Information for suppliers

As a UK conservation charity protecting historic places and green spaces, it is important that goods and services meet our requirements and comply to our terms and conditions.

To help us work efficiently with our suppliers and make sure we hold accurate and up-to-date information, any suppliers we use are formally invited to register on Proactis, our supplier management system: www.proactisplaza.com

If you are a prospective supplier who would like to tender your goods or services to the National Trust, you can register yourself on Proactis without an invite from the National Trust. If we advertise an opportunity, you will then be able to view it using this Portal.

Please note however that you will need to be invited specifically by the National Trust before our staff will be able to raise orders with you.

Please only accept a request for goods/services from a formal National Trust purchase order. This should be issued to you before you dispatch any goods /services or before sending an invoice to us for payment. The only exception to this will be the use of Purchasing Cards for smaller transactions.

All orders will be subject to our standard terms and conditions unless different terms and conditions have been agreed between the supplier and the National Trust.

Our payment terms

Unless we have specifically agreed otherwise with you we will pay the price of the goods and/or services 30 days from the later of (a) the date of invoice, or (b) the date the goods and/or services are received, provided that a valid invoice, quoting the Purchase Order number, is received by National Trust Supplier Invoices at PO Box 352, Darlington, DL1 9QQ or supplierinvoices@nationaltrust.org.uk and provided that the supplier has registered properly on the Proactis portal following a formal National Trust invitation.

Existing supplier invoicing

If you can email us a PDF or other electronic image of your invoices and credit notes then please send them to: supplierinvoices@nationaltrust.org.uk

Otherwise please post hardcopies of invoices and credit notes to us at the below PO Box address.

National Trust Finance Service Centre
Epsom Court
Epsom Road
Whitehorse Business Park
Trowbridge
Wiltshire
BA14 0XF

If you are a utility or one-bill supplier than we will have given you different address information, but unless we have contacted you directly about that then please use the address information above.

Existing supplier queries

If you have queries about billing, invoicing or payments please contact:

National Trust Finance Service Centre
Epsom Court
Epsom Road
Whitehorse Business Park
Trowbridge
Wiltshire
BA14 0XF

Tel: 0344 800 4201

Email: fsc.customerservices@nationaltrust.org.uk

You will most likely be aware of the General Data Protection Regulation (GDPR) which was implemented in the UK on the 25 May 2018.

This legislation requires all organisations that process personal data, or engage others to do so on their behalf, to adopt certain practices to safeguard personal data.

How is GDPR implemented?

We use terms as recommended by the regulators/ICO at www.ico.org.uk.

These should become ‘standard terms’ for everyone and you should find other organisations will ask you to sign up to very similar or identical terms.

What is ‘personal data’?

Personal Data is any information that tells you something about an identifiable living individual. This could include name and address, e-mail addresses or contact numbers.

Certain ‘special categories’ of personal data are more heavily protected. These include information about racial or ethnic origin, sexual orientation or religious belief. If you process that sort of data (or large amounts of personal data in general) we are more likely to get in touch and ask you to work with us to review our processes to ensure data is processed securely. This may include entering into a specific ‘Data Processing Agreement’.

The sort of work I do has nothing to do with personal data, so why these terms?

If you don’t process personal data on our behalf, you can ignore all this. The terms will technically still apply to our relationship but because of the way they’re written they will have no effect on you.

The Trust has a very large number of suppliers doing an incredibly broad range of activities. Therefore, it’s impractical to review every single arrangement and establish which suppliers process personal data, and which don’t. Had we tried to do that, this would have created a lot more work for our suppliers and for us.

What is the Data Processing Agreement you refer to?

Ideally, we should list out the forms of processing that our suppliers are involved in as part of our terms of business. In reality, this is too impractical to do with all suppliers that process personal data. However, we will do this with those suppliers that we think are higher risk in the form of a specific ‘Data Processing Agreement’.

We may consider suppliers ‘high risk’ either because they process personal data that is more heavily protected under the regulations (‘special category data’) or because suppliers process large amounts of personal data in general. We will be in touch with suppliers that we deem high risk.

We already operate under agreed terms/we only operate under our own terms/we have accepted standard National Trust terms. Does this still apply to us?

Yes. Regardless of the arrangements that may already exist, if you process personal data on our behalf, we have to ensure that specific terms are included that oblige our suppliers to safeguard personal data.

The terms that we have sent to you via Proactis will take effect as an amendment to whatever agreement(s) we have with you. Other clients of yours (especially large clients) are likely to ask you to do very similar things.

Where can I go to find out more about GDPR?

The ICO website has a lot of information about the General Data Protection Regulation and the piece of UK legislation that brings it into effect (the Data Protection Act 2018). If this is all news to you, we would encourage you to take advice.

If you handle personal data as part of your business (and most businesses do) then you will be affected by these regulations, and it is likely you will need to change your processes to be compliant.

Why are you writing to me again about GDPR?

The General Data Protection Regulation has not gone away I’m afraid. There are lots of things we’ve all had to do under these regulations but one of the more difficult things to do is ensure that specific ‘Data Processing Agreements’ and ‘Data Protection Impact Assessments’ are completed, where required.

When we wrote to you in May we were notifying you of general changes to our terms and conditions. Those go some way towards achieving compliance, but the regulations require us to go through one further step to achieve full compliance in relation to certain suppliers.

We are writing to suppliers now because we need some of our suppliers to complete the above documents with us.

Am I a low risk or high risk supplier?

The way the rules work means that if any supplier processes any personal data at all on our behalf, we need to enter a specific ‘data processing agreement’ with that supplier. That agreement must take a specific form.

As such, we have assessed all our suppliers to try to categorise them into ‘higher risk’ and ‘lower risk’ processors.

There are a limited number of suppliers that we’ve assessed as ‘low risk’. This means they process some personal data, but only in small volumes and none of it is of a sensitive nature.

High risk suppliers

If suppliers do any processing that we determine to be ‘higher risk’ then we also need to complete a ‘data Protection Impact Assessment’, which is something that we cannot do without our suppliers’ co-operation.

We write to all ‘higher risk’ processors – those that we think either process significant volumes of personal data or that process some ‘special category’ personal data that is more carefully protected under the rules, such as health records. We have explained and provided the documents that need to be completed.

Low risk suppliers

We are not asking suppliers assessed as lower risk to complete the above documents but are asking for a short form to be completed just to help us ensure our assessment is correct and such suppliers really are ‘low risk’.

The Short Security Questionnaire is easy to complete, and we expect that in the vast majority of cases the supplier will have been assessed correctly.

It is possible that suppliers may subsequently be asked to complete full Data Processing Impact Assessments and enter into formal Data Processing Agreements with us. However, in most cases this won’t be necessary.

If we don’t get suitable documents completed in relation to our suppliers, then we may be unable to continue to work those suppliers.7

What if I no longer work with you or don’t process any personal data on your behalf?

The National Trust has thousands of suppliers. We have assessed our suppliers based on the nature of the business that they are involved in, the nature of the services that our records show they have supplied to us, our recent spend with those suppliers and our staff understanding of the volumes and types of personal data that our suppliers process.

If you either no longer work with us or think that you process no personal data on our behalf then please e-mail the following e-mail address quoting the reference number shown in the e-mails we sent to you: gdpr.questionnaires@nationaltrust.org.uk.

Modern slavery statement

We have a zero tolerance of modern slavery in all its forms.

Read our latest statement on modern slavery

Environmental policy statement

Read our Environmental Policy statement