Last updated: 6 March 2019
The Digital Marketplace is built and run by the Cabinet Office.
Cabinet Office is the data controller. A data controller determines how and why personal data can be processed. Read the Cabinet Office’s entry in the Data Protection Public Register for more information.
What data we collect from you
We collect several pieces of personal data from our users. These are:
- email addresses, phone number and address
- company name and contact information (suppliers only)
We use this data when you create a user account to buy or sell digital services.
Your email address and contact details
When you give us your email we will only use it so that you can:
- sign in securely
- be contacted about a particular contract, application or brief
- receive updates from a mailing list you’ve subscribed to (for example if you’ve asked to be notified when a new framework opens)
Your company information
If you register as a supplier on the Digital Marketplace, you need to provide us with several pieces of data, including your company contact information. We use that data to:
- inform buyers who they can get in touch with at your company
- register a company on a framework to sell services
- update you on the status of your applications to frameworks or briefs
You will always be told if the personal data you provide is going to be displayed on the Digital Marketplace.
Information about criminal convictions and company directors
We’ll ask you if you have any criminal convictions.
If you’re a supplier applying to join a framework we’ll also ask if your company director has been:
- convicted of bribery
- declared bankrupt within the last 5 years
We use this information to help make a decision about your application.
The legal basis for processing this data is because it is ‘necessary for reasons of substantial public interest for the exercise of a function of a government department’ (Article 6 of The General Data Protection Regulation (GDPR)). This means we’re legally allowed to process this data because it’s in the public interest that government checks this information about suppliers.
Cookies and analytics
What we do with your data
Digital Marketplace staff have access to the data they need to manage the live services or frameworks, and make sure spend data is collected correctly.
We will not:
- sell or rent your data to third parties
- share your data with third parties for marketing purposes
We will share your data if we’re required to do so by law – for example, by court order, or to prevent fraud or other crime.
We’ll also share your data with our IT suppliers who provide notification and mailing list management services.
Giving feedback about the Digital Marketplace
You may be asked to provide feedback or take part in research about the Digital Marketplace. We use this data to improve our systems.
The legal basis for processing this data is because you give your consent.
How long we keep your data
We’ll store your data in our database for as long as you have an active account on the Digital Marketplace.
If your account becomes inactive
If your account becomes inactive, we’ll keep any data related to a framework agreement for 7 years.
Any data not related to a framework agreement, for example your email address or password, will be deleted after 3 years. If you prefer, you can ask us to delete this information earlier.
Where your data is processed and stored
Your personal data may be transferred outside the European Economic Area (EEA). If this happens, we’ll use the the US Privacy Shield scheme to make sure that you’re given the same level of legal protection as within the EEA.
How we protect your data and keep it secure
We’re committed to doing all that we can to keep your data secure.
We set up systems and processes to prevent unauthorised access to or disclosure of the data we collect about you – for example, we protect your data using varying levels of encryption.
All third parties that process personal data for Cabinet Office are required to keep that data secure.
Children’s privacy protection
The Digital Marketplace is not designed for, or intentionally targeted at, children 13 years of age or younger. It is not our policy to intentionally collect or maintain data about anyone under the age of 13.
You have the right to:
- ask for information about how your personal data is processed
- ask for a copy of all the personal data you’ve given to us - this copy will be provided in a structured, commonly used and machine-readable format
- ask for any mistakes in your personal data to be corrected
- ask for your personal data to be erased if we no longer need to hold it
- raise an objection about how your personal data is processed
- ask that we only process your data in certain circumstances
If your personal data is processed on the basis of consent, you can withdraw your consent at any time.
Questions and complaints
Contact the GDS Privacy Team if you:
- have any questions about anything in this notice
- think that your personal data has been misused or mishandled
- want to make a subject access request
You can also contact The Data Protection Officer (DPO) if you have any concerns about how your personal data has been handled. The DPO gives advice and monitors Cabinet Office’s use of personal information.
- Data Protection Officer
- Cabinet Office
- 70 Whitehall
London SW1A 2AS
Making a complaint to an independent body
You can also complain to the Information Commissioner (an independent regulator) for example if your complaint is not resolved by GDS or the DPO.
Information Commissioner (ICO)
- Information Commissioner’s Office
- Wycliffe House
- Water Lane
- Cheshire SK9 5AF
Changes to this notice
We may modify or amend this privacy notice at any time. Any modification or amendment to this privacy notice will be applied to your data immediately. We encourage you to review this privacy notice regularly to stay informed about how we’re protecting your data.