Privacy notice for suppliers

How we use your personal data

We collect and process your personal information if you work for or are a representative of a supplier which provides services to us.

This privacy notice describes how and why we process your information.

If you are sole trader or independent contractor providing services to us, refer to our Privacy notice for independent contractors and contract workers.

To find out more about how we handle personal data, read our privacy notice

Data controller

The NMC is the data controller in relation to your personal information.

Information we collect about you prior to entering into a contract for services with a supplier you work for

Before we enter into a contract for services with a supplier you work for, we collect and process:

  • your name and job title and any contact details for you that your supplier has provided to us;
  • any information your supplier has provided to us about your skills and expertise.

Information we collect if we enter into a contract for services with a supplier that you work for

Once we’ve entered into a contract with a supplier that you work for, we may collect and process further information about you, including:

  • your name, job title and any contact details that your supplier has provided to us;
  • any information your supplier has provided to us about your skills and expertise.
  • records of your activity on our IT systems;
  • CCTV images of you if you attend our premises;
  • any recordings of your voice and conversations where meetings are recorded to aid note-taking or where telephone calls are recorded for training purposes.
  • photograph and name used in security ID access control card for access to NMC buildings
  • the terms of NMC’s contract with the supplier you work for.

How we collect information about you

The majority of the information we collect about you will be information given to us by the supplier that you work for.

We may also collect information about you from:

  • our IT systems;
  • CCTV images (if you attend our premises)
  • recordings of meetings.

Why we process your personal information

We collect and process your information to contact you during the supplier procurement process and while the supplier you work for is providing services to us. 

Where we collect information about your skills and expertise we do this to assess the suitability of your service company to provide services to us. 

If we enter into a contract with a supplier that you work for, we’ll process your information to:

  • manage our contractual relationship with the service company you work for;
  • comply with our legal obligations (for example, our health and safety obligations);
  • grant you access to our buildings and IT systems where necessary;
  • investigate and respond to complaints or legal claims;
  • contact you in case of an emergency.

If in the future we intend to process your personal data for a different purpose, we’ll provide you with updated privacy information.

How and why we collect health information

We don’t collect any health information about you unless the supplier you work for shares health information with us in the context of asking us to make a reasonable adjustment for a disability.

We’re under a legal obligation to make reasonable adjustments to prevent people with disabilities from being placed at a substantial disadvantage, as well as ensuring they have a fair and equal chance of accessing our services.

Our legal basis for processing your information

If you work for a supplier which is providing services to us we generally process your information because it’s necessary to take steps to enter into a contract with the supplier you work for and/or to perform our contract with the suppler.

In some cases we’re also under a legal obligation to process your information. For example we process any health information you provide us in order to comply with our legal obligation to make reasonable adjustments.

Where we use your personal details to contact you in an emergency, we’ll only do so where it’s necessary to protect your vital interests or that of another person.  

Who has access to your information?

We’ll share your information internally with members of staff, for example those involved in the procurement process and members of our finance team to ensure that the supplier you work for receives payment. 

Where your data is stored on our IT systems, our IT staff will also have access to it in the course of their work.

We may also share your information with external third parties in the following ways:

  • with other suppliers who provide procurement services on our behalf;
  • with legal advisors in the event of a complaint or legal claim.

How do we protect your information?

We take the security of your data seriously. We have internal policies and controls in place to keep your data secure. You can view our information security policy and data protection policies on our privacy notice page.

How long do we keep your information?

We only keep your data for as long as we need it.

We may keep some information about you for a period of time after our contract with you or the service company you work for has ended where this is provided for in our contract with you or the service company.

Read our corporate retention schedule

Keeping your information up-to-date

It’s your responsibility and that of the supplier you work for to ensure that information we hold about you is up-to-date by informing us of any changes to your personal information.

International transfers of data

We’ll only transfer your personal data outside the United Kingdom where we use a supplier to process personal data on our behalf and the supplier operates outside the UK.

We have policies and procedures in place to ensure that where your data is processed outside the UK it is adequately protected.

Use of Closed Circuit Television (CCTV) at our sites

CCTV is in operation at our sites. Where we’re not the sole occupier of the building (all offices other than 23 Portland Place) there’s additional CCTV which is controlled by the building owners or management company.

We record CCTV images of people when entering and leaving our premises as well as at strategic locations throughout the buildings. This is for the purposes of security and safety monitoring and the investigation of alleged criminal offences. We may share our CCTV images with law enforcement and courts if this is needed.

Our legal basis for recording CCTV

We use our premises to perform our regulatory functions. We consider that ensuring the security and safety of our premises is necessary to perform a task carried out in the public interest and/or in our official authority as a regulator.

We also consider that we have a legitimate interest in using CCTV images to keep our premises safe and secure.

For more information about how we use CCTV, you can ask to see the CCTV policy.

Your personal data on our IT systems

We have to use IT systems to process your personal data, for example, to store your contact details and to provide you with a building access pass if you visit our premises. In addition, our IT systems create data about you by, for example, recording any activity on our corporate IT network.

If you are given access to our IT systems in the course of your work and you use our IT systems for personal use, this may result in data about your private life being processed and stored by our IT systems.

What if you don’t provide personal data?

Certain information, such as contact details, are necessary to enable the NMC to enter into a contract with the supplier that you work for. If you don’t provide this information we may not be able to enter into a contract with the supplier you work for.

Your rights

Right to be informed

You have the right to know about how and why we collect and use your information. This privacy notice forms part of our work to inform you about the information we hold about you and how we use it.

You can request further information or clarification on our use of your information at any time by filling in this form or emailing us at foi&dparequest@nmc-uk.org.

Right of access

You have the right to request a copy of the information we hold about you.

In most cases the information will be provided to you free of charge. Only if the request is manifestly unreasonable or excessive or is a repeated request for the same information can we apply a charge. We would apply a charge based on the costs of providing the information.

There are circumstances where we’ll hold information but will not be able to provide it in response to a request. In such circumstances we would tell you that this is the case (unless compelled by law not to do so). We would also not supply information about a person if we haven’t been given enough details to identify them from that information

You can request a copy of the information we hold about you by emailing foi&dparequest@nmc-uk.org.

Right to rectification

You have the right to ask us to correct any information we hold if it’s incorrect.

Where proportionate and practical we’ll ensure that any organisation we have shared the information with also corrects it.

You can make your request by emailing foi&dparequest@nmc-uk.org.

Right to erasure

In some circumstances you may have the right to ask us to remove information we hold about you.

There are limitations to this right. For example, if we are compelled by law to keep information about you or it is integral to our activities as a regulator.

To make your request email us at foi&dparequest@nmc-uk.org.

Right to restrict processing

You have the right to ask us to restrict the processing of your information for specific purposes for specific periods of time.

In many instances the right to restrict the processing of your information does not arise, for example, where we process your information because of a legal obligation.

To make a request to restrict processing contact foi&dparequest@nmc-uk.org.

Right to data portability

You have the right to request your information in a machine readable format, using common standards or file types. This right only applies where you have provided the information to us yourself and we are processing the information based on your consent or to fulfil a contract and when the processing is carried out by automated means.

To make a request email foi&dparequest@nmc-uk.org.

Right to object

You have the right to object to us processing your information. This includes the right to object to direct marketing and the right to object to your information being used for research.

There are a number of exemptions to this right. If we’re not able to comply with your request we’ll advise you of our decision within one month of your request setting out the reasons.

You can tell us of your objection by contacting foi&dparequest@nmc-uk.org.

Rights related to automated decision making including profiling

You have the right to request human intervention in any automated decision making processes where this process is not based on your consent, authorised by law or necessary for the performance of a contract.

Automated decision making is where a decision is taken about you using an electronic system without human involvement. We don’t currently make decisions using automated processes.

If you have an enquiry about our use of automated decision making, contact foi&dparequest@nmc-uk.org.

Consent

If you have consented to the processing of your data you have the right to withdraw that consent at any time. To withdraw your consent, contact foi&dparequest@nmc-uk.org.

As outlined in this privacy notice, in most instances we process your data on a legal basis other than consent.

Data Protection Officer

Our Data Protection Officer can be contacted by emailing DPO@nmc-uk.org.

Your right to complain to the Information Commissioner’s Office (ICO)

You have a right to complain to the Information Commissioner’s Office (ICO). The contact details for the ICO can be found on the ICO website.

If more than one data controller processes your data

The NMC is the data controller in relation to your personal information. The supplier you work for is also a data controller for your information. To exercise your data protection rights you may need to contact the supplier you work for which is also a data controller in relation to your personal data.