Brasenose College Finance, Commercial, Supplier and Related Administration Privacy Notice (v1.4)

Brasenose College is committed to protecting the privacy and security of personal data.

This notice applies to anyone whose personal data is processed by Brasenose College as a supplier or contractor, or in connection with property transactions, for accounting, administrative and similar purposes.

Separate privacy notices covering staff, students and others’ data (including website users) are available at:
https://www.bnc.ox.ac.uk/privacypolicies

This notice explains what personal data Brasenose College holds about you, how we use it internally, how we share it, how long we keep it and what your legal rights are in relation to it.

For data that you supply to us, this notice explains the basis on which you are required or requested to provide it. For data we generate or receive from others, it explains the source.

“Personal data” is information relating to you as a living, identifiable individual. “Processing” means collecting, recording, organising, using, disclosing, storing or deleting data.

Data protection law requires us:

• To process your data lawfully, fairly and transparently;
• To collect your data only for explicit and legitimate purposes;
• To ensure the data collected is relevant and limited to those purposes;
• To keep your data accurate and up to date;
• To retain your data only as long as necessary; and
• To use appropriate security measures to protect your data.

The Data Protection Officer
Brasenose College
Radcliffe Square
Oxford OX1 4AJ
data.protection@bnc.ox.ac.uk

In most cases, the data you provide will be a necessary requirement of your transaction with the College. If you do not provide such data, we will be unable to process the transaction.

Apart from the data you provide, we may also process data we generate or receive from third parties (for example, banks providing details when payments are made or received).

• Where it is necessary for performance of our contract with you;
• Where it is necessary to take steps at your request prior to entering a contract;
• Where it is necessary for our legitimate interests (or those of a third party) and your rights do not override those interests;
• Where necessary to comply with a legal obligation; and
• In emergencies, where it is necessary to protect your or another person’s vital interests.

“Special categories” of particularly sensitive personal data require higher levels of protection. These include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, or data concerning sex life or orientation.

We may process such data where:

• We have your explicit written consent;
• It is necessary in the substantial public interest (e.g. for prevention or detection of unlawful acts, or equal opportunities monitoring);
• It is necessary for archiving, research or statistical purposes under legal safeguards.

Less commonly, we may process this type of data in relation to legal claims, to protect vital interests, or where you have made the information public.

We may process such data on the same grounds as those identified for special category data.

Our detailed Record of Processing Activities (ROPA) explains our processing purposes, data sources, retention periods, and lawful bases. It can be found at:
https://www.bnc.ox.ac.uk/privacypolicies

Examples include:

• Contractor and supplier selection: Data about the quality and value of work or products. Lawful basis: legitimate interest in engaging suitable suppliers and contractors.
• Title documents, contracts, transfers and leases: Lawful basis: performance of contract (if you are a contracting party); otherwise, legitimate interest in managing College property.
• Legal or statutory compliance: Data in connection with legal advice, claims, audits, or compliance with legislation (e.g. safeguarding, health and safety, counter-terrorism, data protection, FOI requests).

We do not sell your data. We will only share it with third parties if required or permitted by law (e.g. reporting suspected criminal misconduct to the police).

Third-party service providers must comply with our data protection and security policies and process data only under our instructions. They may not use it for their own purposes.

Details of data recipients are listed in the Brasenose Data Sharing table:
https://www.bnc.ox.ac.uk/privacypolicies

Personal data may flow between the UK and EEA without additional measures. Transfers outside these areas will only occur under adequacy decisions, legal safeguards, or if necessary to perform or prepare a contract with you.

We do not make decisions about you based solely on automated means. If this changes, we will notify you.

Retention periods are listed in our ROPA:
https://www.bnc.ox.ac.uk/privacypolicies

Deletion may be suspended if legal, disciplinary, or criminal investigations are ongoing. Anonymised statistical data may be retained indefinitely.

• Right to request access to your data;
• Right to correct inaccuracies or complete incomplete data;
• Right to request erasure in certain cases;
• Right to restrict processing;
• Right to receive and transfer your data to another controller;
• Right to object to direct marketing;
• Right to object to processing based on legitimate or public-interest grounds;
• Right to object to automated decision-making with legal or significant effects; and
• Right to withdraw consent at any time (where applicable).

Contact:

The Data Protection Officer
Brasenose College
Radcliffe Square
Oxford OX1 4AJ
data.protection@bnc.ox.ac.uk

Further guidance: https://ico.org.uk/
Complaints: https://ico.org.uk/concerns/

We may update this notice periodically (e.g. due to changes in law, technology, or College/University procedures). For material changes, at least two months’ notice will be given by email or in writing.

Past versions are available at:
https://www.bnc.ox.ac.uk/privacypolicies

Version control: v1.4 (February 2024)

Last Review Date: February 2024
Next Review Date: February 2025