Skip to main content

How we will handle any personal data you provide in relation to procurement processes.

First published:
17 July 2019
Last updated:

Welsh Government manages procurement activities to undertake public tasks. The procurement activities could include:

  • tenders/request for quotes
  • evaluations/selection
  • contract award
  • contract management.

Personal information that individuals, organisations and suppliers submit to the Welsh Government, including that requested in relation to officials, when responding to activities throughout the procurement process could be communicated in a number of ways. This could include but may not be limited to: Sell2Wales, eProcurement tools, email, paper and verbally.

The personal information submitted as part of the procurement process, or which we have collected from publically available sources, may include but may not be limited to:

  • name
  • home/business address including postcode
  • email address
  • driving license number
  • passport/ID card number
  • photograph
  • personal financial information
  • National Insurance number
  • tax/benefits/pension records
  • employment records (including self-employed and voluntary work)
  • educational record
  • criminal and court records (including alleged offences).

The Welsh Government will be Data Controller for any personal data you provide in relation to your tender, quote, contract management activities (including invoicing, payments and debt management). The information will be processed as part of our public task; i.e. exercising our official authority to undertake the core role and functions of the Welsh Government in relation to procurement and or contract management activity.

During the procurement process, Welsh Government and fraud prevention agencies, may use this information, including any personal data, to prevent fraud and money laundering, and to verify your identity. We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime. Fraud prevention agencies can hold your personal data for different periods of time, depending on how that data is being used. Please contact them for more information. If you or your company are considered to pose a fraud or money laundering risk, your data can be held by fraud prevention agencies for up to 6 years from its receipt.

If Welsh Government, or a fraud prevention agency, determines that you pose a fraud or money laundering risk, we may refuse to award a contract you applied for, or we may suspend or terminate an existing contact with you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing, awarding contracts or providing employment to you.

Data may be shared by the Welsh Government in relation to collaborative procurements to undertake tender evaluation, or to allow Welsh public sector organisations to undertake purchasing requirements under existing contractual arrangements. An example of this may be a catalogue of products or services where the account managers’ details are provided or for services accreditations/training etc of an individual who may be used to complete a project or deliver a service.

The organisations include but are not limited to:

  • local authorities (including schools)
  • health
  • Police
  • Fire & Rescue
  • universities
  • colleges
  • sponsored bodies (such as Natural Resources Wales)
  • housing sector, etc

Welsh Government’s spend information and supplier contact details are submitted to the Welsh Government’s spend analysis provider to assist with the delivery of reporting services.

Spend data is provided to the spend analysis provider by public sector organisations. The Welsh Government uses this data for the purposes of spend analysis, reporting, and project/ service delivery.

In addition, information will be shared and or input into the Welsh Government Enterprise Resource Planning tool (SAP) managed by the shared service centre.

We will keep personal information contained in files in line with our retention policy. Your personal data may be kept for 6 years (or up to 15 years for major projects) after the contract/framework end date, (this includes call-off contracts under framework/master services agreements (MSA) which may continue beyond the framework/MSA end date) and all payments have been made. Financial data may be required to be retained for 7 years. If you are unsuccessful with respect to a tender, or quotation, or expression of interest, your details may be kept for 6 years after the contract/framework end date for which you provided them, for audit purposes.

In addition, the Commercial Procurement Directorate maintains a stakeholder database which it will use to communicate key information which it believes will be of interest to its stakeholders via email.

Under the data protection legislation, you have the right:

  • to access the personal data the Welsh Government holds on you
  • require us to rectify inaccuracies in that data
  • to (in certain circumstances) object to or restrict processing
  • for (in certain circumstances) your data to be ‘erased’
  • to lodge a complaint with the Information Commissioner’s Office (ICO) who is the independent regulator for data protection

For further details about the information the Welsh Government holds and its use, or if you want to exercise your rights under the GDPR, please see contact details below:

Data Protection Officer
Welsh Government
Cathays Park
CF10 3NQ

Email Address:

The contact details for the Information Commissioner’s Office are:

Wycliffe House
Water Lane

Telephone: 01625 545 745 or 0303 123 1113