Brasenose College GDPR ROPA – Financial, Commercial & Supplier Related Processing
Version 1.4 (Reviewed June 2023)
| ID | Category of personal data | Source of the data | Why we process it | How long we keep this data | Our lawful basis for processing | Details relating to lawful basis (where applicable) | Special / public interest / criminal data |
|---|---|---|---|---|---|---|---|
| 1 | Supplier and contractor information including names, contact details, communications with contractors, details of contracts, tender information, works undertaken, items purchased, invoicing arrangements, VAT numbers and payments made, banking details and information about supplier selection and quality/value of work or products. | Obtained from you; generated by us. | As part of the College’s normal operations and dealings with suppliers and contractors. | Transaction records – 7 years after financial year end; fixed-asset records may be kept longer; supplier-selection data retained while you remain a current or potential supplier. | Performance of contract; steps prior to contract; legitimate interests. | Legitimate interest in engaging suppliers and contractors that meet required standards. | |
| 2 | Event and merchandise sales and purchases – order details, event bookings, amount due, contact and payment details (e.g. credit-/debit-card or bank-transfer information) and receipts. | Obtained from you; generated by us. | To process payments for events and merchandise. | 7 years after financial year end. | Performance of contract; steps prior to contract. | ||
| 3 | Conference bookings – communications and inquiries, event details, payments and contact information. | Generated by us. | To process bookings and payments for conferences. | Inquiries – 7 years after inquiry or conference (whichever later); transaction records – 7 years after financial year end; conference papers and information may be retained indefinitely in the College archive. | Performance of contract; steps prior to contract. | ||
| 4 | Title documents, transfers, leases and contracts showing names of parties, signatories and witnesses. | Obtained from you. | To execute and retain legal title documents, leases and contracts. | Contracts – 7 years after conclusion; title documents and leases – 12 years after disposal of interest; ownership records kept permanently. | Performance of contract; steps prior to contract; legitimate interests. | Interest in entering and retaining property and contract records for legal and management purposes. | |
| 5 | Budget, audit and accounting documents, management accounts, investment records and related communications that include names and contact details of those responsible or involved. | Generated by us; obtained from you and third parties (e.g. accountants). | As part of normal budgetary and accounting processes. | 7 years after financial year end. | Legitimate interests. | Interest in operating budgeting, auditing and investment processes. | |
| 6 | Bank account records – names of payees and transaction details. | Received from third parties (e.g. the bank). | In the course of operating College bank accounts. | 7 years after financial year end. | Performance of contract; legitimate interests. | Interest in processing banking records for cash-flow, accounting and audit purposes. | |
| 7 | Governing Body and committee agenda, governance documents and some legal, financial and architectural records held in the College archive. | Obtained from you; generated by us. | To maintain a historic record of College administration. | Permanently. | Legitimate interests; archiving in the public interest (UK Data Protection Act). | Interest in preserving records of College life for research and heritage purposes. | Public-interest archiving under the Data Protection Act 2018 with appropriate safeguards. |
| 8 | Records generated for legal or statutory compliance that include names or associated personal data (e.g. data-protection or FOI requests, safeguarding, H&S or counter-terrorism records, legal advice or auditor requirements). | Generated by us; obtained from you and third parties (e.g. legal advisors). | To document information supplied for administration and to meet legal or regulatory obligations. | 7 years from creation unless longer retention required (e.g. legal advice or audit records). | Legal obligation. | Ensures compliance with law and good governance requirements. | Substantial public interest under the UK Data Protection Act 2018; statutory and legal obligations with Schedule 1 conditions met. |
Version control: v1.4 (Reviewed June 2023)