Suppliers privacy notice
What personal data do we collect?
The type of personal information we collect from you will depend on the context in which we interact with you. In general, this will include, but is not limited to:
- Name and job title;
- Contact information including the company/organisation/institution you work for, telephone numbers and email addresses, where provided;
- Where you are a sole trader, payment and/or banking information;
- Information that you provide to us as part of the scoping and provision of services to us, which may include further employee personal data;
- Language and behaviour of yourself and/or staff that work for you that is in the public domain such as social media posts (X, Meta platforms, YouTube etc.);
- Information about your use of our information systems and IT assets;
- Further information you provide us in interviews, conversations and communications with us which may or may not be recorded;
- Assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence;
- Information collected from workforce management systems, including location data; and
- Relevant information as required by any applicable Know Your Client and/or Anti-Money Laundering regulations (which may include requests for identity information such as passports and information collected from publicly available sources e.g. Companies House).
Where do we get your personal data?
We may collect personal data in a variety of ways and at a variety of times throughout our interactions with you. We refer to “direct data collection” when data is collected directly from you and we refer to “indirect data collection” when the data is not collected directly from you. Here is the list of ways we will collect your personal data from you:
- When you have approached us to become a supplier (direct data collection);
- An industry, business or political based event we hosted which you attended (direct data collection);
- When you or the organisation you work for submit a proposal to become a supplier and/or entered into a contract of work with us (direct data collection);
- Where it is given to us by one of our business partners or related associates or employees (indirect data collection);
- Publicly facing websites including social media during our review of applicability to provide a service to us (indirect data collection);
- When you communicate with us or submit information via our website (direct data collection); and
- Referral from an organisation you already act as a supplier to (indirect data collection).
What do we use your personal data for and what is our lawful basis for using it?
We will use your personal data for the following purposes and on the following lawful bases. We use your personal information in the context of you or the organisation you work for providing a service to us. Personal information will be used for the following purposes:
Purpose for using personal data | Lawful basis for using |
Review your applicability to provide your services to us. | The lawful basis we shall be relying on is in accordance with UK GDPR Article 6.1(b), where the use of your personal data is necessary in the performance of a contract which you have agreed to or where we are working to enter into a contract with you. |
Conduct business operations with you including contract management. | |
Request feedback from you. | |
Conduct Equality, Diversity and Inclusion monitoring activities. | |
Resolve queries or complaints. | |
Provide you access to digital or physical infrastructure as appropriate. | |
Prevent or detect fraud or money laundering including fraudulent payments and fraudulent use of our services. | |
Process your invoice and its payment. | |
Contact you to agree on a contract or a purchase order with you. | |
Process the payment of invoices, expense claims or grant claims etc. | |
Establish, defend, or enforce legal claims or regulatory investigations. | Compliance with a legal obligation under UK GDPR Article 6.1(c). |
Manage reports of data incidents, investigating a data incident report, escalation of an incident to a data breach and subsequent remediation and reporting activities. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the Data Protection Act 2018, to respond to data incidents and breaches appropriately. The lawful basis we shall be relying on is in accordance with UK GDPR Article 9.2(g), where processing is necessary for reasons of ‘substantial public interest’ (preventing or detecting unlawful acts; protecting the public; and regulatory and legal requirements). |
To identify personal data and take relevant action upon submission of a data subject rights request. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the UK General Data Protection Regulation to uphold your data protection rights. Special categories of personal data used for the purpose of Substantial Public Interest (Preventing or detecting unlawful acts; Protecting the public; Regulatory requirements) under UK GDPR Article 9.2(g). |
To be able to assess any impact on individuals of a data breach involving personal data held on Labour Party systems or on third party systems. | |
To help protect an individual from neglect or physical, mental or emotional harm, or protect the physical, mental or emotional well-being of an individual. | Use of the personal data is necessary to protect the vital interests of an individual or individuals in accordance with UK GDPR Article 6.1(d). Special categories of personal data used for the purpose of Substantial Public Interest (Preventing or detecting unlawful acts; Protecting the public; Regulatory requirements) under UK GDPR Article 9.2(g). |
To deal with legal claims and ongoing litigation cases. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the UK General Data Protection Regulation to uphold your data protection rights. Special categories of personal data used for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity under UK GDPR Article 9.2(f). |
If you have interacted with Labour in a different way and if you expected to see something different to the list above, you can access all of our privacy notices by clicking here. If it is still not there, feel free to get in touch as mentioned below.
Who do we share your personal data with?
Any data shared with the below categories of recipients is the minimum necessary for the task they have been instructed to carry out on our behalf or in conjunction with us. Each category of recipient is subject to review by the Data Protection Team to make sure they have the right methods in place for keeping your personal data secure.
Where the sharing of personal data is within the context of a product or service being supplied under contract to Labour, a Data Processing Agreement, in accordance with GDPR Article 28, is put in place. This makes sure the supplier cannot use your personal data outside of the list of uses above.
Within the purposes of using your personal data, as listed above, we will share your personal data with the following:
- Pre-approved digital communications and storage providers;
- Pre-approved online survey platform providers;
- Pre-approved IT service providers where there is a requirement for activities to be part of a digital services supply chain; and
- Where applicable to the service being provided, Labour Party organisations, Labour Candidates hoping to be elected, Labour Councillors, Labour Mayors and Labour Members of Parliament (MPs).
There may be scenarios where we are subject to a legal obligation to disclose or share your personal data, such as with law enforcement agencies, regulatory bodies or public authorities in order to prevent or detect crime, or prove we have adhered to their request. We will only ever disclose your personal data to these third parties to the extent we are required to do so by law.
Data sharing with a third-party organisation that is not a supplier of a product or service to Labour does not occur unless there is a legal obligation or sound lawful purpose for such sharing. For any such sharing we put a Data Sharing Agreement in place between Labour and the third party containing specific information in accordance with the Information Commissioner’s Office ‘Data sharing code of practice’.
In all circumstances, the unlawful and unauthorised sharing of copies of personal data in which the Labour Party is the data controller is expressly prohibited. Any unauthorised sharing of Labour Party data is classified as a data breach which we will record and report to the ICO as required.
How long will we keep your personal data?
We will only keep personal information for as long as it is needed to fulfil the purpose for which it was collected. This is most likely to be calculated as seven (7) years after your service has ended, although it may be longer if there are legal or political circumstances which mean we need to keep your personal data for longer.
What are your rights and how can you express them?
To understand your data privacy rights and to submit a rights request, the best way to do so is by visiting the ‘YOUR RIGHTS’ page on our website which you can get to by clicking here.
How can you complain about our use of your personal data?
The best way to make a complaint is by visiting our page on ‘HOW TO MAKE A DATA PROTECTION COMPLAINT’ which you can access by clicking here.
How can you contact us about this privacy notice?
If you have any questions about the information in this privacy notice, then you can contact the Data Protection Team via email using [email protected] or by post within a letter to:
Labour Statutory Data Protection Officer
The Labour Party, Southworks, 20 Rushworth Street, United Kingdom, SE1 0SS
When was this privacy notice last updated?
We may update this notice (and any supplemental privacy notice), from time to time as shown below. We will notify you of the changes where required by applicable law to do so.