Privacy Notice

Last updated January 2026.

This Privacy Notice will be reviewed on a regular basis or when a change in legislation and/or practices dictates and any changes will be notified to you by posting an updated version on our websites and/or by contacting you via email.

We recommend that you regularly check for changes and review this policy when visiting our website(s).

1. Introduction

This Privacy Notice aims to explain the types of personal data we may collect about you when you interact with us and use our website, Procurement Services, including any data you may provide when you purchase products, goods and services or sign up to our newsletters. It also explains how we will store and handle your data and keep it safe.

When you are using the Procurement Services website, Commercial Services Kent Ltd (company registration No: 05858177 (England and Wales)), or Commercial Services Trading Ltd (company registration No: 05858178 (England and Wales)) may act as the data controller.

We understand that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all our customers and their employees and other people with whom we interact in the course of undertaking our services.  This Privacy Notice offers both our customers and their employees with meaningful and accessible guidance on our approach to handling personal data.

2. Who are we?

Procurement Services is a registered trading function of Kent County Council which forms part of Commercial Services Group (CSG), and where services are provided by this function Commercial Services Kent Ltd will act as the data controller.

Where services are provided under the trading brand Procurement Services - Lifecycle, the data controller will be Commercial Services Trading Ltd.

CSG is the umbrella for all its trading brands, with its ultimate parent organisation being Kent County Council. It provides the support, dependability, and security to allow all brands to thrive independently. CSG are committed to providing an excellent customer and user experience underpinned by social value and a committed and empowered workforce

Procurement Services collects, uses and processes personal information about you. When we do, we are regulated under the UK Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (UK GDPR) and the Data (Use and Access) Act 2025.

If you have any questions, suggestions or complaints about the processing of your personal information please contact our Data Protection Officer (DPO) via email at dpo@csltd.org.uk, or in writing by using the address below;

Data Protection Officer
Commercial Services Group
1 Abbey Wood Road
Kings Hill
West Malling
ME19 4YT.

3. Our services

We offer several solutions and services including:

Providing Digital solutions to educational establishments with our DfE-approved, nationwide framework designed to support schools with cutting-edge multi-functional devices and digital services.

Lifecycle is dedicated to supporting public sector organisations with a comprehensive suite of solutions designed to enhance contract management and procurement processes. This includes solutions such as the Lifecycle Index™, contract management, supplier relationship management, procurement, further competition support, performance, and KPI monitoring.

Providing public sector Vehicle solutions, we pride ourselves on providing compliant, tailored solutions to fulfil each of our customer’s requirements.

Our Leasing team can support organisations to finance capital purchases by advising finance leaders on how to structure and procure their financing at the most competitive rates and under the best possible terms.

Tender Service where our experienced team of procurement professionals can deliver a tender service based on your requirements. All our teams work in accordance with procurement regulations (PA23 and PCR 2015), and you can be confident to receive a fully compliant outcome.

Our Framework Solutions offer compliant routes for the UK public sector to procure products and services from local, national and global suppliers.

In providing these goods and services to our customers, it will be necessary for Procurement Services to gather, obtain, record and hold your personal information.

4. The personal information we collect and use

The table below summarises the information we collect, use and retain for our services, how and why we do so, how we use it and with whom it may be shared.

We seek to ensure that our information collection and processing is always proportionate. We will notify you of any changes to information we collect or to the purposes for which we collect and process it.

Outline below the type of data collected when customers engage with Procurement Services (below are some examples)

The information collected	How the information is collected	Why the information is collected	How the information is use and may be shared
School name, address, contact name, contact telephone number, contact email address	From the customer email or verbally from calling	To enable the Digital team to quote and place orders, to respond to customer queries and make contact when necessary	Info may be shared with our partner (if they have a relationship with that partner) or seek permission from the customer to share with other partners, or at our customer's request.
School name, address, contact name, contact telephone number, contact email address	From the customer email or verbally from calling	To enable the Vehicles team to quote and place orders, arrange delivery and collections. To respond to customer queries.	The information is shared with our partner that the customer has decided on so they can place the order and deliver the vehicle.
School name, address, contact name, contact telephone number, contact email address, annual salary info	From the customer email or verbally from calling	To enable the Vehicles team to quote and place orders, arrange delivery and collections. To respond to customer queries.	The information is shared with our partner that the customer has decided on so they can place the order and deliver the vehicle. Also shared internally to HR, Line Manager, and our internal sign off delegates.
The information collected	How the information is collected	Why the information is collected	How the information is use and may be shared
Supplier quotes, contact names, addresses, emails, telephone number, service reports	From the supplier emails	To enable the Lifecycle team to manage contracts via the OPTIMiSe system	The information is shard with our clients via OPTIMiSe in the form of a commercial proposal, or portal
Client contact name, email, telephone number	From the client emails	To enable the Lifecycle team to manage contracts via the OPTIMiSe system	The information is shared with our suppliers so they can carry out servicing
Client contact name, email, telephone numbers, job role	From client emails	To enable the MPS team to contact the correct stakeholders	The information is shared internally, and with suppliers (with the client’s consent) to facilitate site visits/presentations
Contract data, costs, specifications	From client emails	To enable the MPS team to establish the full contract history	The information is shared internally to determine the correct procurement process/rote
Lessor quotes, name, email, telephone, costs, supplier details	From Lessor and supplier emails	To enable the Leasing team to manage leases on the OPTIMiSe system	The information is shared internally, and with our clients in the form of a commercial proposal, or via the OPTIMiSe portal.
Marketing Preferences – Opt-ins	From customer via email subscription forms or account settings	To enable the Marketing team to send communications	The information is used to tailor information and is shared with internal teams for business development purposes. May also be shared with email marketing platforms for campaign delivery.
Business contact details, job titles, company details	From publicly available sources (Company websites, LinkedIn, directories, Oscar Data)	To enable the Marketing team to identify potential customers and tailor outreach	The information is used to inform marketing strategies and outreach and is shared with internal teams for business development purposes.
Website and email interaction data such as number of clicks, opens, and website traffic	Collected via Cookies, tracking and analytics tools (Consent given via cookie settings)	To enable the Marketing team to measure campaign effectiveness	The information is used to optimise marketing content and is shared with internal teams for business development purposes.
The information collected	How the information is collected	Why the information is collected	How the information is use and may be shared
Customer name, email, telephone, requirements data	From customer calls, emails and video chat (With consent)	To enable the PSE team to provide tailored marketing support and improve customer experience	The information is used to optimise marketing content and is shared with internal teams for business development purposes.

Other than stated above, we may share personal information with law enforcement, our regulators or other authorities if required by applicable law.

If there is a statutory and contractual basis for collecting your personal data and you do not provide some or all of the details specified, we may be unable to enter into a contract with you or your organisation.

5. Marketing

We will provide you with choices regarding the use of your personal data around marketing and advertising and enable you to exercise your right to prevent such processing by:

checking certain boxes on the forms we use to collect your personal data for marketing purposes;

offer you opt out and unsubscribe links in all marketing emails sent to you;

or by emailing us at pscommunications@csltd.org.uk to ask us to stop sending you marketing messages.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase or contract for product/service.

We will retain your contact details on a marketing suppression list to ensure we do not contact you again.

Promotional offers from us

We may use your contact details to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and you have not opted out of receiving that marketing.

6. How long your personal data will be retained

We will not keep your information for longer than is necessary, for either:

•    the purpose of administering your individual record;
•    or as is necessary in providing a service to our customer;
•    or as required by law.

Upon expiry, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning. 

For certain data sets, we have the following specific retention periods:

Orders, Contracts, and Invoices: when you place an order with us for goods which have been invoiced for, the personal data you give us will be retained for current financial year plus a further 6 years so we can comply with our legal and contractual obligations.

Marketing Emails: 6 months post campaign.

Customer Access Agreements: A minimum of 2 years.

7. Who we share your personal information with

We may share your personal data with the following organisations:

•    Suppliers
•    Internal Teams

•    Service Providers

We may also share your personal information with trusted third parties that are under contract with us and where it is necessary to administer our working relationship with you or where we have another legitimate interest in doing so (providing this is not overridden by your interests).

Our trusted third parties may include service providers who supply us with processing services or functions, including our contracted IT suppliers, access to data and systems is only granted where authorised and specifically required in line with our contracts with them.

Management information may be shared within Commercial Services Group, under a Data Sharing Agreement held by its operating company Global Commercial Services Group Ltd, a company registered in England and Wales (Reg No. 11735631). This Agreement reflects the requirements of the UK GDPR, DPA2018 and DUAA2025.

We may also need to share some of the categories of personal information with other parties where a transfer of the business takes place. Usually, information will be anonymised or pseudonymised, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations and legally binding data sharing agreements.

8. Where information may be retained

Information may be retained at our offices and those of our service providers, representatives and agents as described above.

Some of the personal information you provide to us may be transferred to or made accessible to separate organisations located outside of the UK. Where this occurs, we will make the restricted transfer under UK “adequacy regulations”, which ensure appropriate protection for individuals’ rights and freedoms.

Where the UK has not issued “adequacy regulations” for the destination country, the restricted transfer will be subject to appropriate safeguards. These may include the use of standard data protection clauses, such as the International Data Transfer Agreement or International Data Transfer, when entering into restricted transfers with the organisation receiving the data.

9. Your rights

Under the UK GDPR you have a number of rights which allow you to:

Your right of access - You have the right to ask us for copies of your personal data, however there are some exemptions which means you may not receive all the information you ask for.

Your right to rectification - You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure - You have the right to ask us to erase your personal data in certain circumstances.

Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal data in certain circumstances.

Your right to object to processing - You have the right to object to the processing of your personal data in certain circumstances.

Your right to data portability - You have the right to ask that we transfer the personal data you gave us to another organisation, or to you, in certain circumstances.

Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent.

If you make a request, we have one calendar month to respond to you. If a request is deemed to be complex or a number of requests have been received from an individual, the response time may be extended by up to 2 months.

We will always seek to comply with your request however we may be required to hold or use your information to comply with legal duties.

You can also withdraw your consent and opt-out from direct marketing by using the unsubscribe link at the bottom of our marketing emails.

Suppression lists will be maintained to screen against direct marketing information being sent to people who have already exercised their right to object to direct marketing.  These lists will be held for compliance purposes only, and this does not affect your rights to be erased.

Please note: your request may delay or prevent us delivering a service to you.

For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioners Office (ICO) on individuals’ rights under the UK General Data Protection Regulation https://ico.org.uk/

If you would like to exercise a right or make a complaint about how your personal data is handled by Procurement Services, please contact our DPO via email at dpo@csltd.org.uk or write to Data Protection Officer, Commercial Services Group, 1 Abbey Wood Road, Kings Hill, West Malling, ME19 4YT.

10. Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost, used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. 

We also have procedures in place to deal with any suspected data security breach. We will notify you and the ICO as regulator of any suspected data security breach where we are legally required to do so.

11.  Who to contact

If you have any questions, suggestions or complaints about the processing of your personal information, or you wish to exercise any of your rights please contact our Data Protection Officer (DPO) via email at dpo@csltd.org.uk or in writing by using the address below;

Data Protection Officer
Commercial Services Group
1 Abbey Wood Road
Kings Hill
West Malling
ME19 4YT.

The UK General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk or telephone 0303 123 1113.

We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.