Supplier Privacy Notice 

Introduction

You are receiving this Privacy Notice as a supplier of goods and/or services to us. We are committed to protecting the privacy and security of your personal information during and after your engagement with us, in accordance with the new law, the General Data Protection Regulation (“GDPR”), effective from 21st August 2025. The extensive content of the GDPR introduces a raft of changes including an increase to the territorial scope of European Union data protection law.

We will process certain personal information about you when we engage you as a supplier. We ask that you read this section carefully as it contains important information about who we are, how and why we collect, store, use and share your personal information, your rights in relation to your personal information, and on how to contact us and supervisory authorities in the event you have a complaint.

Who We Are

SRK Consulting (UK) Limited (“we”, “us” or “our”) collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the GDPR which applies across the European Union, including in the United Kingdom, and we are responsible as “data controller” of that personal information for the purposes of those laws. Our data controller registration number in the United Kingdom is Z9683755.

Data Protection Principles

We will comply with data protection law. This says that the personal information we hold about you must be:

  • used lawfully, fairly, and in a transparent way;
  • collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
  • relevant to the purposes we have told you about and limited only to those purposes;
  • accurate and kept up to date;
  • kept only as long as necessary for the purposes we have told you about; and
  • kept securely.

The Personal Information We Collect and Use

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

While you work for us, we process the following personal information when you provide it to us:

  • personal contact details such as name, title, address, telephone number, and personal email address;
  • travel related details such as gender, date of birth, place of birth, photographs, and visa applications including scans of passports;
  • family details such as marital status, dependants, and next of kin details;
  • financial details such as bank account records and tax status information;
  • professional details such as education qualifications, work history, professional memberships, and CVs; and
  • copies of any relevant licences such as driving licences or quarry licences.

On occasion, and where necessary on the grounds for processing set out below, we may also collect the following “special categories” of data, which is more sensitive personal information and requires a higher level of protection, including:

  • information about your race, ethnicity, and/or religious beliefs;
  • health related information such as medical conditions, allergies, blood type, and vaccination records that are relevant to an assignment or location;
  • biometric data;
  • information concerning any criminal convictions or offences; and
  • safety records such as risk assessments and drug and alcohol test results (as required on occasions by our clients).

We will only collect information about criminal convictions if it is required for the purposes of an assignment we may engage you on or for the purposes of arranging business travel, visa, or permits and any necessary supply chain due diligence.

Most of the personal information listed above is collected directly from you either when you are engaged by us as a supplier or during the performance of the contract between us; however, we may also obtain personal information from other sources such as credit reference agencies, travel agents, or health professionals.

How We Use Your Personal Information and the Grounds on Which We Will Process It

We use your personal information (including special category data) to:

  • perform the contract we have entered into with you and our clients, including to arrange travel and/or visas and permits to undertake the work we have contracted with you to perform;
  • undertake supply chain due diligence;
  • where it is necessary for our legitimate interests (or those of a third party) provided always that your interests and fundamental rights do not override those interests; and
  • comply with our legal obligations.

In addition, but in circumstances we expect would be rare, we may use your personal information:

  • in an emergency, for the protection of life, to protect your or somebody else’s vital interests; and
  • where it is needed in the public interest.

If you fail to provide certain personal information to us, we may not be able to perform the contract we have entered into with you or our clients (such as paying you or arranging travel and insurance coverage for you) or we may be prevented from complying with our legal obligations (such as assessing the health and safety risks of our work).

Change of Purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Who We Share Your Personal Information With

We may share your personal information (e.g. your personal contact details and professional details) with consulting practices within the same network of companies as us including subsidiary or associated companies (“Consulting Practices”) for the purposes of us working with those Consulting Practices on client engagements and who in turn may contact you to engage you as a supplier. We assert that sharing your personal information in this way is in our legitimate business interests.

Some of the Consulting Practices are in countries outside the United Kingdom and the European Economic Area ("EEA") which may not provide the same statutory level of data protection as in the United Kingdom; however, all such transfers will be carried out in line with the relevant UK data protection legislation, using appropriate safeguards which may include International Data Transfer Agreements (IDTAs). Should you have any concerns about your personal data being transferred internationally, please do not hesitate to contact us.

Your personal information may also be used and reproduced as a form of standard CV to be used by us or other Consulting Practices in proposals or tender documents submitted to our clients for works to be carried out by us. We will only use those classes of your personal information (typically name, nationality, qualifications and accreditations, professional experience and languages spoken) to the extent reasonably required for this purpose, which we assert is in our legitimate interest. You acknowledge that certain of our clients may be in countries outside of the United Kingdom who do not provide the same level of data protection as in the United Kingdom.

We may also share your personal information with certain third-party suppliers (e.g. our insurers, bankers, travel agents, and professional advisers). Some of those third-party suppliers may be based outside of the United Kingdom and the EEA. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions. We assert that this purpose will either be necessary for the performance of our contract with you or in our legitimate interests.

We will share personal information with law enforcement or other authorities if required by applicable law.

Transfer of Your Information Out of the United Kingdom and EEA

Given the nature of our work and the locations of our clients and projects, we may transfer your personal information to any country.

Some countries do not have the same data protection laws as the United Kingdom and EEA. Whilst the European Commission has not given a formal decision that all such countries provide an adequate level of data protection similar to those which apply in the United Kingdom and EEA, any transfer of your personal information will be subject to appropriate or suitable relevant safeguards as permitted under Article 46(5) of the GDPR that are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information.

If you would like further information about these protective measures please contact us (see ‘How to Contact Us’ below).

Data Security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

If you would like further information about these data security measures please contact us (see ‘How to Contact Us’ below).

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

How Long Your Personal Information Will Be Kept

We will hold your personal information for as long as necessary to fulfil the purposes we collected it for, including to satisfy any legal, accounting or reporting requirements (e.g. certain information must be retained under applicable United Kingdom accounting and tax law for 6 years).

In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Your Duty to Inform Us of Changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Consequences of Our Use of Your Personal Information and Your Rights

Under certain circumstances, by law you have several important rights which may generally be exercised free of charge. In summary, these include rights to:

  • fair processing of information and transparency over how we use your personal information;
  • request access to your personal information (commonly referred to as a “data subject access request”) and to certain other supplementary information that is addressed in this Privacy Notice;
  • require us to correct any mistakes in your personal information which we hold;
  • require the erasure (deletion) of personal information concerning you in certain situations;
  • receive the personal information concerning you which you have provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to a third party in certain situations;
  • object at any time to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground; you also have the right to object where we are processing your personal information for direct marketing purposes;
  • request the restriction of processing of your personal information; this enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it; and
  • request the transfer of your personal information to another party.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights), although we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the United Kingdom Information Commissioner’s Office on individuals’ rights under the GDPR.

If you would like to exercise any of those rights, please:

  • email, call, or write to us;
  • let us have enough information to identify you;
  • let us have proof of your identity; and
  • let us know the information to which your request relates.

How to Complain

We hope that we can resolve any query or concern you raise about our use of your information. The GDPR also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or EEA) state where you work, normally live, or where any alleged infringement of data protection laws occurred. The supervisory authority in the United Kingdom is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.

Changes to This Privacy Notice

This privacy notice was published on 21st August 2025 and last updated on 21st August 2025. We may change this privacy notice from time to time; when we do, we will inform you via email.

How to Contact Us

Please contact us if you have any questions about this privacy notice or the information we hold about you. If you wish to contact us, please send an email to privacy@srk.co.uk or call +44 (0) 29 20 348 150.

Do You Need Extra Help?

If you would like this notice in another format (for example: audio, large print, braille) please contact us (see ‘How to Contact Us’ above).