Purchase to pay privacy notice
Who we are and what we do
The Corporate Procurement department are responsible for the Council's Purchase to Pay Service which includes processing and making payments to suppliers and other third parties for the Council and other organisations the Council provides 'purchase to pay' services for, for example Sunderland Care and Support, Together for Children.
What personal information do we collect?
In order to enable us to carry out Purchase to Pay services effectively we collect the following information about you:
- Name
- Address
- Contact details e.g. telephone number, email address
- Personal identifiers (where appropriate) e.g. NI number Tax details (where appropriate) e.g. VAT number, Construction Industry Tax Scheme)
- Bank details
- Payment terms
Other personal information held is:
- Details of purchases made from you
- Payment history details
What is your personal information used for?
The personal information collected by the Purchase to Pay Service is used for the following purposes:
- processing and making of payments to suppliers and other third parties, and
- the prevention and detection of fraud and error. For more details refer to the Council's National Fraud Initiative Privacy Notice
We will only use information collected lawfully in accordance with the GDPR and future UK Data Protection legislation.
We will not use any information we hold about you for any purpose other than that for which it was collected, unless we have obtained your consent beforehand or we are required by law to provide your personal information to a third party.
What is the Legal Basis for Processing Personal Data?
The legal bases for the using your personal data for the purposes described above, as defined by Article 6(1) of the GDPR, are:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6(1)(a));
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b));
- processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c)).
Who do we share your personal information with?
Your personal data may be shared with:
- Cabinet Office (as part of the National Fraud Initiative)
- Government agencies e.g. HMRC.
- Bacs Payment Scheme Ltd (formerly known as BACS)
We do not share information about you with anyone without your consent unless the law requires or allows us to do so. We will always seek your positive consent to share information if there is no legal basis to share.
In all cases where we must pass on information, we will only share the minimum amount of information required and will use the most secure method to transfer data.
How do we keep your information secure?
The security of your personal information is important to us. This is why we follow a range of security policies and procedures to control and safeguard access to and use of your personal information.
All information is held securely with physical, organisational and electronic access controls to ensure your personal information remain secure both at rest and when in transit. Access to the data is restricted to authorised personnel only and is password protected. All data is encrypted during the transmission of data.
How long we will retain your personal information for?
The Council has agreed retention periods which set out the period of time personal data will be retained by the Council. These are available on our website.
Data Transfers
No personal data processed as part of the Purchase to Pay Service is transferred overseas to any other country
Automated Decision-Making
No automated decision making is made as part of the Purchase to Pay arrangements.
Marketing
At no time will your information used as part of the Purchase to Pay Service be used for marketing or sales purposes.
It will only be used for the purposes described earlier in this document.
Your Information Rights
Under data protection legislation, you have the right to request access to information about you that we hold. If you are 12 or over, we will usually consider you to be old enough to understand your rights and to make a Subject Access Request yourself, if you want to. If you are younger than 12, your parent will normally have to make a request on your behalf.
To make a request for your personal information, contact
Access to Files Team
Sunderland City Council
City Hall
Plater Way
Sunderland
SR1 3AA
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- e) claim compensation for damages caused by a breach of the Data Protection regulations
Raising a Concern
If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance.
You can contact our Data Protection Officer as follows:
Data Protection Officer
City Hall
Plater Way
Sunderland
SR1 3AA
Telephone: 0191 520 5555
E-mail: data.protection@sunderland.gov.uk
Alternatively, you can contact the Information Commissioner's Office, who is an independent regulator. The contact details are:
- on line at:https://ico.org.uk/
- by post: Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
- by telephone: 0303 123 1113 (local rate) or 01625 545 745 d) by fax: 01625 524 510
Further Information
For further information on the use of personal data by the Purchase to Pay Service at Sunderland City Council please email the Purchase to Pay Service at Accounts.Payable@sunderland.gov.uk
For further information on data protection and GDPR arrangements at Sunderland City Council please contact the Council's Data Protection Officer (see contact details above)