Suppliers Privacy Notice

Who we are

The Board of Trustees of the National Galleries of Scotland is the Data Controller for any personal data you give to us or we collect about you. Our full contact details are:

National Galleries of Scotland
73 Belford Road

0131 624 6200
[email protected]

National Galleries of Scotland is a charity registered in Scotland, No. SC003728. VAT No. GB 100 1904 82

We are a data ‘controller’, which means we are responsible for deciding how we hold and use your personal information.

This notice explains how and why we will collect and use your personal information and your rights in relation to your personal information. We may amend this notice at any time. Please refer back to this page for the most recent version. You may be notified directly of any significant changes which affect you where we believe it is appropriate and proportionate to do so.

What personal data do we collect and what do we do with it?

We process data from prospective, current and former suppliers as part of our procurement processes, which may include personal data. This allows us to select appropriate suppliers, order and pay for goods and services, record and manage that relationship and fulfil relevant legal obligations.

Who? What data do we collect? What is the lawful basis?

Sole traders

From you:
Contact details
Company Registration Number
Financial information
Tax status
Disclosure/ PVG Status*
Details of how you will fulfil/ deliver the service

From third parties:
Credit checks

From public sources:
Skills/ services provided
Professional/ career background

When we begin to gather information about potential suppliers, this is a part of our Public Task, to enable us to fulfil our obligations under the National Heritage (Scotland) Act 1985. This is also the basis for recording our interactions with you through correspondence, at meetings etc, and for gathering CCTV images and location data when you visit our sites.

Most processing relating to ordering and paying for goods and services is necessary to enter into or for the performance of a Contract.

Other processing is necessary for compliance with Legal Obligations.

Company (legal entity) representative or contact

Provided by you or your company:
Job title/ role
Contact details
Disclosure/ PVG Status*


Created by us/ you:
CCTV images
Location data
Feedback about you
Attendance at and contribution to meetings
Signed data processing agreement

From other sources:
Confirmation of PVG Status

*Basic Disclosure or PVG status may reveal criminal convictions or offences data. Processing of this data can only be carried out when it is authorised by UK law. The Data Protection Act 2018 sets out the conditions for processing. A policy document setting out how we meet those conditions and our procedures for safeguarding your data is available on request.

Failure to provide, create or compile some other types of personal information may prevent us from discharging our functions. For example, if you don’t provide your bank account details, we will be unable to process payment. We will let you know where this is the case.

Automated decision-making and Profiling

We do not currently take, and do not envisage taking, any decision about you based solely on automated processing (i.e. without human involvement) which has a legal or similarly significant effect on you.

Who sees my data?

NGS is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud. On behalf of the Auditor General for Scotland, Audit Scotland appoints the auditor for NGS’ accounts.

Audit Scotland is also responsible for carrying out data-matching exercises which compare computer records held by one body against other computer records held by the same or another body to see how far they match, allowing potentially fraudulent claims and payments to be identified. Where a match is found it indicates that there may be an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

The use of data by Audit Scotland in a data-matching exercise is carried out with statutory authority, normally under its powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000.

More information on the data-matching exercise.

Under the Public Services Reform (Scotland) Act 2010, we are required to publish details of payments in excess of £25,000 each financial year, with the vendor name, payment date, amount paid and a description of the work. This is available on our website and therefore potentially visible to anyone.

We are also subject to the Freedom of Information (Scotland) Act 2002, and may be required to disclose details of suppliers if requested, subject to various exemptions and in consultation with you if appropriate.

In addition, we may be required to share your personal information with other third parties where:

  • It is necessary for compliance with other legal obligations not outlined here
  • It is necessary to enter into or carry out our contract with you or administer the working relationship with you
  • It is a task in the public interest or we have a legitimate interest
  • It is necessary to protect your vital interests or those of another person.

Other recipients of your data may include (but are not limited to):

  • Scottish Government
  • HMRC
  • Health and Safety Executive

International Transfers

We do not currently transfer or intend to transfer your personal information to any country outside of the EU, or to any international organisation. Some third party systems that we use are hosted outside the EU but we will always ensure appropriate safeguards are in place.

How long will we keep the data?

We will only retain your personal information for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting or reporting requirements.

We will retain all of your personal information during your relationship with us and for no longer than is necessary after the completion/ termination of your contract to fulfil the terms of your contract and allow us to establish, exercise or defend legal claims.

What are my rights over access to the data you hold on me?

Subject to some legal exceptions, you have the right:

  • To access the data we hold about you and to know what we are doing with it
  • To have any inaccuracies corrected
  • To have your personal data erased
  • To place a restriction on our processing of your data
  • To object to processing
  • To request your data to be ported (data portability)

If we are processing your data on the basis of your consent, you also have the right to withdraw your consent at any time. For processing based on Public Task or Legitimate Interest, you have the right to object to the use of your personal data at any time, but if we believe that this would interfere with the performance of our functions and/or your contractual obligations, we will inform you that this is the case.

If you want to learn more about these rights, please see the Information Commissioner’s Office (ICO) website.

How to contact us about your personal data or this privacy notice

If you have any questions about this privacy notice or about your personal data, please contact: 

Data Protection Officer
Director-General’s Office
National Galleries of Scotland
73 Belford Road

Tel: 0131 624 6473

Email: [email protected]


As well as contacting the Data Protection Officer using the details above, you can use our Feedback procedure to make a complaint about the way we process your personal information.

You also have the right to lodge a complaint directly with the UK Information Commissioner's Office (ICO), the data protection supervisory authority in the UK.