Supplier Privacy Notice

Legal

We, Seetec Group (comprising; Seetec Business Technology Centre, the Kent, Surrey & Sussex Community Rehabilitation Company, Seetec Employment & Skills Ireland DAC, the Outsource Training Group of companies and any other company comprising the Seetec Group) are committed to protecting personal information in connection with your company and its employees’ privacy and promise to collect, process and share your data safely and securely in connection with your business transactions with us. Our Supplier Privacy Notice tells you how we do this and what your rights are. Any personal data processed in line with our Privacy Notice is controlled by us, as the data controller.

We want you to be confident that your data will be kept Safe and Secure whilst in our care, that’s why we will always tell your company what we collect and how we use it.

We will never sell personal information in connection with your company and its employees’ information to third parties.

Personal information in connection with your company and its employees’ data is important to us, that’s why it is protected by industry best practice systems and processes, is stored securely and we are committed to maintaining the Confidentiality, Integrity and Availability of personal information in connection with your company and its employees’ information at all times.

This privacy notice tells you what to expect when the Seetec Group of companies collects personal information in connection with your company and its employees.

Personal information we collect in connection with your company and its employees

  • Personal information in connection with your company and its employees provided whilst completing the initial application process to become a preferred supplier, including registered and trading names, address, VAT number, email addresses, telephone number(s), bank details and credit references. We may collect some of this contact information when your company interacts with us including during the on-boarding process and subsequently collected or processed during our business dealings with your company and its employees.
  • Details (and copies) of personal information in connection with your company and its employees’ communications and interactions with us via our Shared Services teams (including Finance) or otherwise, including by email, telephone (voice recordings) and post.
  • Copies of documents showing personal information in connection with your company and its employees provided to prove its identity (including incorporation certificates and bank details) when your company initially engages with us, at regular intervals thereafter or where there is a legal reason to request this from your company and its employees.
  • Details of any credit ratings as a result of background checks conducted at commencement and at regular intervals during and in connection with your company and its employees’ business dealings with us.
  • We may also receive other data directly from your company and its employees or from various third parties and public sources, including from social media channels (if you interact with us through those channels), or other third parties including from previous customers and credit reference agencies.

 

How and why we use personal information in connection with your company and its employees’ data

We have set out the primary ways we use personal information in connection with your company and its employees’ data, and why in the table below. We have also identified what our legal basis or legitimate interests are where appropriate.

It is usually necessary for us to process personal information in connection with your company and its employees’ data in order to fulfil our obligations under our terms and conditions with your company and its employees, or to comply with a legal or statutory requirement of various government departments, including HMRC, DWP, MOJ, ESFA, DEASP etc.

 

  How we use personal information in connection with your company and its employees’ data Why we use your personal data Where your data is stored
Registration to become a preferred supplier Company required to provide information to join preferred supplier list Part of the registration process. Contractual obligation. SAP/ SAGE
Application form, bank details, VAT number and status, published accounts, ethical procurement policy Used to set up new supplier record To ensure we are entering into commercial arrangements with a bona fide organisation Contractual obligation. Restricted Finance shared folder and SAP/ SAGE
Invoices and credit notes To record the transaction. Part of the business process. Legal and Contractual obligation. Restricted Finance shared folder and SAP/ SAGE
Payment details and remittances To evidence payments for services rendered Evidence to show discharge of legal obligations and provide audit trail for regulatory authorities and shareholders. Legal and Contractual obligation. Restricted Finance shared folder and SAP/ SAGE
Bank details To provide payments for services rendered directly into  your company’s bank account To enable payment properly due invoices for goods and services supplied. Contractual obligation. Restricted Finance shared folder and SAP/ SAGE
Credit reference reports To inform risk judgements about continuity of supply To ensure that we can provide a continuous supply of goods and services in furtherance of our contractual obligations with our commissioners and customers Restricted Finance shared folder and SAP/ SAGE

Where personal information in connection with your company and its employees’ information is held in SAP/ SAGE – it is your company and its employees’ responsibility to ensure that the information (such as address, contact details, bank accounts etc) is up to date and that you advise us promptly of any changes. Speak to your Finance contact for advice on how to go about this.

How your information is shared

We sometimes share the data we collect from your company and its employees with the following third parties:

  • Stakeholders and commissioners where personal information in connection with your company and its employees’ role is in conjunction with a contract being delivered by one or more parts of the organisation.
  • Cloud providers of software systems and solutions used by the group in connection with the fulfilment of your contract for goods and services.
  • Professional advisers including lawyers, bankers, auditors and insurers – for the purposes of providing consultancy, legal, insurance and accounting services.
  • Garda, Police or other such regulatory authority – as part of an investigation or otherwise for legal or regulatory purposes.
  • Auditors – to audit our systems and processes for the purposes of ensuring efficiency, or regulatory or contractual compliance.
  • UK and Irish law enforcement agencies and third-party security companies – for the purposes of ensuring that we comply with the law and have adequate security measures in place.
  • We will disclose personal information in connection with your company and its employees’ information to third parties if we are under a duty to disclose or share personal information in connection with your company and its employees’ data in order to comply with any other legal or regulatory obligation or request.

 

How long do we keep your information?

  • We will only keep personal information in connection with your company and its employees’ data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal or contractual requirements.
  • At the end of that retention period, your data will either be deleted or anonymised (so that it can no longer be associated with you) for research or statistical purposes.
  • To determine the appropriate retention period for company data, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure of personal information in connection with your company and its employees’ data, the purposes for which we process personal information in connection with your company and its employees’ data and whether we can achieve those purposes through other means, and the applicable legal requirements.
  • In some circumstances your company and its employees may be entitled to ask us to delete their data: see ‘Your rights’ below for further information.

 

How we protect personal information in connection with your company and its employees’ data

We have put appropriate technical and organisational measures in place to protect personal information in connection with your company and its employees’ data:

  • We are independently certified to a number of industry recognised standards, including ISO27001:2013 which helps us maintain the highest levels of security across our entire business.
  • Our security controls are designed to maintain the Confidentiality, Integrity & Availability of personal information in connection with your company and its employees’ information at all times.
  • Our group-wide staff training and awareness portfolio covers key risk areas and specific controls associated with all sensitive data.
  • Wherever possible, we ensure the online cloud services are accessed using https rather than http, meaning that all information that is sent and received over the internet is encrypted for additional security.
  • We have selected and deployed technical measures such as password complexity requirements, anti-virus and anti-malware software, firewalls, encryption, email and internet filtering and VPNs for secure remote access.
  • We have implemented soft controls such as Clear Desk, Clear Screen policies, preferred supplier and ethical procurement policies.
  • As described in this Privacy Notice, we may in some instances disclose personal information in connection with your company and its employees’ data to third parties. Where we do, we require that third party to have appropriate technical and organisational measures in place to protect personal information in connection with your company and its employees’ data via robust contracts and agreements; however in some instances we may be compelled by law to disclose personal information in connection with your company and its employees’ data to a third party, and have limited control over how it is protected by that party.
  • Our systems and technical security controls are regularly audited by independent auditors to ensure we maintain our security accreditations.
  • Personal information in connection with your company and its employees’ data is not processed or transferred outside of the European Economic Area (EEA).

 

Your rights

You have the right:

  • to ask us not to use personal information in connection with your company and its employees’ data for direct marketing.
  • to ask us not to process personal information in connection with your company and its employees’ data where it is processed on the basis of legitimate interests, if there are no compelling reasons for that processing;
  • to request from us access to information held about personal information in connection with your company and its employees (see below);
  • to ask for the information we hold about personal information in connection with your company and its employees to be rectified if it is inaccurate or incomplete;
  • to ask that we stop any consent-based processing of personal information in connection with your company and its employees’ data after you withdraw that consent;
  • to ask, in certain circumstances, to delete the company data we hold about you;
  • to ask, in certain circumstances, for the processing of that information to be restricted;
  • to ask, in certain circumstances, for data portability; and
  • to ask, in certain circumstances, for your data to be moved to another controller.

 

Get in touch with us

If you have any questions about our Privacy Notice, including any requests to exercise your rights, please contact the Data Protection Officer using the details set out below:

 

By post to:

Data Protection Officer

Seetec Group,

75-77 Main Road,

Hockley,

Essex,

SS5 4RG.

 

By email to:

dataprotection@seetec.co.uk

dataprotection@seetec.ie

dataprotection@ksscrc.co.uk

dataprotection@outsourcetraining.org

 

Data Subject Access Request (DSAR)

In order to request a copy of the data that the Seetec group of companies holds about personal information in connection with your company and its employees, please send your request in writing to the Data Protection Officer at the above address. To enable us to process your request, you must include the following information:

  • your full name;
  • a description of the data that you are requesting, including a date range; and
  • the date of the request.

To verify your identity and ensure the information is being provided to the data subject, we may ask you to verify your identity, therefore you will be asked to provide:

  • a copy of your certificate of incorporation
  • proof of your address in the form of a photocopy of a utilities or service provider bill.

Under usual circumstances, we are obligated to provide the information you have asked for within ONE MONTH.

If you are unhappy with our processing of personal information in connection with your company and its employees’ data, you have the right to complain to the Information Commissioners Office (ICO) in the UK or the Data Protection Commissioner (DPC) In Ireland at any time.

The ICO contact details are available here: https://ico.org.uk/concerns/

The DPC contact details are available here: https://www.dataprotection.ie/docs/Making-a-Complaint-to-the-Data-Protection-Commissioner/r/18.htm.

We would, however, appreciate the chance to deal with any concerns before you approach the ICO or the DPC, so please contact the Data Protection Officer in the first instance.