Winning Tenders' Data Privacy Policy

This policy explains how Winning Tenders Limited (The Company) collects, uses, stores and disposes of personal data
in line with the requirements of the General Data Protection Regulation (EU) 2016/679, generally referred to as GDPR.
GDPR is EU legislation, effective from May 25th, 2018, that sets guidelines for the way personal data is handled and
processed and for the responsibilities of the data controller and data processors handling the data.

As defined by the ICO (the Information Commissioner’s Office), a data controller determines the purposes and means of
processing personal data. A data processor is responsible for processing personal data on behalf of a controller.

What do we mean by personal data?

Personal data means details which can identify an individual or could be used to identify an individual, such as a name,
contact details or address.

What personal data does The Company hold?

The Company holds the following types of data:

▪ Personal information of customers, suppliers and third parties who work with us or handle services or products to
and from us. This includes contact numbers and email addresses.
▪ Names and contact details, including email addresses, for individuals who have registered to receive marketing
material, such as our email newsletter.
▪ Brief special category data. This data may include an individual’s name, telephone number and / or email

How does the Company receive and collect data?

▪ Data controllers, third parties and people who work with us: Provided to us either at the time of opening an
account with The Company, or to update us about relevant changes and additions, as well as orders and
instructions to supply products and services.
▪ Marketing: Collated through events, exhibitions, meetings, online newsletters and social media where each
individual’s consent has been received. Individuals can opt out, deregister or be anonymised or
made invisible at any point.
▪ Individuals (general public): Provided directly by the individual or via an employer, legal entity, therapist or
other healthcare professional with the data subject’s consent.

What lawful basis does the Company use to process data?

The Company processes data where the data subject or relevant company / body has given consent, or where
processing is required for the performance of a contract or transaction.

Who does the Company share data with?

The Company sometimes needs to share personal data with buying organisations or commissioners to whom we are
submitting tender responses on behalf of the client.

Subject Access Request

The Company recognises that all data subjects have the right to know what data The Company holds, stores,
shares and processes about them, as set out in Article 15 (Right of access by the data subject) of GDPR. Data subjects are
entitled only to information about themselves and not about others. A request can be made verbally or in writing. The
Company will identify and act on the request within one month of receipt, as set out in the GDPR guidelines.
However, if The Company feels that the individual’s request is uncorroborated, The Company reserves the right to
refuse or to charge accordingly. If a request is refused, The Company will explain to the individual why and inform
them that they have the right to appeal to the Managing Director.

Individual’s Rights

The Company understands that the individual has the following rights with regard to any personal data that is stored
about them:

▪ The right to be informed.
▪ The right to access.
▪ The right to rectification.
▪ The right to erasure.
▪ The right to restrict processing.
▪ The right to data portability.
▪ The right to object.
▪ The right not to be subject to automated decision-making including profiling.

Data Security and Retention

The Company systems and devices are monitored and backed up continuously. All emails are encrypted (TLS) and any
sensitive attachments have been replaced with a secure storage system providing individual document access via
secure hyperlink. All employees receive training to reduce the possible risks involved in handling personal data and to
ensure all data is handled in a secure environment.

The Company holds personal data for seven years unless there is a requirement to do otherwise. If disposal of the
personal data is requested, The Company will act upon the request accordingly.

Data Breaches

The Company understands the importance of, and needs to identify, assess and respond to a breach (within 72

Cookies / Website

The Company uses cookies to track visitor behavior patterns on our website. However, cookies can be restricted or
blocked at any point by individuals in the internet settings on their device. Please note that, if all cookies are blocked,
this may impact the functionality of the website. The Company also uses Google Analytics which collects anonymous
information about how individuals use our website. This particular information is used to help us monitor and
improve our site. All of the information mentioned is anonymous and cannot be linked with a specific individual.


The Company has a complaints procedure in place to ensure that all complaints are addressed and resolved effectively
in an adequate timescale. Complaints can be received verbally in person or by phone, or in writing by email or post.
The complaint will then be passed to the relevant Department Manager and / or Managing Director to action

Registration with ICO

The Company is registered with the Information Commissioner’s Office (ICO) and you can view our registration by
visiting the ICO website at and entering the following reference number: C1368167

Data Protection Officer

The Company has appointed a Data Protection Officer (DPO). The DPO is Managing Director, Philip Norman, and can
be contacted on

Request our services


Queensgate House, 48 Queen Street, Exeter, Devon, EX4 3SR. 

01392 247997 or
