Protecting Your Privacy


Introduction

This Privacy Notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we'll store and handle that data, and keep it safe. This notice covers you if you are a supplier, an employee of a supplier, a sole trader or a community matters organisation / charity.

We hope the following sections will answer any questions you have but if not, please do get in touch with us via the contact details at the end.

What is the John Lewis Partnership?

The John Lewis Partnership – which we'll refer to as 'the Partnership' in this document – is made up of a number of related businesses:

  • John Lewis Partnership plc and its subsidiaries, including:
    • Herbert Parkinson Ltd
    • John Lewis plc
    • John Lewis Hong Kong Limited
    • Waitrose (Jersey) Limited
    • Waitrose (Guernsey) Limited
    • Waitrose Limited

For simplicity throughout this notice, 'we' and 'us' means the Partnership and the companies that compose its group.

The Legal Basis We Rely On

The law on data protection sets out a number of different reasons for which a company may collect and process your personal data, including:

Consent

In specific situations, we can collect and process your data with your consent. For example, when we ask for your consent to use your information, including images, for marketing and PR purposes.

When collecting your personal data, we'll always make clear to you which data is necessary in connection with a particular service.

Contractual obligations

In certain circumstances, we need your personal data to comply with our contractual obligations. This will be the case, for example, when we process your details to ensure payments from suppliers are appropriately processed.

Legal compliance

If the law requires us to, we may need to collect and process your data. This will be the case, for example, when we conduct credit checks on suppliers.

Legitimate interest

In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not impact your fundamental rights and freedoms or interests. For example, when we conduct market analysis of our brands, to ensure we are positioning food and services correctly, we may need to use your personal data and pass your details to the PR/Marketing agency.

When do we collect your personal data?

  • When we hold a contract/agreement with you.
  • When you register as a supplier with us. You may do this by phone, e-mail, or via onboarding forms, which exist on various platforms including (but not limited to):
    • John Lewis Connect
    • Waitrose Connect
    • iSupplier
    • MDM
    • Verisae
    • Coupa
    • Softco

Coupa

Coupa is the Business Spend Platform used by the Partnership for its Goods for Resale (GFR) and Goods Not for Resale (GNFR) purchasing. The Coupa Procurement Suite consists of various modules. Coupa core provides the following capabilities to the Partnership: Supplier Onboarding, Guided Buying, Sourcing, Invoicing, Self-Service Catalogue Management, and Spend Classification & Analytics. Contract Lifecycle Management Advanced (CLMa) is used for Contract Management, and Coupa Risk Assess (CRAs) for Risk and Supplier Management.

What sort of personal data do we collect?

We collect:

  • Names, surnames, telephone number, mobile number, email address of suppliers and / or employees of suppliers, via onboarding forms and related documentation to ensure appropriate processing of your agreement and compliance with our contractual obligations.
  • Physical address and postcode of suppliers, which may be the place of employment of their employees, including warehouse details.
  • Bank Details of suppliers to enable payments and refunds.
  • Email address to ensure suppliers and suppliers' employees undertake required training.
  • Risk assurance information such as policies and evidence of legal compliance including accreditations relating to areas such as Business Continuity, Health and Safety, Modern Slavery, IR35.

How and why do we use your personal data?

Here's how we'll use your personal data and why:

  • To maintain our own accounts and records. We do so to comply with our legal obligations to HMRC.
  • To process orders, ensuring our delivery services are able to deliver orders successfully. We do so to fulfil our contractual obligations with our customers associated with their orders.
  • To process payments and to prevent fraudulent transactions. We do this on the basis of our legitimate interest. This also helps to protect our suppliers and customers from fraud.
  • To process and pay for your supplies. We do so to ensure we comply with our contractual obligations under our contracts with our suppliers.
  • To comply with our legal obligations to share data with law enforcement on their request.
  • To ensure that suppliers have access to appropriate training. We do so on the basis of our legitimate interest to ensure suppliers and their employees are aware of, for example, the rules in our branches and premises.
  • To carry out supplier due diligence to ensure companies are complying with the law and that they meet the Partnership's minimum standards and agree to our policies.

How long will we keep your personal data?

  • Whenever we collect or process your personal data, we'll only keep it for as long as is necessary for the purpose for which it was collected.
  • At the end of that retention period, your data will either be deleted completely or anonymised.
  • Many of the documents and records created by the Partnership (regardless of the format in which they are held) are required to be retained by law for specified periods, such as accounting, and tax.
  • It is the policy of the Partnership to retain information for as long as required for the purposes for which that information was created, obtained or used, and at least the minimum periods legally required.
  • We will also need to hold supplier details for warranty purposes, and for a certain length of time, for example, complaints about the product or service.
  • In most cases we will hold your data for 6 years after the current year to comply with HMRC guidelines.

Who do we share your personal data with?

We sometimes need to share your personal data with our third parties.

Here's the policy we apply to the organisations that process the data on our behalf, aimed at keeping your data safe and protecting your privacy:

  • We provide the information they need to perform their specific services.
  • They should use your data for the exact purposes we specify in our contract with them.
  • We work with them to ensure that your privacy is respected and protected at all times.
  • If we stop using their services, your data held by them will either be deleted or rendered anonymous.
  • Third parties include (but are not limited to):
    • Delivery and Haulage services
    • Fuel monitoring third parties
    • Upholsterers
    • Property management services
    • The Police
    • The DVLA
    • Builders and Contractors
    • Assurance third parties
    • IT testing third parties
    • Media directory
    • PR agencies
    • Public affairs agencies
    • Marketing and PR agencies
    • Payment services
    • Credit checking agencies
    • Suppliers of IT and web based services

Sharing your data with third parties for their own purposes:

We will only do this in very specific circumstances, for example:

  • For fraud management, we may share information about fraudulent or potentially fraudulent activity in our systems. This may include sharing data about individuals with law enforcement bodies.
  • We may, from time to time, expand, reduce or sell the Partnership and this may involve the transfer of suppliers or the whole business to new owners. If this happens, your personal data will, where relevant, be transferred to the new owner or controlling party, under the terms of this Privacy Notice.

How will the data be shared internationally, outside the EEA?

Sometimes we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA).

The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.

We may transfer personal data that we collect from you to third-party data processors in countries that are outside the EEA, for example:

  • Data will be shared internationally to enable the trade of products and services outside the EEA.
  • Data may be shared internationally for payment purposes.

If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA. For example, our contracts with third parties stipulate the standards they must follow at all times. If you wish for more information about these contracts please contact our Data Protection Officer.

Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.

What Processing/Profiling is Done with your Data?

  • We may have to perform credit and background checks, including identity checks. In some cases we will conduct credit checks via third parties; for example, we may use the services of third-party credit referencing agencies such as Experian or Creditsafe to carry out credit checks.
  • The result of credit/background/ID checks will have an impact on the decision in question which required the check to be performed, but you will always be able to discuss it with someone from the Partnership.

The Rights

An overview of your different rights.

You have the right to request:

  • Access to the personal data we hold about you, free of charge in most cases.
  • The correction of your personal data when incorrect, out of date or incomplete.
  • The deletion of the personal data we hold about you, in specific circumstances. For example, when you withdraw consent or object and we have no legitimate overriding interest, or once the purpose for which we hold the data has come to an end (e.g. no longer supplying to us).
  • A computer file in a common format (e.g. CSV or similar) containing the personal data that you have previously provided to us and the right to have your information transferred to another entity where this is technically possible.
  • Restriction of the use of your personal data, in specific circumstances, generally whilst we are deciding on an objection you have made.
  • That we stop processing your personal data, in specific circumstances. For example, when you have withdrawn consent, or object for reasons related to your individual circumstances.
  • That we stop any consent-based processing of your personal data after you withdraw that consent.
  • Review by a Partner of any decision made based solely on automatic processing of your data (i.e. where no human has yet reviewed the outcome and criteria for the decision).

You can contact us to request to exercise these rights at any time. Please visit www.jlpsuppliers.com for details on how to submit your request.

If we choose not to action your request we will explain to you the reasons for our refusal.

Where we rely on our legitimate interest

In cases where we are processing your personal data on the basis of our legitimate interest as described above, you can ask us to stop for reasons connected to your individual situation.

We must then do so unless we believe we have compelling legitimate grounds for the processing which override your own interests, rights and freedoms.

Checking your identity

To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice.

If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.

Contacting the Regulator

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the relevant Regulator, such as the UK Information Commissioner's Office.

For the ICO, you can contact them by calling 0303 123 1113.

Any questions?

We hope this Privacy Notice has been helpful in setting out the way we handle your personal data and your rights to control it.

If you have any questions that haven't been covered, please contact our Data Privacy & Information Security Office via one of the following routes, who will be pleased to help you:

Email: [email protected]

Post: DPO Office, 1st Floor, Partnership House, Carlisle Place, London, SW1P 1BX

This notice was last updated on 01 April 2023