Information for suppliers

As a UK conservation charity protecting historic places and green spaces, it is important that goods and services meet our requirements and comply with our terms and conditions.

Our values 

Our suppliers play a crucial role in enabling the National Trust to care for special places. We aim to work with suppliers who share our values and avoid business practices which harm the environment or individuals and communities.  This includes zero tolerance of modern slavery in all its forms:

Modern slavery statement 

The National Trust's statement on modern slavery.

How we buy goods and services - what suppliers need to know

To help us work efficiently with our suppliers and make sure we hold accurate and up-to-date information, any suppliers we use will first be formally invited to register on Proactis, our supplier management system: www.proactisplaza.com
 
If you are a prospective supplier who would like to tender your goods or services to the National Trust, you can register yourself on Proactis (www.proactisplaza.com) without an invite from the National Trust. If we advertise an opportunity you will then be able to view it using this Portal.

Please note however that you will need to be invited specifically by the National Trust before our staff will be able to raise orders with you.

Please only accept a request for goods/services from a formal National Trust purchase order. This should be issued to you before you dispatch any goods/services or before sending an invoice to us for payment. The only exception to this will be the use of Purchasing Cards for smaller transactions.

All orders will be subject to our standard terms and conditions unless different terms and conditions have been agreed between the supplier and the National Trust.

Our payment terms 

Unless we have specifically agreed otherwise with you we will pay the price of the goods and/or services 30 days from the later of (a) the date of invoice, or (b) the date the goods and/or services are received, provided that a valid invoice, quoting the Purchase Order number, is received by National Trust Supplier Invoices at PO Box 352, Darlington, DL1 9QQ or supplierinvoices@nationaltrust.org.uk and provided that the supplier has registered properly on the Proactis portal following a formal National Trust invitation.

Existing Suppliers Invoicing

If you can email us a PDF or other electronic image of your invoices and credit notes then please send them to: supplierinvoices@nationaltrust.org.uk

Otherwise please post hardcopies of invoices and credit notes to us at this new PO Box address:

National Trust Supplier Invoices
PO Box 352
Darlington
DL1 9QQ
 
If you are a utility or one-bill supplier then we will have given you different address information, but unless we have contacted you directly about that, please use the address information above.

Existing Supplier Queries

If you have queries about billing, invoicing or payments please contact:

National Trust Finance Service Centre
Epsom Court
Epsom Road
Trowbridge
Wiltshire
BA14 0XF
Tel: 0844 800 4201
Email: fsc.customerservices@nationaltrust.org.uk

General Data Protection Regulation

You will most likely be aware of the new General Data Protection Regulation (GDPR) which was implemented in the UK on the 25 May 2018.

This legislation requires all organisations that process personal data, or engage others to do so on their behalf, to adopt certain practices to safeguard personal data.

Frequently Asked Questions - Changes to Standard Terms and Conditions

If you are an existing supplier you will have received an email from us notifying you of changes to our terms of business. 

If you have any queries about these changes you may find the following Q & A section helpful.

Q: Are these changes really necessary?
A:  We’re afraid they are. However, we’re trying to strike a balance between doing all the things we have to do to achieve compliance, and going over the top and asking too much of suppliers. Therefore, we have adopted terms in a form recommended by the regulators / ICO. www.ico.org.uk

These should therefore become ‘standard terms’ for everyone and you should find other organisations will ask you to sign up to very similar or identical terms.

We could have used different ‘friendlier’ looking terms but on balance we thought it was simplest to just adopt the ones that the regulators are recommending since we expect these to become ‘standard practice’.

Q: But the sort of work I do has nothing to do with personal data, why these complicated terms?
A:  If you don’t process personal data on our behalf you can ignore all this. The terms will technically still apply to our relationship but because of the way they’re written they will have no effect on you.

The Trust has a very large number of suppliers doing an incredibly broad range of activities. Therefore, it’s impractical to review every single arrangement and establish which suppliers process personal data, and which don’t. Had we tried to do that, this would have created a lot more work for our suppliers and for us.

Q: What is ‘personal data’?
A: Personal Data is any information that tells you something about an identifiable living individual. This could include name and address, e-mail addresses or contact numbers.

Certain ‘special categories’ of personal data are more heavily protected. These include information about racial or ethnic origin, sexual orientation or religious belief. If you process that sort of data (or large amounts of personal data in general) we are more likely to get in touch and ask you to work with us to review our processes to ensure data is processed securely. This may include entering into a specific ‘Data Processing Agreement’.

Q: What is the Data Processing Agreement you refer to?
A:  Ideally, we should list out the forms of processing that our suppliers are involved in as part of our terms of business. In reality this is too impractical to do with all suppliers that process personal data (and had we gone down that route this process would be much more difficult for you). However, we will do this with those suppliers that we think are higher risk in the form of a specific ‘Data Processing Agreement’.

We may consider suppliers ‘high risk’ either because they process personal data that is more heavily protected under the regulations (‘special category data’) or because suppliers process large amounts of personal data in general. We will be in touch with suppliers that we deem high risk.

Q:  But we already operate under agreed terms / we only operate under our own terms/we have accepted standard National Trust terms. Surely this doesn’t apply to us?
A:  They do. Regardless of the arrangements that may already exist, if you process personal data on our behalf, we have to ensure that specific terms are included that oblige our suppliers to safeguard personal data. The terms that we have sent to you via our ‘Proactis’ system will take effect as an amendment to whatever agreement(s) we have with you.

Other clients of yours (especially large clients) are likely to ask you to do very similar things.   We expect the terms that we have sent to you to become ‘normal industry practice’.

Q: Where can I go to find out more about this?
A: The ICO Website www.ico.org.uk has a lot of information about the General Data Protection Regulation and the piece of UK legislation that brings it into effect (the Data Protection Act 2018). If this is all news to you we would encourage you to take advice.

If you handle personal data as part of your business (and most businesses do) then you will be affected by these regulations and it is likely you will need to change your processes in order to be compliant.

Frequently Asked Questions – GDPR Risk Assessment

Q:  Why are you writing to me again about GDPR?  Isn’t that all done with?
A:  The General Data Protection Regulation has not gone away I’m afraid. There are lots of things we’ve all had to do under these regulations but one of the more difficult things to do is ensure that specific ‘Data Processing Agreements’ and ‘Data Protection Impact Assessments’ are completed, where required. 

When we wrote to you in May we were notifying you of general changes to our terms and conditions. Those go some way towards achieving compliance, but the regulations require us to go through one further step to achieve full compliance in relation to certain suppliers.

We are writing to suppliers now because we need some of our suppliers to complete the above documents with us.

Q:  Is this really necessary?
A: We’re afraid so. The way the rules work means that if any supplier processes any personal data at all, on our behalf, we need to enter into a specific ‘Data Processing Agreement’ with that supplier. That agreement must take a specific form. If suppliers do any processing that we determine to be ‘higher risk’ then we also need to complete a ‘Data Protection Impact Assessment’, which is something that we cannot do without our suppliers’ co-operation.

We have assessed all our suppliers to try to categorise them into ‘higher risk’ and ‘lower risk’ processors. We have then written to all ‘higher risk’ processors, i.e. those that we think either process significant volumes of personal data or that process some ‘special category’ personal data that is more carefully protected under the rules (e.g. health records). We have explained and provided the documents that need to be completed.

For lower risk suppliers we are not asking them to complete the above documents, but we are asking for a short form to be completed just to help us make sure that our assessment is correct and such suppliers really are ‘low risk’. 

If we don’t get suitable documents completed in relation to our suppliers then we may be unable to continue to work with those suppliers.

Q:  What if I no longer work with you?  What if I don’t process any personal data on your behalf?
A:  The National Trust has thousands of suppliers. We have assessed our suppliers based on the nature of the business that they are involved in, the nature of the services that our records show they have supplied to us, our recent spend with those suppliers and our staff understanding of the volumes and types of personal data that our suppliers process.

Of course, despite all this work, it is quite possible that we may have made some mistakes. If you either no longer work with us or think that you process no personal data on our behalf then please e-mail the following e-mail address quoting the reference number shown in the e-mails we sent to you: gdpr.questionnaires@nationaltrust.org.uk

Q:  What about lower risk suppliers?
A:  There are a limited number of suppliers that we’ve assessed as ‘low risk’ i.e. they process some personal data, but only in small volumes and none of it is of a sensitive nature.

For these lower risk suppliers we’re asking them to complete a very short risk assessment, to help us determine if our assessment is correct. These suppliers may subsequently be asked to complete full Data Protection Impact Assessments and enter into formal Data Processing Agreements with us. However, in most cases this won’t be necessary.

The Short Security Questionnaire is easy to complete and is really intended to help us work out if our initial ‘low risk’ assessment is correct.  We expect that, in the vast majority of cases, it will be.

Assessment of our building contractors 

Useful information on our new method of assurance for building contractors, and how to get started.
