For the purpose of the Data Protection Act 2018 (which enshrines the General Data Protection Regulation in British law), the data controller is Commerce Decisions Limited of 101 Park Drive, Milton Park, Oxfordshire OX14 4RY.
We value your privacy and are committed to protecting and processing your personal information responsibly.
This privacy statement describes how Commerce Decisions Limited (including our subsidiaries, Commerce Decisions Pty Ltd and Commerce Decisions Canada Inc) collects, uses and shares your information.
We may provide additional data privacy information by using a supplementary privacy notice.
This section describes the various types of information that we collect and how we use it.
Your AWARD® Account
Your name and email address are required in order to access your AWARD® account.
Our website offers ways to communicate with you about us, our products, and services. The information that we collect on websites is used to provide you with access to the website, to operate the website, to improve your experience, and to personalize the way that information is provided to you.
You may also sign up via our website to receive regular updates from us by email.
We use the information that we collect to communicate with you about relevant products, services, and offerings. We also use this information to personalize your experience with our content and advertisements, and to develop internal marketing and business intelligence. To set or update your marketing communications preferences, please visit the Commerce Decisions Preference Centre. You may also select the Unsubscribe option that appears at the bottom of each marketing email.
A contractual relationship is created when you order a trial, or a product or service from us. While we mainly provide our products and services to businesses, individuals may also enter into an agreement with us directly as a client. We may collect any information that is reasonably necessary to prepare for, enter, and fulfil, the contractual agreement.
When you contact us to request support, we collect your contact information, problem description, and possible resolutions. We record the information that is provided to handle the support query, for administrative purposes, to foster our relationship with you, for staff training, and for quality assurance purposes. We use 3rd Party applications, Freshdesk and Absorb LMS, to provide extended support to our clients – contracts include
AWARD® Knowledgebase and Learning Management System
Our cloud and online services include Knowledgebase and LMS. We collect information about the use of these services, such as pages you view or your interactions on that page, to improve and develop our services and to generate technical and market insights.
We may collect and use information to protect you and Commerce Decisions from IT security threats and to secure the information that we hold from unauthorized access, disclosure, alteration, or destruction. This includes information from our IT access authorization systems, such as log-in information.
When you visit a Commerce Decisions location, or we visit you, we collect your name or business contact information. This information is collected for access management and to protect the security and safety of our locations and employees.
Recruitment and Former Employees
We are constantly searching for new talent for our organization, and we collect information about job applicants or prospective candidates from several sources. CVs from applicants who are not hired are removed from our systems immediately.
When an employee leaves Commerce Decisions, we continue to process information that is related to them for any remaining business, contractual, employment, legal, and fiscal purposes, including the management of pensions to the extent handled by Commerce Decisions.
Cookies and Similar Technologies
When you visit our website and online software and support services, we collect information regarding your connection by using various online tracking technologies, such as cookies. Information that is collected with these technologies may be necessary to operate the website or service, to improve performance, to help us understand how our online services are used, or to determine the interests of our users.
GENERAL DATA PROTECTION REGULATION (GDPR) COMMITMENT STATEMENT
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It has replaced the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.
Commerce Decisions complies with applicable GDPR regulations as a data processor and is fully committed to high standards of information security, privacy and transparency. Our success is dependent on our customers’ and partners’ ability to trust in the high priority we place on protecting and managing data in accordance with rigorous standards. We are an ISO/IEC 27001-certified organisation, and have successfully maintained this standard since 2014. We also hold the Cyber Essentials Plus certification. These standards demand a high level of information and technical security, recognising the important role we play in sensitive, strategic procurement programmes in both the public and private sectors.
PROCESSING OF DATA BY COMMERCE DECISIONS
Commerce Decisions is a Data Processor:
Commerce Decisions is registered with the Information Commissioner’s Office (ICO) to comply with the Data Protection Act. (Note: the new Data Protection Act 2018 incorporates all the provisions of GDPR.) We treat our customers as the Data Controllers and ourselves as Data Processors under the definition of the Act.
Our customers own the data they load into AWARD® and are the Data Controllers for this data, i.e. our customers control what happens to their data in AWARD®. Commerce Decisions processes the data on behalf of our customers, but does not own or control the data. The only data controlled by Commerce Decisions are AWARD® user login details (see below: ‘Personal data held in AWARD®’).
Sub-contractor to a prime
Where Commerce Decisions is a sub-contractor to a prime contractor under the GCloud or any other contract or framework, Commerce Decisions is a sub-processor to the prime and as such takes on the GDPR obligations as stated in the contract.
PROCESSING OF DATA IN AWARD®
Personal data held in AWARD®
Commerce Decisions does not hold or process any sensitive personal data other than names and email addresses, which are required to log in to the system. AWARD® also contains audit trails which define the actions of its users.
The data that our clients input and store in AWARD® may contain personal information. In this case, the client is the data controller and owns the data in AWARD®. The client is responsible for its retention/deletion as appropriate.
Duration of the processing:
For the duration of the licence period. Please also note that project data is retained in read-only format for a period of 7 years following contract end unless otherwise agreed.
Nature and purposes of the Processing:
Email addresses are required for secure access to the AWARD® service.
Names and email addresses of primary users/contract owners (as notified to Commerce Decisions) are also logged in our CRM system in order to provide AWARD® service updates where appropriate.
Personally Identifiable Information (PII) data is collected exclusively for the execution of all the activities related to the AWARD® platform. In the Commerce Decisions business context, PII may be included in bidder/supplier bids/data uploaded into AWARD®.
Type of Personal Data:
Name and email address.
Categories of Data Subject:
Users of the AWARD® service
Plan for return or destruction of the data once the Processing is complete UNLESS there is a requirement under union or member state law to preserve that type of data:
Personal data as outlined above will be retained in an archive of the organisation/project data for a period of 7 years following contract end, or as otherwise outlined in the contract or subsequently requested by the client. The client can request the extraction of the exportable data stored within its AWARD® instance, or an extension to the audit/read-only access licence. Following the data extraction, if requested, all customer data will be destroyed; noting that data that is stored as a result of DR back-ups will be subject to destruction in due course, but is not accessible in the ordinary course of business. Both options are chargeable – please contact your Account Manager for further details.
We only retain personal information as long as necessary to fulfill the purposes for which it is processed, or to comply with legal and regulatory retention requirements. Legal and regulatory retention requirements may include retaining information for:
- client contractual purposes,
- audit and accounting purposes,
- statutory retention terms,
- the handling of disputes,
- and the establishment, exercise, or defence of legal claims in the countries where we do business.
When personal information is no longer needed, we have processes in place to securely delete it, for example by erasing electronic files and shredding physical records.