We've got a new look! Tenet Education Services and CPL Group have joined the CPC brand! Learn more 

CPC Swoosh

Privacy Policy

1. Introduction

1.1 This privacy policy explains how and why Crescent Purchasing Consortium (CPC) and its subsidiary companies (referred to as "we", "us" or "our") collect and use your personal data under the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1.2 CPC acts as the Data Controller in respect of the personal data we process.

1.3 If you have a query about this privacy notice, please contact our data protection officer by emailing [email protected]. Alternatively, you can contact in writing at the following address: Procurement House, Unit 23, Leslie Hough Way, Salford M6 6AJ.

1.4 We regularly review this notice, so you are always aware of:

  • What information we collect.

  • How we use it.

  • What circumstances, if any, we will share it with other parties.

1.5 This privacy policy was last updated on 31 May 2024.

2. What personal data we collect and how we collect it

2.1 Most of the personal data we collect is provided directly to us by you when you:

  • Subscribe to CPC membership.

  • Access our managed or on-demand consultancy service.

  • Access our frameworks.

  • Make a complaint or enquiry.

  • Attend an event organised by CPC or attended by CPC (such as the Schools and Academies Show).

  • Visit our website.

  • Apply for a job with us.

  • Engage with our social media accounts and communicator tool.

2.2 The personal data we collect will include your:

  • Name.

  • Business address.

  • Business email address.

  • Job title.

  • Contact phone numbers.

  • IP (Internet Protocol) address.

  • Social media handles.

  • CV including home address, personal contact details and employment details.

2.3 Calls made to our helpdesk are not recorded at present. Phone numbers, from incoming calls to our helpdesk are recorded so we can return your call, help with your request.

2.4 We may also collect personal data specified in 2.2 by viewing your company website.

2.5 We use several different cookies on our site. If you do not know what cookies are, or how to control or delete them, then we recommend you visit http://www.aboutcookies.org for detailed guidance.

2.6 You will find information below on the cookies that we use on our website and their uses. Currently we operate an 'implied consent' policy which means that we assume you are happy with this usage. If you are not happy with our usage of cookies then you could delete the cookies after having visited the site or you could browse the site using your browser's anonymous usage setting (called "Incognito" in Chrome, "InPrivate" for Internet Explorer, "Private Browsing" in Firefox and Safari etc.).

2.7 First Party Cookies: These are cookies that are set by this website directly.

2.8 We make use of both session cookies and persistent cookies throughout all of the CPC websites; including but not limited to: www.thecpc.ac.uk, this is to provide a fluid and consistent service. We deem these as being strictly necessary to the working of the website. If these are disabled, then we expect that certain features of the website will not function correctly.

2.9 More information on the different types of cookies and what they are used for can be found at:

2.10 Google Analytics: We use Google Analytics to collect information about visitor behaviour on our website. Google Analytics stores information about what pages you visit, how long you are on the site, how you got here and what you click on. This Analytics data is collected via a JavaScript tag in the pages of our site and is not tied to personally identifiable information.

2.11 X: This Cookie is placed by X. It enables CPC to measure, optimise and build audiences for advertising campaigns served on X. It enables us to see how our followers move between devices when accessing the CPC web site and X, to ensure that CPC's X advertising is seen by our users most likely to be interested in such advertising by analysing which content a user has viewed and interacted with on the CPC website.

2.12 For further information about the X cookies and Pixel please see: About the X Cookies.

2.13 LinkedIn: This Cookie is placed by LinkedIn. CPC use the LinkedIn Insight Tag to track conversions, retarget website visitors, and unlock additional insights about members interacting with our LinkedIn ads.

2.14 For further information about LinkedIn please see: About LinkedIn conversion tracking.

3. Use of personal data

3.1 We use the information that you have given us in the following ways:

  • To provide an appropriate level of service.

  • To improve our website and services.

  • To make sure we are meeting the needs of our members and customers.

  • To understand how users interact with our website.

  • To respond effectively to queries raised. Note, if we request further information from you to help provide you with the most accurate answer possible, we will always explain at the outset our reasoning behind the request for additional information.

  • From time to time, we may send you marketing emails regarding CPC events, training and other membership benefits.

  • We periodically send out a newsletter to all members with relevant articles about new services, frameworks, special offers or other information which we believe will be of interest to you.

  • We periodically send out news and marketing campaigns via Mailchimp and Outlook to all our framework suppliers, signposting industry news and marketing opportunities.

3.2 You have the option to "opt-out" or reduce the volume of e-mails you receive from us at any time by contacting our helpdesk via the CPC website.

3.3 We use Mailchimp to send out our newsletters and you are always free to unsubscribe from them, however, as long as you are a member or framework supplier with CPC, we may use Mailchimp to send you information about your account.

4. Sharing personal data

4.1 We share your personal data with the following third parties, where relevant.

  • Our employees, to enable us to provide a professional service to both members and suppliers.

  • Other CPC members through our National and Regional Procurement Advisory Groups (PAGs) and the Further Education Facilities Management Network (FEFMN), this is to facilitate collaboration and knowledge sharing between members and to advance research in procurement.

  • Our framework suppliers who may send marketing material direct to members via email to promote goods or services.

  • Third party contractors that provide specialist services such as Risk2Value (insurance), Mailchimp and Lemlist (marketing), Survey Monkey (research) and Elcom (Multiquote).

  • Other third parties that may be used in the organisation of events such as our annual supplier awards.

  • Our professional advisors should the need arise, Weightmans (solicitors) and Hiscox (CPC insurance broker).

4.2 We will not:

  • sell, distribute, or grant access to your personal data to third parties (not mentioned above) unless we have your express written permission or are required to do so by law.

  • be aggressive or coercive in the way we request information from you.

5. How we keep personal data safe

5.1 We protect the information you give us using physical, electronic and management procedures on use of personal data. Industry-standard secure sockets layer (SSL) encryption is used on the web pages where we collect personal data.

5.2 We manage risk around use of personal data using processes incorporated in achieving Cyber Essentials Plus accreditation and other internal, audited controls. We commission external consultants each year to perform penetration testing on our systems as part of our aspiration to gain ISO 27001 -- Information Security Management accreditation.

5.3 Our data is backed up each day on the Azure cloud platform using global datacentres with encryption measures for both data at rest, or in transit.

6. How long we keep personal data

6.1 We keep your personal data only for as long as is reasonably necessary for the purposes of providing our services as identified in section 3.

6.2 CPC member data is kept for as long as your institution remains a member of CPC.

6.3 Supplier data (framework bidders) is kept in line with the requirements of the Public Procurement Regulations. Framework supplier data is kept for the duration of the contract in line with ICO (Information Commissioner's Office) retention guidelines.

6.4 Following the relevant retention period your personal data is deleted.  

6.5 Personal data of employees and applicants are kept in line with ICO retention guidelines and then deleted.

7. International data transfers

7.1 We do not transfer your personal data outside of the EEA (European Economic Area).  

7.2 Where your personal data may be backed-up on servers outside of the EEA or where a third-party may process your personal data outside of the EEA we will try to ensure your personal data gets the same protection as in the EEA.

8. Your rights under data protection law

8.1 You have certain rights under the UK GDPR (General Data Protection Regulation) and the Data Protection Act 2018.

8.2 You may have a right to request:

  • A copy of the information that CPC or its subsidiary companies hold about you (the right of access). See section 10. Subject Access Request (SAR).

  • That anything inaccurate in your personal data is corrected (the right to rectification).

  • That we remove your personal data (the right of erasure).

  • That we use your personal data only in specific circumstances (the right to restrict processing).

  • That we stop processing your personal data (the right to object).

  • That we provide your data in a readable format (right of data portability).

  • That you have human contact and be protected against automated systems (rights in relation to automated decision-making and profiling).

9.1 Under data protection law we must have a legal basis to collect, store and use your personal data.

9.2 The legal basis for processing the personal data that we collect is:

  • When you have given consent (for example, by registering as a CPC member).

  • When we make a contract with you (for example, employment with us or becoming a framework supplier).

  • To protect our legitimate interest of developing and providing our services and growing our business.

  • In the exercise of our legal duties (for example, where we are required to share information in accordance with legislation, to prevent fraud or due to a court order).

  • Necessary to perform a task in the public interest.

10. Subject Access Request

10.1 You can send a personal data request by emailing [email protected].

10.2 Alternatively, you can write to us at:

The Data Protection Officer

Crescent Purchasing Consortium

              Procurement House

              Unit 23, Leslie Hough Way, Salford

              M6 6AJ

11. How to complain

11.1 If you are not happy with how CPC has dealt with your request or how it manages your personal data you have the right to complain to the Information Commissioner's Office (ICO), the UK regulator on data protection.

11.2 You can make a complaint by phone on 0303 123 1113, or via the ICO website:  Information Commissioner's Office (ICO)