;
- contact you in case of an emergency.
If in the future we intend to process your personal data for a different purpose, we’ll provide you with updated privacy information.
How and why we collect health information
We don’t collect any health information about you unless the supplier you work for shares health information with us in the context of asking us to make a reasonable adjustment for a disability.
We’re under a legal obligation to make reasonable adjustments to prevent people with disabilities from being placed at a substantial disadvantage, as well as ensuring they have a fair and equal chance of accessing our services.
Our legal bases for processing your information
If you work for a supplier which is providing services to us, we generally process your information because it’s necessary to take steps to enter into a contract with the supplier you work for, and/or to perform our contract with the supplier.
In some cases, we’re also under a legal obligation to process your information. For example, we process any health information you provide us in order to comply with our legal obligation to make reasonable adjustments.
Where we use your personal details to contact you in an emergency, we’ll only do so where it’s necessary to protect your vital interests or those of another person.
Who has access to your information?
We’ll share your information internally with members of staff, for example those involved in the procurement process and members of our finance team to ensure that the supplier you work for receives payment.
Where your data is stored on our IT systems, our IT staff will also have access to it in the course of their work.
We may also share your information with external third parties in the following ways:
- with other suppliers who provide procurement services on our behalf;
- with legal advisors in the event of a complaint or legal claim.
How do we protect your information?
We take the security of your data seriously. We have internal policies and controls in place to keep your data secure. You can view our information security policy and data protection policies on our privacy notice page.
How long do we keep your information?
We only keep your data for as long as we need it.
We may keep some information about you for a period of time after our contract with you or the service company you work for has ended where this is provided for in our contract with you or the service company.
Read our corporate retention schedule here
Keeping your information up-to-date
It’s your responsibility and that of the supplier you work for to ensure that information we hold about you is up-to-date by informing us of any changes to your personal information.
International transfers of data
We’ll only transfer your personal data outside the United Kingdom where we use a supplier to process personal data on our behalf and the supplier operates outside the UK.
We have policies and procedures in place to ensure that where your data is processed outside the UK it is adequately protected.
Use of Closed Circuit Television (CCTV) at our sites
CCTV is in operation at our sites at:
- 23 Portland Place, London
- 1 Westfield Avenue, London
- 2 Stratford Place, London
- 10 George Street, Edinburgh
Where we’re not the sole occupier of the building (all offices other than 23 Portland Place) there’s additional CCTV which is controlled by the building owners or management company.
We record CCTV images of people when entering and leaving our premises as well as at strategic locations throughout the buildings. This is for the purposes of security and safety monitoring and the investigation of alleged criminal offences. We may share our CCTV images with law enforcement and courts if this is needed.
We wouldn’t normally use the information in either CCTV recording to contact you. In the event that a safety, security, or criminal incident has occurred we may use information we have collected to contact you. This may be to tell you about the incident or suspected incident and to request information we may need to investigate the matter further, update you about any investigation, or to tell you of the outcome.
Legal basis for processing your information in CCTV images
We use our premises to perform our regulatory functions. We consider that ensuring the security and safety of our premises is necessary to perform a task carried out in the public interest and/or in our official authority as a regulator.
We also consider that we have a legitimate interest in using CCTV images to keep our premises safe and secure.
For more information about how we use CCTV, you can ask to see the CCTV policy.
If you object to the way we use CCTV, you can contact foi&dparequests@nmc-uk.org
Your personal data on our IT systems
We have to use IT systems to process your personal data. In addition, our IT systems create data about you by, for example, recording websites that you visit and emails that you send from our corporate IT network.
What if you don’t provide personal data?
Certain information, such as contact details, is necessary to enable the NMC to enter into a contract with the supplier that you work for. If you don’t provide this information we may not be able to enter into a contract with the supplier you work for.
Your rights
Right to be informed
You have the right to know about how and why we collect and use your information. This privacy notice forms part of our work to inform you about the information we hold about you and how we use it.
You can request further information or clarification on our use of your information at any time by filling in this form or emailing us at foi&dparequest@nmc-uk.org.
Right of access
You have the right to request a copy of the information we hold about you.
In most cases the information will be provided to you free of charge. Only if the request is manifestly unreasonable or excessive or is a repeated request for the same information would we apply a charge based on the costs of providing the information.
There are circumstances where we’ll hold information but will not be able to provide it in response to a request. In such circumstances we would tell you that this is the case (unless compelled by law not to do so). We would also not supply information about a person if we haven’t been given enough details to identify them from that information.
You can request a copy of the information we hold about you by emailing us at foi&dparequest@nmc-uk.org.
Right to rectification
You have the right to ask us to correct any information we hold if it’s incorrect.
Where proportionate and practical we’ll ensure that any organisation we have shared the information with also corrects it.
You can make your request by emailing us at foi&dparequest@nmc-uk.org.
Right to erasure
In some circumstances you may have the right to ask us to remove information we hold about you.
There are limitations to this right. For example, if we are compelled by law to keep information about you or it is integral to our activities as a regulator.
You can make your request by emailing us at foi&dparequest@nmc-uk.org.
Right to restrict processing
You have the right to ask us to restrict the processing of your information for specific purposes for specific periods of time.
In many instances the right to restrict the processing of your information does not arise, for example, where we process your information because of a legal obligation.
You can make your request by emailing us at foi&dparequest@nmc-uk.org.
Right to data portability
You have the right to request your information in a machine readable format, using common standards or file types. This right only applies where you have provided the information to us yourself, we are processing the information based on your consent or to fulfil a contract and when the processing is carried out by automated means.
You can make your request by emailing us at foi&dparequest@nmc-uk.org.
Right to object
You have the right to object to us processing your information. This includes the right to object to direct marketing and the right to object to your information being used for research.
There are a number of exemptions to this right. If we’re not able to comply with your request, we’ll advise you of our decision within one month of your request, setting out the reasons.
You can tell us of your objection by contacting foi&dparequest@nmc-uk.org.
Rights related to automated decision making including profiling
You have the right to request human intervention in any automated decision making processes where this process is not based on your consent, authorised by law or necessary for the performance of a contract.
Automated decision making is where a decision is taken about you using an electronic system without human involvement. We don’t currently make decisions using automated processes.
If you have an enquiry about our use of automated decision making, you can make your request by emailing us at foi&dparequest@nmc-uk.org.
Consent
If you have consented to the processing of your data, you have the right to withdraw that consent at any time. If you wish to withdraw your consent, contact foi&dparequest@nmc-uk.org.
As outlined in this privacy notice, in most instances we process your data on a legal basis other than consent.
Data Protection Officer
Our Data Protection Officer can be contacted by emailing DPO@nmc-uk.org.
Your right to complain to the Information Commissioner’s Office (ICO)
You have a right to complain to the Information Commissioner’s Office (ICO). The contact details for the ICO can be found on the ICO website.
If more than one data controller processes your data
The NMC is the data controller in relation to your personal information. The supplier you work for is also a data controller for your information. To exercise your data protection rights you may need to contact the supplier you work for which is also a data controller in relation to your personal data.