1. Introduction
This Supplier Privacy Notice (or fair processing notice) has been issued by VIVO Defence Services Limited (hereafter "VIVO", "us", "we" or "our"), in order to help you understand how VIVO collects, uses, discloses, and safeguards the personal information of our suppliers and/or their personnel.
VIVO is deeply committed to protecting the personal data of our customers, suppliers and other external stakeholders and maintaining the privacy of those whose information we handle in the course of our business is one of the key principles in our Code of Conduct.
The purpose of this document is to notify our suppliers and/or their personnel of the following:
- The type of personal data which we will collect;
- The manner in which we will collect that personal data;
- The reason why we need to collect that personal data;
- How we will keep your personal data secure;
- Who we may share your personal data with; and
- How long we will retain your personal data.
2. What type of Personal Data will we collect?
In order to manage our ongoing relationship with our supply chain, it may be necessary for us to collect and use the following personal information about you:
- Personal Details: title, full name, date of birth, e-mail address, visual images, and personal appearance.
- Employment and Business Details: industry, job role, business activities, employer, work contact details, details of services/products provided, the terms and conditions of your contract.
- Financial Information: transaction history and details, bank details and account numbers, invoice details.
- Security Checks: results from due diligence and security checks.
- Incident History: health and safety accidents, security incidents, accident information, complaints communications, insurance claims history.
- IT Details: where you have been provided with VIVO equipment, information about the browser or device you used and the date and time you accessed our IT systems
Special Category and Sensitive Data
Subject to the below paragraph, we will not intentionally or systematically seek to collect, store, or otherwise use information about you classed as ‘special categories of data' or 'sensitive data' (for example, information relating to your ethnic origin, health or sexual orientation, criminal history).
In certain instances, we are required to undertake supplier due diligence to ensure that we are able to comply with our legal obligations (including our anti-money laundering and anti-bribery obligations). In undertaking such supplier due diligence, we may process information relating to any criminal convictions which you have. We undertake our supplier due diligence as it is necessary to allow us to meet our corporate ethics standards and regulatory requirements to unlawful acts and dishonesty.
3. How will we collect your Personal Data?
We collect information directly from you in various ways, including, over the phone, via email, in person and otherwise in writing.
We may also receive information about you from third parties, including from: your employer, the providers of our due diligence checks when onboarding a business, our security checks team when providers personnel require access to VIVO or customers IT systems.
We may collect your data via our IT systems or when you log on to our procurement systems.
Personal data may also be created by us, such as records of your communications with us.
4. Why do we collect your Personal Data?
The purposes for which we may use your personal data referred to above and the legal basis on which we may perform such processing are set out below:
Where necessary to fulfil a contract, or take steps linked to a contract:
- To confirm details in order to purchase goods and service on behalf of VIVO;
- To pay you for your goods and service.
- For purposes which are required by law:
- In response to requests from government law enforcement authorities conducting an investigation.
- Screening for financial and other sanctions or embargoes.
- Other processing necessary to comply with professional, legal, and regulatory obligations that apply to our business e.g. in the framework of money laundering regulations, tax control and reporting obligations.
Where necessary for VIVO’s legitimate interests or those of a third party and those interests are not overridden by your data protection rights, such as:
- To manage and facilitate the provision of products and/or services.
- To contact you and manage any enquiries, complaints, and feedback.
- To undertake due diligence on all suppliers, which will include the details of directors, for risk management.
- For security checks of relevant supplier personnel to allow access to Customer and VIVO IT systems.
- For accounting and auditing purposes.
- To monitor compliance with business policies including the Supplier Code of Conduct.
- To support business and administrative functions.
- For risk management purposes.
- For security and safety purposes.
- For staff training purposes.
- For business management and analysis purposes.
- To monitor supplier accounts to prevent, investigate and/or report fraud, misrepresentation, security incidents or crime, in accordance with applicable law.
- To protect our legal rights and manage the security of our networks and property.
- In connection with a business transaction such as merger, restructuring or sale of the business.
- In connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation).
5. How will we keep your personal data secure?
VIVO takes precautions including administrative, technical, and physical measures to safeguard your personal information, including documented employee procedures, internal monitoring, and training to help ensure that your information is protected and secure. Our employees and contractors are bound by confidentiality obligations and we only allow access to employees and those contractors who need it to conduct their business responsibilities.
6. Who will we share your Personal Data with?
We will only disclose personal information to a third party in limited circumstances, including where the third party is providing a service to us as a data processor or where we are permitted to do so by law. The third parties we may share your personal data with include:
- other organisations within our shareholders’ group of companies, where such disclosure is necessary for our business;
- third parties who help manage our business and deliver services (e.g. debt collectors, IT suppliers, suppliers of procurement management services, communication platform providers) or our professional advisors (e.g. law firms, insurers, auditors); and
- Government, regulatory and law enforcement bodies as required.
We may transfer your personal data from one supplier to another as part of service migration where we change providers for a particular service, for example, if we change our supplier of procurement management services.
Less commonly, we may process and share your personal data with third parties where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent.
VIVO may share personal information with other companies within our shareholders’ Group companies located outside the European Economic Area, but we will take all reasonable steps to ensure such transfers are covered by our intra-group data sharing agreement entered into by relevant entities.
In the event that we do transfer your Personal data outside of the European Economic Area, we shall only do so in accordance with relevant Data Protection legislation.
7. How long will you retain my Personal Data for?
We will store your personal information for as long as is reasonably necessary for the purposes set out in this Privacy Notice, including where we maintain an ongoing relationship you. We are required by law (for the purpose of complying with regulatory, tax, accounting requirements etc.) to retain certain information for a period of time following the expiry of our business relationship with you.
Generally, we will retain your personal data for as long as is necessary in order to achieve the purposes for which the Personal Data was obtained. For example, we may store your personal information so that we have an accurate record of your dealings with us in the event of any complaints or challenges or where we reasonably believe there is a prospect of litigation relating to your personal information or dealings. When no longer necessary to retain your personal information, we will delete or anonymise it.
8. Your Legal Rights
You have certain legal rights in relation to your personal information. For further details about these rights and how you may exercise them, or if you would like further information about the way we handle your Personal Data please contact [email protected].
We would be happy to address any concerns you have about your data privacy directly, and we encourage you to contact us in the first instance with your queries. However, you have a right to lodge a complaint with the Information Commissioner’s Office (https://ico.org.uk/concerns/ or telephone: 0303 123 1113) or other relevant supervisory authority who will then investigate your complaint accordingly.
9. Changes To This Supplier Privacy Notice
This Supplier Privacy Notice was updated in February 2022. We may amend this Supplier Privacy Notice from time to time to keep it up to date with legal requirements and the way we operate our business. Please regularly check our website for the latest version of this Supplier Privacy Notice. On some occasions, we may also actively advise you of specific data handling activities or significant change to this Supplier Privacy Notice as required by applicable law.