Skip to content

Privacy Policy

The Association of North East Councils Limited trading as the North East Procurement Organisation ("NEPO", "We") is committed to protecting and respecting your privacy.

This policy (together with our website terms and conditions of use, cookie policy and any other documents referred to) sets out the basis on which any Personal Data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your Personal Data and how we will treat it.

1. Key Terms

Some of the key terms used in this policy are as follows:

 

Controller

the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the UK GDPR.

Data Subject

is a term used in data protection legislation – it means the individual to whom the Personal Data relates. For simplicity, in this policy, we sometimes refer to these people as an ‘individual’.

Personal Data

information (in any format) that relates to a living individual who can be identified from that information, either on its own or when it is combined with other information held by us. Personal Data includes identifiers, such as user names and IP addresses.

Personal Data Breach

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Process or Processing

any use of, or activity carried out in relation to, Personal Data, including collecting, recording, organising, storing, retrieving, altering, using, disclosing and destroying Personal Data.

Processor

a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

Special Category Personal Data

Personal Data revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.

UK GDPR

means the European General Data Protection Legislation as it has been incorporated into the laws of England and Wales, Scotland and Northern Ireland.

2. Important information and who we are

The Controller is:
The Association of North East Councils Limited, trading as the North East Procurement Organisation
Sunderland City Council 
City Hall 
Plater Way 
Sunderland
SR1 3AA 

Our Data Protection Officer is:
Sunderland City Council 
City Hall
Plater Way
Sunderland
SR1 3AA
Nick.Humphreys@sunderland.gov.uk


You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

We keep our Privacy Policy under regular review. This version was last updated in April 2024. Historic versions can be obtained by contacting us. 

Our website www.nepro.org.uk may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave the website, we encourage you to read the privacy policy of every website you visit.

3. The data we collect about you

Personal Data, or personal information, means any information about an individual from which that person can be identified either on its own or when used together with other information.

We may collect, use, store and transfer different kinds of Personal Data about you in connection with our services and website which we have grouped together as follows:

  • Identity Data: first name, last name, username or similar identifier title
  • Contact Information: organisation's name, role, e-mail address, and postal address and telephone numbers, type of business e.g. SME and areas of interest
  • Log in information: username and password.
  • Marketing preferences: details of your marketing preferences.
  • Participation details: We may also ask you for information (such as additional contact information) in connection with or participation in any procurement activities facilitated by us and/or any third party, and you may also provide information when giving us feedback or completing profile forms and when you report a problem with our website and/or services.
  • Other information from your interaction with our website, services, content and advertising (to the extent that it constitutes Personal Data): including computer and connection information, statistics on page views, traffic to and from the site, ad data, IP address and standard web log information.
  • Details of correspondence: if you contact us, we may keep a record of that correspondence.
  • Technical information (to the extent that it constitute Personal Data): details of your visits to our website including, but not limited to, traffic data, location data, internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, weblogs and other communication data, whether this is required for our own purposes or otherwise and the resources that you access and other technology on the devices you use to access this website. (please see below for more details regarding cookies).
  • Financial Information: credit scoring information
  • Information we receive from other sources: We may receive information about you if you use any of the other websites we operate or the other services we provide. In this case we will have informed you when we collected that data that it may be shared internally and combined with data collected on this site. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical services, advertising networks, analytics providers, search information providers,) and may receive information about you from them.

 

We may also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this privacy policy.

We do not collect any Special Category Personal Data about you. Nor do we collect any information about criminal convictions and offences.

Where we need to collect Personal Data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. We will notify you if this is the case at the time.

Cookies

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them see our cookies policy.

4. How is your Personal Data collected?

We use different methods to collect Personal Data from and about you including through:

  • Direct interactions.You may give us your identity and contact information by filling in forms on our website. This includes, but is not limited to, Personal Data you provide when you submit information to the website or give us feedback or contact us.
  • Automated technologies or interactions.As you interact with the our website, we will automatically collect technical data about your equipment, browsing actions and patterns. We collect this Personal Data by using cookies and other similar technologies. Please see our cookie policy for further details.
  • Third parties or publicly available sources.We work closely with third parties (including, for example, business partners, sub-contractors in technical services, advertising networks, analytics providers, search information providers,) and may receive information about you from them. More specifically, we may receive Personal Data about you from third parties as set out below:
  • Technical data (such as analytics) from Google (based outside the UK);
  • Contact information from Companies House;
  • Financial and risk data from Creditsafe or similar credit agencies;
  • Contact information and participation details from local authorities participating in tender processes;
  • Participation and contracts awarded; and
  • Contract award notification including Contracts Finder.

In certain circumstances we may act as a Processor when we process Personal Data obtained from a third party, as opposed to a Controller. In those circumstances we will be processing the Personal Data on the third party's behalf in accordance with their instructions, and the third party's Privacy Policy will apply.

We only receive Personal Data from third parties where it is necessary for us to do so. Any third parties who share Personal Data with us or each other are expected to obtain all necessary consents from, and to provide all necessary fair processing information to, the Data Subjects of the Personal Data, in each case to enable us and each other to lawfully process the Personal Data.

5. How we use your Personal Data

It is necessary for the services and website that we use and store Personal Data. We are committed to the privacy of every individual who visits our website or engages with our services. We are also committed to transparency about how we use Personal Data and informing people of their rights in relation to the use and storage of Personal Data. More information about your rights is available at the end of this policy. We use your Personal Data for a variety of different purposes during the course of us providing our services and the website. The main purposes for which we use your Personal Data are set out below. Under data protection law, we can only use your Personal Data if we have a legal basis to do so. Examples of where we have a legal basis to process your Personal Data include when:

  • we have your consent;
  • it is necessary to enter into or perform a contract we have with you (or to take steps at your request prior to entering into that contract);
  • it is necessary to comply with a legal obligation; or
  • it is in our legitimate interests to process your Personal Data.

We have set out below, in a table format, a description of the main purposes for which we plan to use your Personal Data in connection with our services and website and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your Personal Data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your Personal Data where more than one ground has been set out in the table below.

 

Purpose / Activity

Lawful basis for processing including basis of legitimate interest

Sending you marketing communications

 

Consent

Manage our relationship with you (including handling any complaints or queries you might make)

Performance of a contract with you

Necessary for our legitimate interests (for running our business)

 

Inform you of events or updates you have asked for or contact you if we need to obtain or provide additional information.

 

Performance of a contract with you

Necessary for our legitimate interests (for running our business)

Maintaining our own accounts and records

Performance of a contract with you

Necessary for our legitimate interests (for running our business)

 

Supporting and managing our staff

Necessary for our legitimate interests (for running our business)

Fulfilling our legal obligations and exercising our legal rights (including legal proceedings)

 

Necessary to comply with legal obligations

Contacting you with important information relating to products, services or promotions, reminding you of an upcoming event or letting you know about changes that may affect you

 

Performance of a contract with you

Consent

Necessary for our legitimate interests (for running our business)

 

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

6. Disclosure of your Personal Data

We will only disclose any Personal Data for the purposes described above to the following organisations:

  • Third parties who use our services and/or systems (such as local authorities and suppliers);
  • Bloom Procurement Services Limited as part of the provision of NEPRO services;
  • The Procurement Partnership Limited and other procurement buying organisations;
  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this privacy policy; and
  • Regulators such as the Advertising Standards Authority and HM Revenue & Customs.

We may also disclose Personal Data:

  • to others in your organisation for the purposes of administering, consolidating and linking accounts to help us efficiently provide you with our procurement solution;
  • in order to enforce or apply our terms of use and other agreements; and/or
  • to protect the rights, property, or safety of NEPO, our customers, or others.

When we work with third party organisations we require them to comply with data protection law and our security requirements. This is detailed in the contracts we have with them.

7. International transfers

We might transfer your Personal Data to places outside the UK and store it there where we or organisations we work with might process it. Whenever we transfer your Personal Data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your Personal Data:
  • to countries that have been deemed by the UK government to provide an adequate level of protection for Personal Data;
  • where there are adequate safeguards in place. For example, where we use specific contracts approved for use in the UK which give Personal Data adequate protection; or 
  • the transfer is otherwise permitted by data protection law.

For further information about these transfers and the safeguards in place (including to obtain a copy of any documents in place), please contact us using the details at paragraph 3 above.

 

8. Data Security

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected Personal Data Breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your data transmitted to us, and any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

9. How long we store Personal Data

We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

To help us operate our website and services, and meet our legal obligations, our standard data retention period is 6 years from the date on which our contractual relationship with you ends in respect of data relating to standard contracts, and 12 years from the date on which our contractual relationship with you ends in respect of data relating to deeds.

10. Your rights

Under certain circumstances, you have the following rights under data protection laws in relation to your Personal Data:

  • The right to access any Personal Data relating to you which we use or hold.
  • The right to object to any use of Personal Data relating to you which is carried out on the ground of legitimate interests.
  • The right to withdraw your consent to the use or storage of Personal Data relating to you where the ground for the use or storage is your consent. The withdrawal of consent will not affect any use or storage of Personal Data relating to you which was based on consent before it was withdrawn.
  • The right to erasure of Personal Data relating to you that we use or hold (only in some circumstances).
  • The right of data portability.
  • The right to have Personal Data relating to you rectified if it is inaccurate.
  • The right to have Personal Data relating to you restricted or blocked from being used or stored.

 

Please be aware that these rights are not always absolute and there may be some situations in which you cannot exercise them or they are not relevant. To help you understand these rights, please visit the ICO's website.

If you wish to exercise any of the rights set out above, please contact us using the details set out above.

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.